File name: I3GSvcManager.exe

Full analysis: https://app.any.run/tasks/f4325b92-3699-40d6-86e7-03e7f5df49f5
Verdict: Malicious activity
Analysis date: June 13, 2019, 14:20:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2AADCA037C8A01021E1892C07D8206FB
SHA1: 5F4226F02CFE33760A4BDB510DFBBEC69E277808
SHA256: A30BDFCED314A2C27598568D79CFF3787E703964FC60522368531036CDF2EEFF
SSDEEP: 196608:XtvZfxhyaau9vuhR0zxkqYZ6iG+mwZwoZhJ0E2SQ66:XyaLMc+mOwox0wQ6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • msiexec.exe (PID: 252)
      • certmgr.exe (PID: 3008)
      • certmgr.exe (PID: 2424)
      • I3GInit.exe (PID: 3564)
      • certmgr.exe (PID: 3328)
      • certmgr.exe (PID: 2896)
      • I3GInit.exe (PID: 3168)
      • certmgr.exe (PID: 2632)
      • certmgr.exe (PID: 804)
      • rundll32.exe (PID: 460)
      • I3GInit.exe (PID: 3992)
    • Loads dropped or rewritten executable

      • install.exe (PID: 2412)
      • I3GProc.exe (PID: 3640)
      • certutil.exe (PID: 2496)
      • certutil.exe (PID: 980)
      • certutil.exe (PID: 3660)
      • certutil.exe (PID: 2544)
      • I3GProc.exe (PID: 1536)
      • I3GProc.exe (PID: 2416)
      • certutil.exe (PID: 2604)
      • certutil.exe (PID: 1528)
      • I3GProc.exe (PID: 3276)
    • Application was dropped or rewritten from another process

      • install.exe (PID: 2412)
      • vcredist_x86.exe (PID: 3608)
      • I3GProc.exe (PID: 3640)
      • I3GMainSvc.exe (PID: 3036)
      • I3GMainSvc.exe (PID: 1152)
      • I3GMainSvc.exe (PID: 1028)
      • I3GInit.exe (PID: 3564)
      • certmgr.exe (PID: 3008)
      • certutil.exe (PID: 2496)
      • certmgr.exe (PID: 2424)
      • certutil.exe (PID: 980)
      • certmgr.exe (PID: 2896)
      • certutil.exe (PID: 2544)
      • certutil.exe (PID: 3660)
      • I3GMainSvc.exe (PID: 2860)
      • I3GMainSvc.exe (PID: 3408)
      • I3GMainSvc.exe (PID: 592)
      • I3GInit.exe (PID: 3168)
      • certmgr.exe (PID: 3772)
      • I3GEX.exe (PID: 2612)
      • I3GEX.exe (PID: 3484)
      • I3GMainSvc.exe (PID: 2552)
      • I3GProc.exe (PID: 1536)
      • I3GMainSvc.exe (PID: 3284)
      • I3GEX.exe (PID: 4052)
      • I3GEX.exe (PID: 1900)
      • I3GMainSvc.exe (PID: 2748)
      • I3GProc.exe (PID: 2416)
      • I3GMainSvc.exe (PID: 2648)
      • I3GMainSvc.exe (PID: 2556)
      • certmgr.exe (PID: 804)
      • I3GInit.exe (PID: 2524)
      • certutil.exe (PID: 2604)
      • certutil.exe (PID: 1528)
      • certmgr.exe (PID: 2632)
      • I3GMainSvc.exe (PID: 3944)
      • I3GInit.exe (PID: 3992)
      • I3GMainSvc.exe (PID: 3888)
      • I3GProc.exe (PID: 3276)
      • I3GMainSvc.exe (PID: 2128)
      • certmgr.exe (PID: 3328)
    • Changes the autorun value in the registry

      • I3GSvcManager.exe (PID: 808)
      • I3GSvcManager.exe (PID: 2732)
      • I3GSvcManager.exe (PID: 2312)
  • SUSPICIOUS

    • Creates a software uninstall entry

      • I3GSvcManager.exe (PID: 808)
      • I3GSvcManager.exe (PID: 2732)
      • I3GSvcManager.exe (PID: 2312)
    • Uses NETSH.EXE for network configuration

      • I3GSvcManager.exe (PID: 808)
      • I3GSvcManager.exe (PID: 2732)
      • I3GSvcManager.exe (PID: 2312)
    • Executable content was dropped or overwritten

      • I3GSvcManager.exe (PID: 808)
      • vcredist_x86.exe (PID: 3608)
      • msiexec.exe (PID: 252)
      • I3GSvcManager.exe (PID: 2732)
      • I3GSvcManager.exe (PID: 2312)
    • Creates files in the Windows directory

      • I3GSvcManager.exe (PID: 808)
      • msiexec.exe (PID: 252)
      • I3GSvcManager.exe (PID: 2732)
      • I3GSvcManager.exe (PID: 2312)
    • Creates files in the program directory

      • I3GSvcManager.exe (PID: 808)
      • I3GSvcManager.exe (PID: 2732)
      • I3GSvcManager.exe (PID: 2312)
    • Adds / modifies Windows certificates

      • msiexec.exe (PID: 252)
    • Removes files from Windows directory

      • msiexec.exe (PID: 252)
      • I3GSvcManager.exe (PID: 2732)
      • I3GSvcManager.exe (PID: 2312)
    • Creates files in the user directory

      • certutil.exe (PID: 2496)
      • I3GSvcManager.exe (PID: 808)
    • Executed as Windows Service

      • I3GMainSvc.exe (PID: 1028)
      • I3GMainSvc.exe (PID: 592)
      • I3GMainSvc.exe (PID: 2128)
  • INFO

    • Creates a software uninstall entry

      • msiexec.exe (PID: 252)
    • Manual execution by user

      • explorer.exe (PID: 1360)
      • explorer.exe (PID: 3964)
      • I3GSvcManager.exe (PID: 1184)
      • I3GSvcManager.exe (PID: 2732)
      • I3GEX.exe (PID: 4052)
      • I3GInit.exe (PID: 2524)
      • I3GEX.exe (PID: 3484)
      • certmgr.exe (PID: 3772)
      • I3GEX.exe (PID: 2612)
      • I3GEX.exe (PID: 1900)
      • I3GMainSvc.exe (PID: 2748)
      • I3GProc.exe (PID: 2416)
      • I3GSvcManager.exe (PID: 2844)
      • I3GSvcManager.exe (PID: 2312)
      • rundll32.exe (PID: 460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (54.3)
.exe | Win64 Executable (generic) (34.8)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

Note: the "Win64 Executable (generic)" guess is a TRiD heuristic that conflicts with the PE header (PEType PE32, Machine IMAGE_FILE_MACHINE_I386); the header is authoritative and the file is 32-bit. The InstallShield match is consistent with the installer behaviour seen in the run.

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:06:17 04:21:47+02:00
PEType: PE32
LinkerVersion: 9
CodeSize: 1228288
InitializedDataSize: 8123392
UninitializedDataSize: -
EntryPoint: 0x105cdb
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 3.0.0.5
ProductVersionNumber: 3.0.0.5
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Korea (Shift - KSC 5601)
Comments: I3GManager LWS Module Installer
CompanyName: Interezen. Co., Ltd.
FileDescription: I3GManager LWS Module Installer
FileVersion: 3.0.0.5
InternalName: I3GManager
LegalCopyright: Interezen. Copyright ⓒ 2009 ~
OriginalFileName: I3GSvcManager.exe
ProductName: I3GManager
ProductVersion: 3.0.0.5

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 17-Jun-2017 02:21:47
Detected languages:
  • English - United States
  • Korean - Korea
Debug artifacts:
  • d:\IPInside\trunk\client\LWS\Windows_original\I3GSvcManager\Release\I3GSvcManager.pdb
Comments: I3GManager LWS Module Installer
CompanyName: Interezen. Co., Ltd.
FileDescription: I3GManager LWS Module Installer
FileVersion: 3.0.0.5
InternalName: I3GManager
LegalCopyright: Interezen. Copyright ⓒ 2009 ~
OriginalFilename: I3GSvcManager.exe
ProductName: I3GManager
ProductVersion: 3.0.0.5

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 17-Jun-2017 02:21:47
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name    Virtual Address  Virtual Size  Raw Size    Characteristics                                                                   Entropy
.text   0x00001000       0x0012BD22    0x0012BE00  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                     6.54962
.rdata  0x0012D000       0x000427CA    0x00042800  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                                5.196
.data   0x00170000       0x0000D280    0x00005800  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE           4.70185
.rsrc   0x0017E000       0x0074F984    0x0074FA00  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                                7.90398
.reloc  0x008CE000       0x0002780C    0x00027A00  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ     4.98912
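The section table and entry point above are enough for a first triage pass before any disassembly. The following is an added example (not output of the ANY.RUN report and not Interezen code) that transcribes the Sections table and the EXIF EntryPoint value from this page and runs the checks an analyst would do by hand: which section holds the entry point, which sections look packed or compressed, how much of the file the resource section accounts for, and whether the per-section sizes add up to the CodeSize and InitializedDataSize fields the EXIF block reports. The 7.5 entropy threshold and all helper names are this example's own assumptions.

```python
"""PE header triage on the values in this report.

Added example, not output of the ANY.RUN report or Interezen's code. The
section table and AddressOfEntryPoint are transcribed from the report's
"Sections" and "EXIF" blocks; the 7.5 entropy threshold and the helper
names are this example's own assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int   # RVA where the section is mapped
    virtual_size: int      # bytes occupied in memory
    raw_size: int          # bytes stored on disk
    executable: bool       # IMAGE_SCN_MEM_EXECUTE set
    entropy: float         # Shannon entropy of the raw bytes, 0..8


# Transcribed from the report's Sections table (hex values as printed).
SECTIONS: List[Section] = [
    Section(".text",  0x00001000, 0x0012BD22, 0x0012BE00, True,  6.54962),
    Section(".rdata", 0x0012D000, 0x000427CA, 0x00042800, False, 5.19600),
    Section(".data",  0x00170000, 0x0000D280, 0x00005800, False, 4.70185),
    Section(".rsrc",  0x0017E000, 0x0074F984, 0x0074FA00, False, 7.90398),
    Section(".reloc", 0x008CE000, 0x0002780C, 0x00027A00, False, 4.98912),
]
ENTRY_POINT_RVA = 0x105CDB   # "EntryPoint" in the report's EXIF block
HIGH_ENTROPY = 7.5           # assumption: at or above this, treat as packed/compressed


def section_for_rva(rva: int, sections: List[Section] = SECTIONS) -> Optional[Section]:
    """Return the section whose mapped range contains the RVA, or None."""
    for s in sections:
        end = s.virtual_address + max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < end:
            return s
    return None


def entry_point_section(ep: int = ENTRY_POINT_RVA,
                        sections: List[Section] = SECTIONS) -> str:
    """Name of the section holding the entry point. An entry point outside
    an executable section, or outside every section, is a classic packer
    stub signal; here it should land in .text."""
    s = section_for_rva(ep, sections)
    if s is None:
        return "<outside all sections>"
    return s.name if s.executable else f"{s.name} (not executable!)"


def high_entropy_sections(sections: List[Section] = SECTIONS,
                          threshold: float = HIGH_ENTROPY) -> List[str]:
    """Sections whose raw bytes look compressed or encrypted."""
    return [s.name for s in sections if s.entropy >= threshold]


def raw_share(name: str, sections: List[Section] = SECTIONS) -> float:
    """Fraction of all on-disk section bytes that one section holds."""
    total = sum(s.raw_size for s in sections)
    return sum(s.raw_size for s in sections if s.name == name) / total


def triage(sections: List[Section] = SECTIONS, ep: int = ENTRY_POINT_RVA) -> Dict[str, object]:
    """Summarise the checks; code_size and initialized_data_size are computed
    from the table so they can be cross-checked against the EXIF block."""
    return {
        "entry_point_section": entry_point_section(ep, sections),
        "high_entropy": high_entropy_sections(sections),
        "rsrc_share": round(raw_share(".rsrc", sections), 3),
        "code_size": sum(s.raw_size for s in sections if s.executable),
        "initialized_data_size": sum(s.raw_size for s in sections if not s.executable),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

For this sample the entry point sits inside .text, only .rsrc crosses the entropy threshold, and .rsrc holds about 82% of the on-disk section bytes; together with the InstallShield TRiD match and the many dropped executables, that is the profile of a self-extracting installer carrying a compressed payload in its resources rather than of a runtime packer. The computed code_size (1228288) and initialized_data_size (8123392) match the EXIF CodeSize and InitializedDataSize exactly, which is a cheap sanity check that the header was not tampered with after linking.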

Resources

Title  Entropy  Size  Codepage                    Language                 Type
1      5.19856  1016  Latin 1 / Western European  English - United States  RT_MANIFEST
2      3.02695  308   Latin 1 / Western European  Korean - Korea           RT_CURSOR
3      2.74274  180   Latin 1 / Western European  Korean - Korea           RT_CURSOR
4      2.34038  308   Latin 1 / Western European  Korean - Korea           RT_CURSOR
5      2.34004  308   Latin 1 / Western European  Korean - Korea           RT_CURSOR
6      2.51649  308   Latin 1 / Western European  Korean - Korea           RT_CURSOR
7      2.39851  78    Latin 1 / Western European  Korean - Korea           RT_STRING
8      2.34864  308   Latin 1 / Western European  Korean - Korea           RT_CURSOR
9      2.34505  308   Latin 1 / Western European  Korean - Korea           RT_CURSOR
10     2.34864  308   Latin 1 / Western European  Korean - Korea           RT_CURSOR

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IMM32.dll
KERNEL32.dll
MSIMG32.dll
OLEACC.dll (delay-loaded)
OLEAUT32.dll
SHELL32.dll
No data.
All screenshots are available in the full report
Total processes: 129
Monitored processes: 54
Malicious processes: 22
Suspicious processes: 6

Behavior graph

Interactive process graph (not reproduced here). In drop-and-start order it lists i3gsvcmanager.exe, netsh.exe, vcredist_x86.exe, install.exe, msiexec.exe, certmgr.exe, certutil.exe, i3gproc.exe, i3gmainsvc.exe, i3ginit.exe, explorer.exe, i3gex.exe and rundll32.exe; the certmgr / certutil / i3gproc / i3gmainsvc / i3ginit sequence repeats once for each of the three I3GSvcManager.exe runs.

Process information

PID: 252
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Exit code: 0
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\msiexec.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

Note: msiexec.exe /V started by services.exe is the Windows Installer service instance (msiserver), which performs the server side of any MSI install during the run; it runs as SYSTEM regardless of who launched the installer, which is why it appears under "Changes settings of System certificates" and "Creates files in the Windows directory" in its own right.
PID: 460
CMD: "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Program Files\IPinside_LWS\interezen-rootca_sha1.crt
Path: C:\Windows\system32\rundll32.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\ipinside_lws\certmgr.exe
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\msctf.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\conhost.exe
  c:\windows\system32\rundll32.exe
  c:\systemroot\system32\ntdll.dll

Note: cryptext.dll,CryptExtOpenCER is the shell's certificate viewer, i.e. what runs when a user opens a .crt file from Explorer; the explorer.exe parent and the "Manual execution by user" tag agree with that. The authrootstl.cab download attributed to this PID in the HTTP section is Windows' automatic root-certificate update, triggered when CryptoAPI builds the chain for display, not traffic originated by the sample.
PID: 592
CMD: "C:\Program Files\IPinside_LWS\I3GMainSvc.exe"
Path: C:\Program Files\IPinside_LWS\I3GMainSvc.exe
Parent process: services.exe
User: SYSTEM
Company: Interezen. Co., Ltd.
Integrity Level: SYSTEM
Description: Interezen Service Program
Exit code: 0
Version: 3.0.0.1
Modules (images):
  c:\program files\ipinside_lws\i3gmainsvc.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winspool.drv
PID: 804
CMD: "C:\Program Files\IPinside_LWS\certmgr.exe" /add /c interezen-rootca.crt /s /r localMachine root
Path: C:\Program Files\IPinside_LWS\certmgr.exe
Parent process: I3GSvcManager.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: ECM Certificate Manager
Exit code: 0
Version: 5.131.1863.1
Modules (images):
  c:\program files\ipinside_lws\certmgr.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\crypt32.dll
  c:\windows\system32\msasn1.dll

Note: this certmgr.exe is the Microsoft SDK certificate-manager tool that the installer dropped into C:\Program Files\IPinside_LWS, not a Windows system binary. "/add /c interezen-rootca.crt /s /r localMachine root" installs the certificate into the machine-wide Trusted Root Certification Authorities store, after which every CryptoAPI consumer on the host (Internet Explorer, Chrome, .NET, the OS itself) trusts any certificate that chains to it. This command, repeated in each of the three installer runs, is what the "Changes settings of System certificates" verdict rests on; the HIGH integrity level shows the installer was running elevated, which writing to the LocalMachine store requires.
PID: 808
CMD: "C:\Users\admin\AppData\Local\Temp\I3GSvcManager.exe"
Path: C:\Users\admin\AppData\Local\Temp\I3GSvcManager.exe
Parent process: explorer.exe
User: admin
Company: Interezen. Co., Ltd.
Integrity Level: HIGH
Description: I3GManager LWS Module Installer
Exit code: 0
Version: 3.0.0.5
Modules (images):
  c:\users\admin\appdata\local\temp\i3gsvcmanager.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ws2_32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\nsi.dll
  c:\windows\system32\version.dll
  c:\windows\system32\user32.dll
PID: 980
CMD: "C:\Program Files\IPinside_LWS\certfr\certutil.exe" -A -n "Interezen CA" -t "C,C,C" -i "C:\Program Files\IPinside_LWS\interezen.crt" -d "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default"
Path: C:\Program Files\IPinside_LWS\certfr\certutil.exe
Parent process: I3GSvcManager.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\program files\ipinside_lws\certfr\certutil.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\program files\ipinside_lws\certfr\nssutil3.dll
  c:\program files\ipinside_lws\certfr\libplc4.dll
  c:\program files\ipinside_lws\certfr\libnspr4.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll

Note: this is Mozilla NSS's certutil (it loads nssutil3.dll, libplc4.dll and libnspr4.dll from the dropped certfr directory, and carries no version resource), not the Windows certutil.exe. "-A" imports interezen.crt into the NSS database of the named Firefox profile, and the trust string "C,C,C" marks it as a trusted CA for SSL, S/MIME and object signing. Firefox keeps its own trust store rather than using the Windows one, which is why the installer has to repeat the root-CA installation here; a detection that only watches the Windows store would miss this step.
PID: 1028
CMD: "C:\Program Files\IPinside_LWS\I3GMainSvc.exe"
Path: C:\Program Files\IPinside_LWS\I3GMainSvc.exe
Parent process: services.exe
User: SYSTEM
Company: Interezen. Co., Ltd.
Integrity Level: SYSTEM
Description: Interezen Service Program
Exit code: 0
Version: 3.0.0.1
Modules (images):
  c:\program files\ipinside_lws\i3gmainsvc.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winspool.drv
PID: 1152
CMD: "C:\Program Files\IPinside_LWS\I3GMainSvc.exe" -install
Path: C:\Program Files\IPinside_LWS\I3GMainSvc.exe
Parent process: I3GSvcManager.exe
User: admin
Company: Interezen. Co., Ltd.
Integrity Level: HIGH
Description: Interezen Service Program
Exit code: 0
Version: 3.0.0.1
Modules (images):
  c:\program files\ipinside_lws\i3gmainsvc.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winspool.drv

Note: "-install", run from the elevated installer, is the service self-registration step; the instances with PIDs 592, 1028 and 2128 are then started by services.exe as SYSTEM (see "Executed as Windows Service" above), so the agent persists as a SYSTEM service independently of the user's session.
PID: 1184
CMD: "C:\Program Files\IPinside_LWS\I3GSvcManager.exe"
Path: C:\Program Files\IPinside_LWS\I3GSvcManager.exe
Parent process: explorer.exe
User: admin
Company: Interezen. Co., Ltd.
Integrity Level: MEDIUM
Description: I3GManager LWS Module Installer
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 3.0.0.5
Modules (images):
  c:\program files\ipinside_lws\i3gsvcmanager.exe
  c:\systemroot\system32\ntdll.dll

Note: this instance was launched from explorer.exe without elevation, and the binary requires it (its other instances run at HIGH integrity), so the loader terminated it before anything beyond ntdll.dll was mapped; the two-entry module list confirms it never executed its own code. It is a failed launch, not a separate installer run.
PID: 1360
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\explorer.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
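The command lines in the process table are what a detection engineer would turn into rules: a certificate being written to the machine Root store (PID 804) and a CA being imported as trusted into a Firefox NSS database (PID 980). The block below is an added example, not part of the ANY.RUN report and not Interezen code. It runs two such rules over constructed process-creation records whose command lines are copied from the table above (PIDs 804, 980, 460 and 1152) together with two benign controls made up here (PIDs 9001 and 9002: a certutil hash check and an import into the personal "My" store, which must not fire). The record fields loosely follow Sysmon event 1; that field mapping, the rule names, and the extra certutil "-addstore root" case (the built-in Windows certutil, which this run does not use) are this example's assumptions and generalisations.

```python
"""Detection rules for the trust-store changes seen in this report.

Added example, not part of the ANY.RUN report and not Interezen code. The
sample records are constructed here; their command lines are copied from
the report's process table, the two controls (PIDs 9001, 9002) are made up.
Field names loosely follow Sysmon event 1 (Image, CommandLine, ParentImage);
that mapping and the certutil -addstore case are this example's assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str


SAMPLE_EVENTS: List[ProcEvent] = [
    # From the report: SDK certmgr.exe adding a root CA to the machine store.
    ProcEvent(804, r"C:\Program Files\IPinside_LWS\certmgr.exe",
              r'"C:\Program Files\IPinside_LWS\certmgr.exe" /add /c interezen-rootca.crt /s /r localMachine root',
              r"C:\Users\admin\AppData\Local\Temp\I3GSvcManager.exe"),
    # From the report: NSS certutil importing a trusted CA into a Firefox profile.
    ProcEvent(980, r"C:\Program Files\IPinside_LWS\certfr\certutil.exe",
              r'"C:\Program Files\IPinside_LWS\certfr\certutil.exe" -A -n "Interezen CA" -t "C,C,C" '
              r'-i "C:\Program Files\IPinside_LWS\interezen.crt" '
              r'-d "C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default"',
              r"C:\Users\admin\AppData\Local\Temp\I3GSvcManager.exe"),
    # From the report: the user viewing the .crt file (benign on its own).
    ProcEvent(460, r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Program Files\IPinside_LWS\interezen-rootca_sha1.crt',
              r"C:\Windows\explorer.exe"),
    # From the report: service self-registration (not a trust-store change).
    ProcEvent(1152, r"C:\Program Files\IPinside_LWS\I3GMainSvc.exe",
              r'"C:\Program Files\IPinside_LWS\I3GMainSvc.exe" -install',
              r"C:\Users\admin\AppData\Local\Temp\I3GSvcManager.exe"),
    # Constructed benign controls (not from the report).
    ProcEvent(9001, r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -hashfile C:\Users\admin\Downloads\setup.msi SHA256",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(9002, r"C:\Windows\System32\certutil.exe",
              r'certutil.exe -addstore My "C:\Users\admin\Downloads\client.cer"',
              r"C:\Windows\System32\cmd.exe"),
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def windows_root_store_add(ev: ProcEvent) -> bool:
    """Certificate added to the machine-wide Root or AuthRoot store, via the SDK
    certmgr.exe (/add ... /r localMachine root, as PID 804 does) or via the
    built-in certutil.exe -addstore root (assumed generalisation)."""
    name, cmd = _basename(ev.image), ev.command_line
    if name == "certmgr.exe":
        return bool(re.search(r"\s/add\b", cmd, re.I)
                    and re.search(r"/r\s+localMachine\s+(root|authroot)\b", cmd, re.I))
    if name == "certutil.exe":
        return bool(re.search(r'-addstore\s+(?:-f\s+)?"?(root|authroot)\b', cmd, re.I))
    return False


_NSS_TRUST = re.compile(r'(?:^|\s)-t\s+"?([pPcCTuw,]*)"?')


def nss_trust_flags(cmd: str) -> List[str]:
    """Split an NSS certutil -t argument into its (SSL, S/MIME, object signing)
    fields; an uppercase C in a field means 'trusted CA' for that usage."""
    m = _NSS_TRUST.search(cmd)
    if not m:
        return []
    return (m.group(1).split(",") + ["", "", ""])[:3]


def firefox_nss_ca_add(ev: ProcEvent) -> bool:
    """NSS certutil -A importing a trusted SSL CA into a Firefox profile
    database (PID 980 in the report)."""
    if _basename(ev.image) != "certutil.exe":
        return False
    cmd = ev.command_line
    if not re.search(r"(?:^|\s)-A(?:\s|$)", cmd):
        return False
    flags = nss_trust_flags(cmd)
    db = re.search(r'(?:^|\s)-d\s+(?:"([^"]+)"|(\S+))', cmd)
    db_path = (db.group(1) or db.group(2)) if db else ""
    in_firefox = bool(re.search(r"\\Mozilla\\Firefox\\Profiles\\", db_path, re.I))
    return bool(flags) and "C" in flags[0] and in_firefox


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "windows_root_store_add": windows_root_store_add,
    "firefox_nss_ca_add": firefox_nss_ca_add,
}


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every event that trips a rule."""
    return [(ev.pid, name) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

Both rules key on the store or trust flags rather than on the tool's path, because the tools here were dropped into the product directory and any path-based rule would be trivially bypassed by copying the binary elsewhere. The NSS rule deliberately treats a lowercase "c" (valid CA, not trusted) as a non-hit: only an uppercase "C" in the SSL field makes Firefox accept certificates chaining to the imported CA.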
Total events: 1 449 (read 817, write 610, delete 22)

Modification events

PID 808 (I3GSvcManager.exe)
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
  Operation: write  Name: C:\Users\admin\AppData\Local\Temp\I3GSvcManager.exe  Value: 1

PID 808 (I3GSvcManager.exe)
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IPinside LWS Agent
  Operation: write  Name: DisplayIcon      Value: C:\Program Files\IPinside_LWS\I3GSvcManager.exe
  Operation: write  Name: DisplayName      Value: IPinside LWS Agent
  Operation: write  Name: DisplayVersion   Value: 3.0.0.5
  Operation: write  Name: Publisher        Value: interezen
  Operation: write  Name: UninstallPath    Value: C:\Program Files\IPinside_LWS\I3GSvcManager.exe
  Operation: write  Name: UninstallString  Value: C:\Program Files\IPinside_LWS\I3GSvcManager.exe /uninstall

PID 808 (I3GSvcManager.exe)
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write  Name: UNCAsIntranet  Value: 0
  Operation: write  Name: AutoDetect     Value: 1

PID 3684 (netsh.exe)
  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
  Operation: write  Name: LanguageList  Value: en-US

Note: the Uninstall key is the "Creates a software uninstall entry" indicator and gives a stable host artefact to hunt for (DisplayName "IPinside LWS Agent", UninstallString ending in "/uninstall"). The ZoneMap writes are Internet Explorer zone-mapping defaults that WinINet/urlmon initialisation commonly writes on first use and are not, on their own, an indicator of anything.
Executable files: 89
Suspicious files: 20
Text files: 326
Unknown types: 20

Dropped files

PID  Process            Filename                                                  Type
808  I3GSvcManager.exe  C:\Windows\hipiw.dll                                      text
     MD5:  SHA256:
808  I3GSvcManager.exe  C:\Users\admin\AppData\LocalLow\IPinside\I3GSetupLog.log  text
     MD5:  SHA256:
808  I3GSvcManager.exe  C:\Program Files\IPinside_LWS\I3GMainSvc.exe              executable
     MD5:  SHA256:
808  I3GSvcManager.exe  C:\Program Files\IPinside_LWS\I3Gescp.dll                 executable
     MD5:  SHA256:
808  I3GSvcManager.exe  C:\Program Files\IPinside_LWS\I3GEX.exe                   executable
     MD5:  SHA256:
808  I3GSvcManager.exe  C:\Program Files\IPinside_LWS\I3GInit.exe                 executable
     MD5:  SHA256:
808  I3GSvcManager.exe  C:\Program Files\IPinside_LWS\I3GManager.dll              executable
     MD5:  SHA256:
808  I3GSvcManager.exe  C:\Program Files\IPinside_LWS\I3GProc.exe                 executable
     MD5:  SHA256:
808  I3GSvcManager.exe  C:\Program Files\IPinside_LWS\interezen.crt               text
     MD5: 223076A27C15B13BE6ECC059FA0EB6FC
     SHA256: 78D529C0ACEA89059F0891F8521DB095BFC34CE5646068DCD07B05A72969285A
808  I3GSvcManager.exe  C:\Program Files\IPinside_LWS\interezen_sha1.opt          text
     MD5: B01FF24277E42E70975C6A5BE073564C
     SHA256: AF1BC2C6D2D7783810682456A4EF9587947CF35DB2D787A48CA47E638F0B58C9

Note: interezen.crt is the CA certificate that PID 980 imports into Firefox, and it is typed "text", i.e. PEM-encoded. The MD5/SHA256 above are hashes of that file, not the certificate thumbprint that the Windows store and browser UIs display; to hunt for the CA in a trust store, compute the SHA-1 of the DER encoding from the file. I3GSetupLog.log in LocalLow\IPinside is the installer's own log and is worth pulling for the full list of actions taken.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID  Process       Method  HTTP Code  IP              URL                                                                                             CN       Type        Size     Reputation
460  rundll32.exe  GET     200        2.16.186.56:80  http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab  unknown  compressed  56.2 Kb  whitelisted

Note: authrootstl.cab is Microsoft's signed list of trusted root certificates; CryptoAPI fetches it automatically when it builds a certificate chain, here while the certificate viewer (PID 460) displayed interezen-rootca_sha1.crt. This is the only network activity in the run and it is Windows housekeeping, not sample-originated traffic; the sample's own components (I3GMainSvc.exe, I3GEX.exe, I3GProc.exe) made no connections during the analysis window.

Connections

PID  Process       IP              Domain                          ASN                        CN  Reputation
460  rundll32.exe  2.16.186.56:80  www.download.windowsupdate.com  Akamai International B.V.      whitelisted

DNS requests

Domain
IP
Reputation
www.download.windowsupdate.com
  • 2.16.186.56
  • 2.16.186.81
whitelisted

Threats

No threats detected
No debug info