HEUR.Malware.Dotfus.Generic

By CagedTech in HEUR Malware, Malware

Threat Scorecard

Popularity Rank:	7,817
Threat Level:	100 % (High)
Infected Computers:	1,479

First Seen:	May 23, 2024
Last Seen:	April 12, 2026
OS(es) Affected:	Windows

Table of Contents

Analysis Report

General information

Family Name:	HEUR.Malware.Dotfus.Generic
Signature status:	No Signature

Known Samples

MD5: 4169df45c5be27ebb297eab9a2161e57

SHA1: 51781f19f80ced926199e7b85449d8357b836ad6

SHA256: 0962129AEFCFFE1A3496000891FD539A063AF5B6058D99BAE7275262A6814593

File Size: 113.66 KB, 113664 bytes

MD5: d025d7f68f3545fdd6bce5bc4a51b1ca

SHA1: b13300c717fab8d0b521e6b34d8c6825a28cfb8e

SHA256: FCD6E0D94E6D950B28BA1C3EA7D29A3E0F09C53AD4D42D7339AA10D488D9B5DE

File Size: 458.75 KB, 458752 bytes

MD5: 0a8545d38503abacc845a38e18aeb8e4

SHA1: 8b4461b524117f2b58fa37b9317d8a986e070aee

SHA256: A833655D4410767B1B1088A181CE2DB79041E4B3CFE5DA5B71FAEB4309F67FD9

File Size: 5.66 MB, 5658112 bytes

MD5: 88dcdd51e19cea655bf9ec964385d3b1

SHA1: 1f986a4a173799abcbb4dd2335ca5e1012de8c6a

SHA256: 55155F74F37B35F617B00AA11AB6896F54D63BD416D9DE1950D272454A2CD477

File Size: 73.22 KB, 73216 bytes

MD5: ea0982e8d7e6387fcde2a75ae2eacb6f

SHA1: ed75f8a0189fd469c573718ed07fc6c880982d93

SHA256: 956265155E67E9FD63EA268D0B2C6E5B79B4E1D945349D83997001D8D8EBEFBC

File Size: 843.78 KB, 843776 bytes

MD5: 59ba37d8c87e5f21bb61fe5ae9c65b2b

SHA1: d2372dc978fa9ee138a129ebb7513abbca4c7c68

SHA256: A81BC900C79C51D0F24E689DC7381EB01AB0267FF52D74D7991CCE45FA69C90E

File Size: 509.44 KB, 509440 bytes

MD5: 78cfe0f9e0d4b9dc4469567763d3c9c3

SHA1: 592b8168036ea33e0d194ca53061fd4721900661

SHA256: 5FAEBF230A54337E806324D16CAAE449EEC88D4BF881ACBE29BE6DB3CD4CBFF9

File Size: 7.17 KB, 7168 bytes

MD5: a11a9ec8f56a5cdb7b20e203788d4a05

SHA1: a0752a16c132e3492f8e6e0628f20d39a6d7f9fb

SHA256: A0395758F8A987180649E65939BF3D1EC8171A0E83096C4C348555C817CEA541

File Size: 7.17 KB, 7168 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have resources
File doesn't have security information
File is .NET application
File is 32-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)

File is not packed
IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Assembly Version	7.1.0.0 3.0.0.309 1.0.0.0
Comments	Wondershare Passport
Company Name	Wondershare
File Description	Easeware.Driver.Core Wondershare Passport
File Version	7.1.0.0 3.0.0.309 1.0.0.0
Internal Name	Easeware.Driver.Core.dll WsAppFoundation.dll
Legal Copyright	Copyright © 2025, Easeware. All right reserved. Copyright © Wondershare 2019
Original Filename	Easeware.Driver.Core.dll WsAppFoundation.dll
Product Name	Easeware.Driver.Core Wondershare App Framework
Product Version	7.1.0.0 3.0.0.309 1.0.0.0

File Traits

.NET
.sdata
dll
No Version Info
x86

Block Information

Total Blocks:	10
Potentially Malicious Blocks:	1
Whitelisted Blocks:	6
Unknown Blocks:	3

Visual Map

0 0 0 0 0 0 x ? ? ?

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File	Attributes
\device\namedpipe\gmdasllogger	Generic Write,Read Attributes
c:\windows\appcompat\programs\amcache.hve	Read Data,Read Control,Write Data
c:\windows\appcompat\programs\amcache.hve	Write Attributes
c:\windows\appcompat\programs\amcache.hve.log1	Read Data,Write Data
c:\windows\appcompat\programs\amcache.hve.log2	Read Data,Write Data

Registry Modifications

Key::Value	Data	API Name
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\software\microsoft\tip\aggregateresults::data	鐄ȴ 鲱摖픋˹耀뫹躧隞̃耀꧌йN	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\software\microsoft\tip\aggregateresults::data	隞̃紁耀꧌Тә	RegNtPreCreateKey

Windows API Usage

Category	API
User Data Access	GetComputerNameEx GetUserDefaultLocaleName GetUserObjectInformation
Anti Debug	IsDebuggerPresent
Process Shell Execute	CreateProcess
Encryption Used	BCryptOpenAlgorithmProvider
Process Manipulation Evasion	NtUnmapViewOfSection ReadProcessMemory
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAdjustPrivilegesToken ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcCreateSecurityContext ntdll.dll!NtAlpcDeleteSecurityContext ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket Show More ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateKey ntdll.dll!NtCreateMutant ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeleteValueKey ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtFsControlFile ntdll.dll!NtLoadKeyEx ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenSymbolicLinkObject ntdll.dll!NtOpenThread ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySymbolicLinkObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadFile ntdll.dll!NtReadRequestData ntdll.dll!NtReadVirtualMemory ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSetTimer2 ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtTraceEvent ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForMultipleObjects ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair 3 additional items are not displayed above.

Shell Command Execution


							C:\Windows\Microsoft.NET\Framework\v2.0.50727\\dw20.exe dw20.exe -x -s 844


							C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 772


							C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\dw20.exe dw20.exe -x -s 712

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

HEUR.Malware.Dotfus.Generic

Threat Scorecard

EnigmaSoft Threat Scorecard

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Trojan.Downloader.ConsCorr

Trojan.Vapsup

Trojan.Vundo.HM

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Pornktube.porn

Discord Shows Black Screen when Sharing Screen