fontcache.exe

Microsoft @ Windows @ Operation System

Hefei Hejunzhengce Info Tech Co., Ltd.

The application fontcache.exe, “Windows Font Cache Service” by Hefei Hejunzhengce Info Tech Co., has been detected as a potentially unwanted program by 7 anti-malware scanners. It runs as a Windows service named “Windows Font Cache Service (R1)”. While running, it connects to the Internet address 8a.eb.6132.ip4.static.sl-reverse.com on port 80 using the HTTP protocol.
Publisher:

Product:
Microsoft @ Windows @ Operation System

Description:
Windows Font Cache Service

Version:
1.7.9.3

MD5:
d3f1d528b2eb45379fba7a0b2a6bfc07

SHA-1:
45e9cc7a1b28f52692a50f7882774f7f8df79906

SHA-256:
cb7212837f2c4226ca659f3ab42e4c4899b9c082292b8eba58c93bf5c4c2d9a6

Scanner detections:
7 / 68

Status:
Potentially unwanted

Analysis date:
11/16/2024 3:30:51 PM UTC

Scan engine           | Detection                        | Engine version
Lavasoft Ad-Aware     | Gen:Trojan.Heur.KR1@reWb1KfQ     | 665
Bitdefender           | Gen:Trojan.Heur.KR1@reWb1KfQ     | 1.0.20.500
Emsisoft Anti-Malware | Gen:Trojan.Heur.KR1@reWb1KfQ     | 8.15.04.10.10
F-Secure              | Gen:Trojan.Heur.KR1@reWb1KfQ     | 11.2015-10-04_6
G Data                | Gen:Trojan.Heur.KR1@reWb1KfQ     | 15.4.25
MicroWorld eScan      | Gen:Trojan.Heur.KR1@reWb1KfQ     | 16.0.0.300
Reason Heuristics     | PUP.HefeiHejunzhengceInfoTechCo (M) | 15.7.24.22

File size:
3.6 MB (3,751,000 bytes)

Product version:
1.7.9.3

Copyright:
Hefei Hejunzhengce Info Tech Co., Ltd.

Original file name:
Windows Font Cache Service

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\windows fontcache\r1\fontcache.exe

Digital Signature
Authority:
WoSign CA Limited

Valid from:
3/5/2015 9:35:27 PM

Valid to:
12/29/2016 9:35:27 PM

Subject:
CN="Hefei Hejunzhengce Info Tech Co., Ltd.", O="Hefei Hejunzhengce Info Tech Co., Ltd.", L=Hefei, S=Anhui, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
3312D0B8D4D7941DF85AA59F134E7719

File PE Metadata
Compilation timestamp:
4/7/2015 2:41:39 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

CTPH (ssdeep):
49152:6Ee1RXcSQRCi7zACIHsKth9yF3ZSaPDCdgMRH3AWrTrTTvgI9DpS9k7:6Ee4os/dDCdgMOUQC

Entry address:
0x311E44

Entry point:
55, 8B, EC, 83, C4, F0, 53, B8, 0C, 38, 70, 00, E8, 0F, A3, CF, FF, A1, 34, 0C, 72, 00, 8B, 00, 80, 78, 38, 00, 74, 10, A1, 34, 0C, 72, 00, 8B, 00, E8, 56, 25, E2, FF, 84, C0, 74, 0C, A1, 34, 0C, 72, 00, 8B, 00, 8B, 10, FF, 52, 44, 8B, 0D, 18, 08, 72, 00, A1, 34, 0C, 72, 00, 8B, 00, 8B, 15, E0, 32, 70, 00, 8B, 18, FF, 53, 40, A1, 34, 0C, 72, 00, 8B, 00, 8B, 10, FF, 52, 48, 5B, E8, AC, 58, CF, FF, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00...

Entropy:
6.6498

Developed / compiled with:
Microsoft Visual C++

Code size:
3.1 MB (3,214,336 bytes)

Service
Display name:
Windows Font Cache Service (R1)

Service name:
FontCache_R1

Description:
Optimizes performance of applications by caching commonly used font data. Applications will start this service if it is not already running. It can be disabled, though doing so will degrade applicatio

Type:
Win32OwnProcess, InteractiveProcess


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to 8a.eb.6132.ip4.static.sl-reverse.com  (50.97.235.138:80)
