General Info

File name

FounderFont_0.9.7.5_fontsnetcn.exe

Full analysis
https://app.any.run/tasks/01cd5273-3d46-4093-8973-6ecc913e44ac
Verdict
Malicious activity
Analysis date
7/18/2019, 12:26:46
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

installer

loader

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5

a4eec1bacdaccf53324b950259b3073b

SHA1

b210c6c4993bb793f6d4fba09cbf24e5a154604d

SHA256

006082bf6b0abbe97501648f603328595d8ea111b270951a7dd293f9cef332f9

SSDEEP

98304:jviEqNjP4yJeMAbewvCR91G2jRUf9JWi7ctTh0XvrOvLrxhEnabxqi5r0wJ7oLtf:zuP4uDwabxRUmi7WtYrOvh+nR20GoLtf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Loads dropped or rewritten executable
  • FounderFontPlus.FontInstall.exe (PID: 3836)
  • FounderFontPlus.Client.exe (PID: 4048)
  • FounderFontPlus.Update.exe (PID: 672)
  • FounderFont_0.9.7.5_fontsnetcn.exe (PID: 4024)
  • SearchProtocolHost.exe (PID: 876)
Application was dropped or rewritten from another process
  • FounderFontPlus.FontInstall.exe (PID: 3068)
  • FounderFontPlus.FontInstall.exe (PID: 3836)
  • FounderFontPlus.Client.exe (PID: 4048)
  • FounderFontPlus.Update.exe (PID: 672)
Downloads executable files from the Internet
  • FounderFontPlus.Update.exe (PID: 672)
Reads Environment values
  • FounderFontPlus.Client.exe (PID: 4048)
  • FounderFontPlus.Update.exe (PID: 672)
Application launched itself
  • FounderFontPlus.FontInstall.exe (PID: 3068)
Creates a software uninstall entry
  • FounderFont_0.9.7.5_fontsnetcn.exe (PID: 4024)
Executable content was dropped or overwritten
  • FounderFontPlus.Update.exe (PID: 672)
  • FounderFont_0.9.7.5_fontsnetcn.exe (PID: 4024)
Creates files in the program directory
  • FounderFont_0.9.7.5_fontsnetcn.exe (PID: 4024)
Manual execution by user
  • FounderFontPlus.Update.exe (PID: 672)
Reads settings of System Certificates
  • FounderFontPlus.Update.exe (PID: 672)

Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Static information

TRiD
  • .exe | NSIS - Nullsoft Scriptable Install System (91.9%)
  • .exe | Win32 Executable MS Visual C++ (generic) (3.3%)
  • .exe | Win64 Executable (generic) (3%)
  • .dll | Win32 Dynamic Link Library (generic) (0.7%)
  • .exe | Win32 Executable (generic) (0.4%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2009:12:05 23:53:13+01:00
PEType:
PE32
LinkerVersion:
6
CodeSize:
25088
InitializedDataSize:
124928
UninitializedDataSize:
1024
EntryPoint:
0x352f
OSVersion:
4
ImageVersion:
6
SubsystemVersion:
4
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
05-Dec-2009 22:53:13
Detected languages
English - United States
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000C8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
05-Dec-2009 22:53:13
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_RELOCS_STRIPPED
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0000601A 0x00006200 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.39018
.rdata 0x00008000 0x000011E0 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.31017
.data 0x0000A000 0x0001C3D8 0x00000C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.11457
.ndata 0x00027000 0x0000A000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x00031000 0x00042A88 0x00042C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 2.49716
Resources
  • 1
  • 103
  • 105
  • 106
  • 111
Imports
  • KERNEL32.dll
  • USER32.dll
  • GDI32.dll
  • SHELL32.dll
  • ADVAPI32.dll
  • COMCTL32.dll
  • ole32.dll
  • VERSION.dll

Exports

    No exports.

Processes

Total processes
47
Monitored processes
7
Malicious processes
6
Suspicious processes
0

Behavior graph

Graph nodes (in order): start → download and start → download and start → founderfont_0.9.7.5_fontsnetcn.exe (no specs) → founderfont_0.9.7.5_fontsnetcn.exe → searchprotocolhost.exe (no specs), founderfontplus.update.exe, founderfontplus.client.exe, founderfontplus.fontinstall.exe (no specs), founderfontplus.fontinstall.exe

Process information

PID
876
CMD
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path
C:\Windows\System32\SearchProtocolHost.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft Windows Search Protocol Host
Version
7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\tquery.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msshooks.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msidle.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\mssph.dll
c:\windows\system32\mapi32.dll
c:\windows\system32\authz.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\version.dll
c:\users\admin\字加\founderfontplus.fontinstall.exe
c:\users\admin\字加\founderfontplus.generaltools.dll
c:\users\admin\字加\founderfontplus.fontlogic.dll
c:\users\admin\字加\founderfontplus.core.dll
c:\users\admin\字加\founderfontplus.client.exe
c:\users\admin\字加\fontinteraction.dll
c:\windows\system32\msxml3r.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mlang.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\users\admin\字加\uninst.exe
c:\users\admin\字加\wpfanimatedgif.dll
c:\users\admin\字加\system.windows.interactivity.dll
c:\users\admin\字加\system.data.sqlite.dll
c:\users\admin\字加\system.data.sqlite.linq.dll
c:\users\admin\字加\system.data.sqlite.ef6.dll
c:\users\admin\字加\newtonsoft.json.dll
c:\users\admin\字加\nsoup.dll
c:\users\admin\字加\ionic.zip.dll
c:\users\admin\字加\galasoft.mvvmlight.dll
c:\users\admin\字加\galasoft.mvvmlight.extras.dll
c:\users\admin\字加\founderfontplus.update.exe
c:\users\admin\字加\commonservicelocator.dll
c:\users\admin\字加\x86\sqlite.interop.dll
c:\windows\system32\notepad.exe
c:\users\admin\字加\update\founderfontplus.client.exe
c:\users\admin\字加\founderfontplus.client.exeent.exe
c:\users\admin\字加\update\founderfontplus.update.exe
c:\users\admin\字加\font_interaction.dll
c:\users\admin\字加\update\fontinteraction.dll
c:\users\admin\字加\fontinteraction.dllion.dll

PID
3256
CMD
"C:\Users\admin\AppData\Local\Temp\FounderFont_0.9.7.5_fontsnetcn.exe"
Path
C:\Users\admin\AppData\Local\Temp\FounderFont_0.9.7.5_fontsnetcn.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\founderfont_0.9.7.5_fontsnetcn.exe
c:\systemroot\system32\ntdll.dll

PID
4024
CMD
"C:\Users\admin\AppData\Local\Temp\FounderFont_0.9.7.5_fontsnetcn.exe"
Path
C:\Users\admin\AppData\Local\Temp\FounderFont_0.9.7.5_fontsnetcn.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\founderfont_0.9.7.5_fontsnetcn.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\users\admin\appdata\local\temp\nsbb76a.tmp\installoptions.dll
c:\windows\system32\comdlg32.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\netutils.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\networkexplorer.dll
c:\users\admin\appdata\local\temp\nsbb76a.tmp\accesscontrol.dll
c:\windows\system32\linkinfo.dll
c:\users\admin\字加\founderfontplus.update.exe
c:\users\admin\字加\uninst.exe

PID
672
CMD
"C:\Users\admin\字加\FounderFontPlus.Update.exe"
Path
C:\Users\admin\字加\FounderFontPlus.Update.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
北京北大方正电子有限公司
Description
FounderFontPlus.Update
Version
1.0.0.0
Modules
Image
c:\users\admin\字加\founderfontplus.update.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsbase\0d5a8e6f89227cc5d954e65856f9cf1a\windowsbase.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentationcore\e7873d3bd71f6122c2a954be1bb5bb28\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio5ae0f00f#\b34cda03a984c515b31faf410e5b7e39\presentationframework.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xaml\4d290752f65a065fcde70178562c3383\system.xaml.ni.dll
c:\windows\system32\dwrite.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpfgfx_v0400.dll
c:\windows\system32\msvcp120_clr0400.dll
c:\windows\system32\oleaut32.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\presentationnative_v0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bcrypt.dll
c:\users\admin\字加\galasoft.mvvmlight.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\vga.dll
c:\users\admin\字加\wpfanimatedgif.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatiod51afaa5#\867cbe7462b04e2cf1ae39abb576ae2a\presentationframework.classic.ni.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msctfui.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\uiautomationtypes\1e1a1bd97e618bc4934ee967bea27ae8\uiautomationtypes.ni.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\oleacc.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml.linq\f68563fb25af65c25de37130ebcd576c\system.xml.linq.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\e588691224a17737f3a164cc2d46c156\system.management.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\users\admin\字加\newtonsoft.json.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\62a6b39f4f68c25dfd2f6308d7541401\system.runtime.serialization.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\5ac17cc5b92efda83e2925857f4fa655\system.numerics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\1288d7e030bc0c5d8b2cbe5f33aeed7f\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\winmm.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wpdshext.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\ieframe.dll
c:\users\admin\字加\founderfontplus.client.exeent.exe
c:\users\admin\字加\founderfontplus.fontinstall.exe

PID
4048
CMD
"C:\Users\admin\字加\FounderFontPlus.Client.exe"
Path
C:\Users\admin\字加\FounderFontPlus.Client.exe
Indicators
Parent process
FounderFontPlus.Update.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
北京北大方正电子有限公司
Description
FounderFontPlus.Client
Version
1.0.0.0
Modules
Image
c:\users\admin\字加\founderfontplus.client.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsbase\0d5a8e6f89227cc5d954e65856f9cf1a\windowsbase.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentationcore\e7873d3bd71f6122c2a954be1bb5bb28\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio5ae0f00f#\b34cda03a984c515b31faf410e5b7e39\presentationframework.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xaml\4d290752f65a065fcde70178562c3383\system.xaml.ni.dll
c:\windows\system32\dwrite.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpfgfx_v0400.dll
c:\windows\system32\msvcp120_clr0400.dll
c:\windows\system32\oleaut32.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\presentationnative_v0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\vga.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatiod51afaa5#\867cbe7462b04e2cf1ae39abb576ae2a\presentationframework.classic.ni.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsform0b574481#\c6131c3262a5bf98463da8f219b75baa\windowsformsintegration.ni.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\msctfui.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\uiautomationtypes\1e1a1bd97e618bc4934ee967bea27ae8\uiautomationtypes.ni.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\oleacc.dll
c:\users\admin\字加\founderfontplus.fontlogic.dll
c:\windows\system32\winmm.dll
c:\users\admin\字加\founderfontplus.generaltools.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.management\e588691224a17737f3a164cc2d46c156\system.management.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\wminet_utils.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\users\admin\字加\newtonsoft.json.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.runteb92aa12#\62a6b39f4f68c25dfd2f6308d7541401\system.runtime.serialization.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.numerics\5ac17cc5b92efda83e2925857f4fa655\system.numerics.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.data\1288d7e030bc0c5d8b2cbe5f33aeed7f\system.data.ni.dll
c:\windows\microsoft.net\assembly\gac_32\system.data\v4.0_4.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.web\7c32e936a07e0c7d9cae3ac27497f613\system.web.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\webengine4.dll
c:\windows\system32\userenv.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\secur32.dll
c:\windows\system32\schannel.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\users\admin\字加\galasoft.mvvmlight.dll

PID
3068
CMD
"C:\Users\admin\字加\FounderFontPlus.FontInstall.exe"
Path
C:\Users\admin\字加\FounderFontPlus.FontInstall.exe
Indicators
No indicators
Parent process
FounderFontPlus.Update.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
北京北大方正电子有限公司
Description
FounderFontPlus.FontInstall
Version
1.0.0.0
Modules
Image
c:\users\admin\字加\founderfontplus.fontinstall.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsbase\0d5a8e6f89227cc5d954e65856f9cf1a\windowsbase.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentationcore\e7873d3bd71f6122c2a954be1bb5bb28\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio5ae0f00f#\b34cda03a984c515b31faf410e5b7e39\presentationframework.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xaml\4d290752f65a065fcde70178562c3383\system.xaml.ni.dll
c:\windows\system32\dwrite.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpfgfx_v0400.dll
c:\windows\system32\msvcp120_clr0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\presentationnative_v0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mpr.dll
c:\windows\system32\rpcrtremote.dll

PID
3836
CMD
"C:\Users\admin\字加\FounderFontPlus.FontInstall.exe"
Path
C:\Users\admin\字加\FounderFontPlus.FontInstall.exe
Indicators
Parent process
FounderFontPlus.FontInstall.exe
User
admin
Integrity Level
HIGH
Version:
Company
北京北大方正电子有限公司
Description
FounderFontPlus.FontInstall
Version
1.0.0.0
Modules
Image
c:\users\admin\字加\founderfontplus.fontinstall.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v4.0.30319\clr.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\mscorlib\97e047cf68e9a7d90e196d072cd49cac\mscorlib.ni.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\microsoft.net\framework\v4.0.30319\clrjit.dll
c:\windows\system32\oleaut32.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system\e071297bb06faa961bef045ae5f25fdc\system.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.core\21a1606b6c00f9abe7db55c02e0f87c9\system.core.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\windowsbase\0d5a8e6f89227cc5d954e65856f9cf1a\windowsbase.ni.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentationcore\e7873d3bd71f6122c2a954be1bb5bb28\presentationcore.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatio5ae0f00f#\b34cda03a984c515b31faf410e5b7e39\presentationframework.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xaml\4d290752f65a065fcde70178562c3383\system.xaml.ni.dll
c:\windows\system32\dwrite.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\wpfgfx_v0400.dll
c:\windows\system32\msvcp120_clr0400.dll
c:\windows\microsoft.net\framework\v4.0.30319\wpf\presentationnative_v0400.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.drawing\61dfb69c9ad6ed96809170d54d80b8a6\system.drawing.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.windows.forms\2dc6cfd856864312d563098f9486361c\system.windows.forms.ni.dll
c:\users\admin\字加\founderfontplus.fontlogic.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v4.0.30319\nlssorting.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.configuration\cd03f9386e02f56502e01a25ddd7e0a7\system.configuration.ni.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\system.xml\7c8f75f367134a030cba4a127dc62a2f\system.xml.ni.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\uxtheme.dll
c:\windows\assembly\nativeimages_v4.0.30319_32\presentatiod51afaa5#\867cbe7462b04e2cf1ae39abb576ae2a\presentationframework.classic.ni.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\d3d9.dll
c:\windows\system32\d3d8thk.dll
c:\windows\system32\vga.dll
c:\users\admin\字加\founderfontplus.generaltools.dll

Registry activity

Total events
1716
Read events
1651
Write events
65
Delete events
0

Modification events

PID Process Operation
  Key
    Name = Value

876 SearchProtocolHost.exe write
  HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\70\52C64B7E
    LanguageList = en-US
    @C:\Windows\System32\msxml3r.dll,-1 = XML Document
    @C:\Windows\System32\ieframe.dll,-10046 = Internet Shortcut
    @C:\Windows\system32\notepad.exe,-469 = Text Document

4024 FounderFont_0.9.7.5_fontsnetcn.exe write
  HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
    LanguageList = en-US
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    Browse For Folder Width = 318
    Browse For Folder Height = 288
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\字加
    DisplayName = 字加 0.9.7.5_beta
    UninstallString = C:\Users\admin\字加\uninst.exe
    DisplayVersion = 0.9.7.5_beta
    URLInfoAbout = http://www.foundertype.com
    Publisher = 北大方正电子

672 FounderFontPlus.Update.exe write
  HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
    Name = FounderFontPlus.Update.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FounderFontPlus_RASAPI32
    EnableFileTracing = 0
    EnableConsoleTracing = 0
    FileTracingMask = 4294901760
    ConsoleTracingMask = 4294901760
    MaxFileSize = 1048576
    FileDirectory = %windir%\tracing
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FounderFontPlus_RASMANCS
    EnableFileTracing = 0
    EnableConsoleTracing = 0
    FileTracingMask = 4294901760
    ConsoleTracingMask = 4294901760
    MaxFileSize = 1048576
    FileDirectory = %windir%\tracing
  HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
    LanguageList = en-US
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    UNCAsIntranet = 0
    AutoDetect = 1
  HKEY_CURRENT_USER\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow
    Left = 0
    Top = 0

4048 FounderFontPlus.Client.exe write
  HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
    Name = FounderFontPlus.Client.exe
  HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
    LanguageList = en-US

3068 FounderFontPlus.FontInstall.exe write
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    UNCAsIntranet = 0
    AutoDetect = 1

3836 FounderFontPlus.FontInstall.exe write
  HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication
    Name = FounderFontPlus.FontInstall.exe

Files activity

Executable files
29
Suspicious files
0
Text files
38
Unknown types
4

Dropped files

PID Process Filename Type
    MD5 / SHA256

4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\AppData\Local\Temp\nsbB76A.tmp\InstallOptions.dll  executable
    MD5 325b008aec81e5aaa57096f05d4212b5  SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\FounderFontPlus.Update.exe  executable
    MD5 acbcfda2fb794f85fe500fa49469ee33  SHA256 f0296706f1cd73b6a90bb6dd70b3da16800744df99fe7d40ae4a51b2b6697995
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\AppData\Local\Temp\nsbB76A.tmp\AccessControl.dll  executable
    MD5 9e7d36edcc188e166dee9552017ac94f  SHA256 d52a83c2a8551cebf48ff7a8d5930be1873bce990f855ccab4d7479cfeb22e3d
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\FounderFontPlus.GeneralTools.dll  executable
    MD5 ed3166224ff52f9596eda2473c4d237c  SHA256 88ed71a220683105656bec718c305b80e2061b5099c5031bce4045302f75e24b
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\x86\SQLite.Interop.dll  executable
    MD5 75278f5ebe41817b2d85aff60f84f7c6  SHA256 9e08d48e4d8bc18099b845246c61b54d3718cfb1870c9547e61c733c991dfb69
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\FounderFontPlus.FontLogic.dll  executable
    MD5 7a9b5afbd06f173486c87d634bc39184  SHA256 aa835e3c2500872a78ec7b4565deeb379ab33baee564f57bbad61fd3f6b32bfe
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\FounderFontPlus.Client.exe  executable
    MD5 d84691896f5d91ac8480073963b959f2  SHA256 dbcf7981ae4f54a3561b2a203094dc8d9a4cfb0af70109c5cfdb4ca5649e1d23
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\FounderFontPlus.FontInstall.exe  executable
    MD5 fe93d71941d1fa64ee0aaaf1a0d25b84  SHA256 2601de8ee7d231d7db4283795768580909a04f017ca391f88c2ca41f2eae2894
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\Update\FounderFontPlus.Update.exe  executable
    MD5 72fac6d6d41d99b810e88f7f3f5e86af  SHA256 ce6d37fc8108507068b9be4b704f4564e615008f352a6e09862bf0cc834415d4
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\FounderFontPlus.Core.dll  executable
    MD5 9098e48951750d366c3db64fc8aacfc5  SHA256 8dd97430b4f4216269a1717f9d0c2ea75912e0a23de50b82c3714d690a997e5c
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\GalaSoft.MvvmLight.Extras.dll  executable
    MD5 9b9d52b1af97307c20cde8cf537ed06b  SHA256 b1441f0d875e3749b0fce8ffd498ba3459e00ea4587d1f080b724bb7020cc5c8
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\FounderFontPlus.FontLogic.dll  executable
    MD5 ab6ce5822759057e3aadd583616ef2dd  SHA256 3a2328f11806f8b0d3a3b8897fe63afc731b05a698af5073a553e0d9234f449d
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\GalaSoft.MvvmLight.dll  executable
    MD5 ef91d5dbddf5f3b2dd04d43012292cfa  SHA256 db4203b2781307ac0ff58db6b889cb6a51e50fca2103cc0f2c73401d81bad19c
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\FounderFontPlus.Client.exe  executable
    MD5 17c15bd3932a6e5a118f75af309b020f  SHA256 1d6df98b40c1a924378770c42b1b41c2e20b877c31d89bd7bd06a2c4a35db050
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\Ionic.Zip.dll  executable
    MD5 6ded8fcbf5f1d9e422b327ca51625e24  SHA256 3b3e541682e48f3fd2872f85a06278da2f3e7877ee956da89b90d732a1eaa0bd
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\FounderFontPlus.FontInstall.exe  executable
    MD5 6524253869a92cfcb90c3172b020ad5d  SHA256 069bbca9fbc7a970f39587b6450d0efc553127a60bbda031a7db8f1e29d803b6
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\NSoup.dll  executable
    MD5 661e5b49491edbf4ad911d98c1372079  SHA256 27fe61f165d9b5304e1089847c97543ed1ce43fdae8466ce47992400eedd7918
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\FontInteraction.dll  executable
    MD5 b972bf6521b6b2d7501f0e92018d6a1a  SHA256 f5916bbd1c3e8008f6bd5042939f25b8674a9be60b673d8a647fa80f7400c83c
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\Newtonsoft.Json.dll  executable
    MD5 8f6875148b45c300b95514cb40703c2e  SHA256 ea7fd75e2bb069699d4da09f3601d70ca8e401f58949178cdbf2c5928720daa1
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\Font_Interaction.dll  executable
    MD5 eeb7684c84f05aa4ee97089de58e599f  SHA256 943b6005326a063275269cf8da73ccce3821577d3da40eb39b5663b23eb6c73a
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\uninst.exe  executable
    MD5 5f0837bd66ed86195a5fac5a22272b3a  SHA256 875030fa6f4ea70cff803d519e06c23874de4d8f018f3ed71dd213716971d19e
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\CommonServiceLocator.dll  executable
    MD5 15f6aba908544febd6160bbd22959fcb  SHA256 92bb52995fd841e25fed46b560ea048bece2b9c0d11667f91c1f617c6fdcb719
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\System.Data.SQLite.Linq.dll  executable
    MD5 4fdbc2bd80f3dd42f35c303cdae9c93b  SHA256 c07206d15a9a2b264a4ec5bb7aa6e86d75ab46f2a89848fa5cb169a7bcf2f27d
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\FontInteraction.dll  executable
    MD5 713adf8af6a74e53bcef57e39638d0d0  SHA256 97cd7cb4f2af154e174b6826165a17effef01028af56717bfd79151927b2dd12
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\System.Windows.Interactivity.dll  executable
    MD5 3ab57a33a6e3a1476695d5a6e856c06a  SHA256 4aace8c8a330ae8429cd8cc1b6804076d3a9ffd633470f91fd36bdd25bb57876
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\System.Data.SQLite.EF6.dll  executable
    MD5 8cd1b708c53acb47817a3ac7415e938b  SHA256 e32070353fe62863ef299386fe01c55ea0a11e87ba6c08e0139bd9b0960f49af
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\System.Data.SQLite.dll  executable
    MD5 0c186d47d2c74021940247c59e2ec146  SHA256 eb000bed426fb19b0fa91b6aa45e30a4ccd487215835755bff9e109a04c94852
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\WpfAnimatedGif.dll  executable
    MD5 53a37f8a6157d7a4914bce3872322c00  SHA256 354c280d91ad0a8d56aca376f592c61862d4da5928729b50748d27f6ef04d01b
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\uninst.exe  executable
    MD5 075c6b9820f7f266314ee4ac90afbeb3  SHA256 fa2a43823522c78c3a888dea9c1555db5efe0eda304a7c640f55b7883e984d96
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\Image\fontimg_forever-ziku-two-FZLTXHJW-2ee0889a85420113435bff66c5d273b2-FZLTXHJW.png  image
    MD5 9431e70d4eae0fbfaac23a816ee9af43  SHA256 325abeec7a0ccf33a9dc209eb03782725e068c96f5640ac0e03c86c3b5c1c3af
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\Image\fontimg_forever-ziku-two-FZLuXTJW-659718e267d11e895f477c386d88589e-FZLuXTJW.png  image
    MD5 8426a0ab50023544e861576b29c27198  SHA256 65966ec5d7f6e0a18c8047a9665fcc724073223c430a847033a99d8339789e12
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\AppData\Local\Temp\nsbB76A.tmp\modern-wizard.bmp  image
    MD5 cbe40fd2b1ec96daedc65da172d90022  SHA256 3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\Image\fontimg_forever-ziku-two-FZJuZXFJW-c21bd7c4d78abe0f7b0aca81bf280ee1-FZJuZXFJW.png  image
    MD5 84bed328becae5cda728dc6ce8836811  SHA256 a687b3bfd8541db496a146dcf520158bdcf1dbebe3873be86dfbe830b5a8b0ca
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\Image\fontimg_forever-ziku-two-FZLTCXHJW-ede654bc582ca3c68b210998012af290-FZLTCXHJW.png  image
    MD5 7437131b4454d9e8d112cd82e5540d68  SHA256 b3faf1b665b9aec5993cde1ad53f8795d504fca7d2d543248d47d78726b6f8c3
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\Image\fontimg_forever-ziku-two-FZCuJinLJW-78fcce5e2ba594f10cd147c256eb36d5-FZCuJinLJW.png  image
    MD5 9555db726c27127b74ce17f6221097e0  SHA256 70dc20891c8a1b0401c059803ab7d73e58bdea78d8eedc8eaf30d9786d287d17
4048 FounderFontPlus.Client.exe  C:\Users\admin\字加\Config.xml  xml
    MD5 a017091dd4f844aa581420053ea641f8  SHA256 049158e4b134b133c36e1cca0b4ccfb2c4aaf27b0cecef3b2e463c7b2babcff9
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\fonts.sqlite  ––
    MD5 ––  SHA256 ––
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\Update\FounderFontPlus.FontLogic.dll  ––
    MD5 ––  SHA256 ––
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\UpdateList.xml  xml
    MD5 d2fe1252968f42947cdd2390ac63ee84  SHA256 fa671fcbe5e1b3e3a94cc6c7dd6de7ff9bc86e11b50c90fb64c0ab98c272136c
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\Update\FontInteraction.dll  ––
    MD5 ––  SHA256 ––
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\meain2j1.newcfg  ––
    MD5 ––  SHA256 ––
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\Update\FounderFontPlus.Client.exe  ––
    MD5 ––  SHA256 ––
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\Update\UpdateList.xml  xml
    MD5 ab1f4beba41d8054cfa87628d12ff6c1  SHA256 9b35572d9f17cea8eba274caa2bfe3e68dff9da7588f53da9dce55430bdcdada
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\install.log  text
    MD5 9e47e3c65755c38015da8936d0e40dee  SHA256 5386d5c51821fc8751a63f71717ad6ac8aedc5889a09fcc2c014584016c7b854
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\AppData\Local\Temp\nsbB76A.tmp\ioSpecial.ini  text
    MD5 0a0ea0e348bd6540b28a6f82996ce1a9  SHA256 0d4dcf814669fc1da08de1b57055f560c97b25b41422bd73fb574f7da461214d
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\字加\Uninstall.lnk  lnk
    MD5 fa2d6ddda24a681c4a50e33ac162578b  SHA256 47b0322c56108451f9231f030b27c3d511db5662553923fcd0c8f5e007a42ccc
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\Update\Font_Interaction.dll  ––
    MD5 ––  SHA256 ––
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\字加\访问.lnk  lnk
    MD5 0e67667ebc66c042a5bf2080d5de1528  SHA256 9099994f15b680dba2df38da169dc935efd6e5cbb77c164a8257c1ea7ea6fb15
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\字加\字加.lnk  lnk
    MD5 9384b4308a51e15fa4b24e4969215962  SHA256 065aba8f04693aced2b5301fba93a0f2df4a021e3739ad27062d29b4a07b3642
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\字加.url  text
    MD5 6779792e1ff3f14923ebce8a2d56a5b6  SHA256 5f8aded60f0bde5091ed2c27dcfb589ea9afe56930151ac892508aba20244e28
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\Public\Desktop\字加.lnk  lnk
    MD5 23b358cbd3a94fa0d5cfea29d5549b96  SHA256 e8c39e8e16a0c27cd7cd7e2fe9d5621268dc4971181f8f3c661c5698fe7b7022
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\UpdateList.xml  xml
    MD5 ab1f4beba41d8054cfa87628d12ff6c1  SHA256 9b35572d9f17cea8eba274caa2bfe3e68dff9da7588f53da9dce55430bdcdada
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\Update\FounderFontPlus.FontInstall.exe  ––
    MD5 ––  SHA256 ––
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\Tools\InteractAE.jsx  text
    MD5 4f4946864fa32874bcfca78cb7955b85  SHA256 763efd67a7dabbef2c09ff593ea15a5774da9d32ec05c88a29d102f80d351ac5
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\FounderFontPlus.Client.exe.config  xml
    MD5 be73afc8eac3dc46d678a2c3c99b7ec5  SHA256 d430336f93e8dbd83ab515fc0c2c3097fac19ff782dbbb40153c10f643cafce5
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\Image\fontimg_forever-ziku-two-FZYouMaoZaiJ-c88c98eb41080e745b9a5f043657c0f9-FZYouMaoZaiJ.png  image
    MD5 3b3875cbadde6142e752b82f7de37ad6  SHA256 c80fc35b95710a94e7b4f01ff428d5e16767fade024112b2ecce859a2dd4013b
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\Config.xml  xml
    MD5 b39d593c552cce1c7a40992f36c3aa63  SHA256 6fc384ee74ddd17085b43d194955bcc39f66f8da485804dc4a743e43a5770542
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\Image\fontimg_forever-ziku-two-FZXiJinLJW-f47613174597a9ff5ad7928995120db2-FZXiJinLJW.png  image
    MD5 671fdf24fd63e111e1c6dcf66e1bc07b  SHA256 1425588c8b1016fddc52152769f4d3c8704885c36a90ab80cf65b1bb42951013
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\AppData\Local\Temp\nsbB76A.tmp\ioSpecial.ini  text
    MD5 d2d24f5346f6440badf152fa0c3f66c6  SHA256 4fd4b4ed1f73ffc960fb43280cefaa98ac148607ae6b60d483e26eb419600b48
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\字加\Image\fontimg_forever-ziku-two-FZQKBYSJW-12232f65c491d156df1c0739707453b4-FZQKBYSJW.png  image
    MD5 781662e8fc58002b0d7ea123ccc7206d  SHA256 3f5d942b9321ca768521c2c44b6afb55541c134d13268297cb4e3b4e6d2fab0b
4024 FounderFont_0.9.7.5_fontsnetcn.exe  C:\Users\admin\AppData\Local\Temp\nsbB76A.tmp\ioSpecial.ini  text
    MD5 a8b57975f451b5204b968b7388bb7744  SHA256 1db58fe54cecb748aa88916d3d12be7a529eb61b03429126ccd012ed5ec70556
672 FounderFontPlus.Update.exe  C:\Users\admin\字加\FounderFontPlus.Client.exe.config  xml
    MD5 d65af6bd19b12356ecc5dfdfcefef1de  SHA256 dd866bc583540b14318dbffd508209528f1fd0c0e726a164134f3ce7beb0ad92

Find more information on the static content, and download it, in the full report

Network activity

HTTP(S) requests
7
TCP/UDP connections
5
DNS requests
3
Threats
2

HTTP requests

PID Process Method HTTP Code IP URL CN Type Reputation
672 FounderFontPlus.Update.exe GET 200 47.95.85.27:80 http://foundertype-bk4.oss-cn-beijing.aliyuncs.com/fontmanage/XML/UpdateList.xml?OSSAccessKeyId=8kXTv7Dc9Mo4e1pN&Expires=1563445742&Signature=1Ti1LhtdwYd59uWUy5DMqFLqJtU%3D CN xml suspicious
672 FounderFontPlus.Update.exe GET 200 47.95.85.27:80 http://foundertype-bk4.oss-cn-beijing.aliyuncs.com/fontmanage/EXE/FounderFontPlus.Client.exe?OSSAccessKeyId=8kXTv7Dc9Mo4e1pN&Expires=1563445743&Signature=3SEcqF9JyTzNhlyBlR9xqU8AdCM%3D CN executable suspicious
672 FounderFontPlus.Update.exe GET 200 47.95.85.27:80 http://foundertype-bk4.oss-cn-beijing.aliyuncs.com/fontmanage/EXE/FounderFontPlus.Update.exe?OSSAccessKeyId=8kXTv7Dc9Mo4e1pN&Expires=1563445746&Signature=zkM34cwqUHm9Z113gR%2BET%2BFRrRQ%3D CN executable suspicious
672 FounderFontPlus.Update.exe GET 200 47.95.85.27:80 http://foundertype-bk4.oss-cn-beijing.aliyuncs.com/fontmanage/DLL/FounderFontPlus.FontLogic.dll?OSSAccessKeyId=8kXTv7Dc9Mo4e1pN&Expires=1563445747&Signature=3e%2BITsLsM4tPifGPOLLuDaJY6ls%3D CN executable suspicious
672 FounderFontPlus.Update.exe GET 200 47.95.85.27:80 http://foundertype-bk4.oss-cn-beijing.aliyuncs.com/fontmanage/EXE/FounderFontPlus.FontInstall.exe?OSSAccessKeyId=8kXTv7Dc9Mo4e1pN&Expires=1563445748&Signature=%2BSKrBZuGyvH63xE2jvraXn%2Bwq%2Fo%3D CN executable suspicious
672 FounderFontPlus.Update.exe GET 200 47.95.85.27:80 http://foundertype-bk4.oss-cn-beijing.aliyuncs.com/fontmanage/DLL/Font_Interaction.dll?OSSAccessKeyId=8kXTv7Dc9Mo4e1pN&Expires=1563445749&Signature=P9xweo%2BVBUA77CnHpzIJ7B0rkDk%3D CN executable suspicious
672 FounderFontPlus.Update.exe GET 200 47.95.85.27:80 http://foundertype-bk4.oss-cn-beijing.aliyuncs.com/fontmanage/DLL/FontInteraction.dll?OSSAccessKeyId=8kXTv7Dc9Mo4e1pN&Expires=1563445751&Signature=dgsxaHPkmdgjzm8AcI5HrsVmTfU%3D CN executable suspicious

Download the PCAP, analyze network streams, HTTP content and more in the full report

Connections

PID Process IP ASN CN Reputation
672 FounderFontPlus.Update.exe 39.107.156.7:443 Hangzhou Alibaba Advertising Co.,Ltd. CN unknown
672 FounderFontPlus.Update.exe 47.95.85.27:80 Hangzhou Alibaba Advertising Co.,Ltd. CN suspicious
4048 FounderFontPlus.Client.exe 39.107.156.7:443 Hangzhou Alibaba Advertising Co.,Ltd. CN unknown

DNS requests

Domain IP Reputation
zk.foundertype.com 39.107.156.7 unknown
foundertype-bk4.oss-cn-beijing.aliyuncs.com 47.95.85.27 suspicious
cdn1.foundertype.com No response unknown

Threats

PID Process Class Message
672 FounderFontPlus.Update.exe Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
672 FounderFontPlus.Update.exe Potentially Bad Traffic ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
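Both ET signatures fire on the same behaviour: FounderFontPlus.Update.exe pulls PE files over plain HTTP from an Alibaba Cloud OSS bucket and then writes them over the binaries the NSIS installer had just dropped (compare the two SHA256 values recorded for FounderFontPlus.Client.exe, FounderFontPlus.FontLogic.dll, FounderFontPlus.FontInstall.exe and FontInteraction.dll in the dropped-files table). The Python below, added here as an illustration and not code from ANY.RUN or from the Founder software, pulls those two findings out of the report's own tables: executables fetched without transport integrity, and installed binaries replaced at runtime with a different hash. It also decodes the OSS presigned query string, whose Signature is an HMAC computed with the bucket owner's access-key secret; it authorises the request to OSS until Expires and gives the downloading client no way to check the object's integrity. The input records are transcribed from the tables above (the install directory is written as 字加, which the sandbox renders as the GBK mojibake ×Ö¼Ó); the single HTTPS entry is hypothetical, since the report shows only a TCP connection to zk.foundertype.com:443 and no URL, and is there to exercise the branch that is not flagged. Whether the updater verified a signature or hash before overwriting the files is not visible in the report.

```python
"""Triage helpers for the HTTP-request and dropped-file tables of a sandbox
report. Added illustration: not ANY.RUN code and not part of the Founder
software. The records below are transcribed from the report's tables."""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# (pid, process, url, content type as labelled by the sandbox). The last entry is
# hypothetical: the report only shows a TCP connection to zk.foundertype.com:443,
# so its path is invented to exercise the HTTPS branch.
HTTP_REQUESTS = [
    (672, "FounderFontPlus.Update.exe",
     "http://foundertype-bk4.oss-cn-beijing.aliyuncs.com/fontmanage/XML/UpdateList.xml"
     "?OSSAccessKeyId=8kXTv7Dc9Mo4e1pN&Expires=1563445742&Signature=1Ti1LhtdwYd59uWUy5DMqFLqJtU%3D",
     "xml"),
    (672, "FounderFontPlus.Update.exe",
     "http://foundertype-bk4.oss-cn-beijing.aliyuncs.com/fontmanage/EXE/FounderFontPlus.Client.exe"
     "?OSSAccessKeyId=8kXTv7Dc9Mo4e1pN&Expires=1563445743&Signature=3SEcqF9JyTzNhlyBlR9xqU8AdCM%3D",
     "executable"),
    (672, "FounderFontPlus.Update.exe",
     "http://foundertype-bk4.oss-cn-beijing.aliyuncs.com/fontmanage/DLL/FounderFontPlus.FontLogic.dll"
     "?OSSAccessKeyId=8kXTv7Dc9Mo4e1pN&Expires=1563445747&Signature=3e%2BITsLsM4tPifGPOLLuDaJY6ls%3D",
     "executable"),
    (4048, "FounderFontPlus.Client.exe", "https://zk.foundertype.com/hypothetical/path", "xml"),
]

# (pid, process, path, sha256 or None where the report shows "––"). The install
# directory is 字加, which the sandbox renders as the GBK mojibake ×Ö¼Ó. Entries
# are ordered installer first, then updater, as in the process tree.
INSTALLER, UPDATER = "FounderFont_0.9.7.5_fontsnetcn.exe", "FounderFontPlus.Update.exe"
DROPPED_FILES = [
    (4024, INSTALLER, r"C:\Users\admin\字加\FounderFontPlus.Client.exe",
     "1d6df98b40c1a924378770c42b1b41c2e20b877c31d89bd7bd06a2c4a35db050"),
    (672, UPDATER, r"C:\Users\admin\字加\FounderFontPlus.Client.exe",
     "dbcf7981ae4f54a3561b2a203094dc8d9a4cfb0af70109c5cfdb4ca5649e1d23"),
    (4024, INSTALLER, r"C:\Users\admin\字加\FounderFontPlus.FontLogic.dll",
     "aa835e3c2500872a78ec7b4565deeb379ab33baee564f57bbad61fd3f6b32bfe"),
    (672, UPDATER, r"C:\Users\admin\字加\FounderFontPlus.FontLogic.dll",
     "3a2328f11806f8b0d3a3b8897fe63afc731b05a698af5073a553e0d9234f449d"),
    (4024, INSTALLER, r"C:\Users\admin\字加\uninst.exe",
     "875030fa6f4ea70cff803d519e06c23874de4d8f018f3ed71dd213716971d19e"),
    (4024, INSTALLER, r"C:\Users\admin\字加\uninst.exe",
     "fa2a43823522c78c3a888dea9c1555db5efe0eda304a7c640f55b7883e984d96"),
    (4024, INSTALLER, r"C:\Users\admin\字加\GalaSoft.MvvmLight.dll",
     "db4203b2781307ac0ff58db6b889cb6a51e50fca2103cc0f2c73401d81bad19c"),
    (672, UPDATER, r"C:\Users\admin\字加\Update\FounderFontPlus.FontLogic.dll", None),
]


def cleartext_pe_downloads(requests):
    """PE payloads fetched over plain HTTP. Without TLS there is no transport
    integrity, so anyone on the path can swap the binary; this is what the two
    ET rules flag. Returns (process, object name) pairs in request order."""
    hits = []
    for _pid, proc, url, ctype in requests:
        parts = urlsplit(url)
        if parts.scheme == "http" and ctype == "executable":
            hits.append((proc, parts.path.rsplit("/", 1)[-1]))
    return hits


def presigned_url_fields(url):
    """Decode the OSS presigned query string. The Signature is an HMAC made with
    the access-key secret: it authorises this GET to OSS until Expires. The
    client cannot verify it and it says nothing about the object's integrity."""
    qs = parse_qs(urlsplit(url).query)          # parse_qs undoes the %3D / %2B
    expires = int(qs["Expires"][0]) if "Expires" in qs else None
    return {
        "key_id": qs.get("OSSAccessKeyId", [None])[0],
        "expires": expires,
        "expires_utc": (datetime.fromtimestamp(expires, tz=timezone.utc).isoformat()
                        if expires is not None else None),
        "signature": qs.get("Signature", [None])[0],
    }


def overwritten_binaries(dropped):
    """Paths written more than once with differing SHA256 values, matched
    case-insensitively as NTFS does. Records without a hash are skipped.
    Returns {lowercased path: [(process, sha256), ...]} in write order."""
    writes = defaultdict(list)
    for _pid, proc, path, sha in dropped:
        if sha:
            writes[path.lower()].append((proc, sha))
    return {p: w for p, w in writes.items() if len({s for _, s in w}) > 1}


def updater_replacements(dropped, updater=UPDATER):
    """Installed binaries whose final writer is the updater: the file the
    installer shipped was replaced by one fetched at runtime."""
    return sorted(p for p, w in overwritten_binaries(dropped).items() if w[-1][0] == updater)


if __name__ == "__main__":
    for proc, name in cleartext_pe_downloads(HTTP_REQUESTS):
        print(f"cleartext PE download by {proc}: {name}")
    print(presigned_url_fields(HTTP_REQUESTS[0][2]))
    for path in updater_replacements(DROPPED_FILES):
        print("installed binary replaced by updater:", path)
```

Run against the full tables from the report, overwritten_binaries also picks up the two uninst.exe writes and the Config.xml, UpdateList.xml and FounderFontPlus.Client.exe.config rewrites, while updater_replacements keeps only the executables the updater wrote last; the Update\ copies carry no hash in the report and are ignored.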

Debug output strings

No debug info.