Trojan.Downloader.Gen.HG
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Popularity Rank: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Popularity Rank: | 3,754 |
| Threat Level: | 80 % (High) |
| Infected Computers: | 65 |
| First Seen: | December 28, 2025 |
| Last Seen: | May 11, 2026 |
| OS(es) Affected: | Windows |
Table of Contents
Analysis Report
General information
| Family Name: | Trojan.Downloader.Gen.HG |
|---|---|
| Signature status: | Hash Mismatch |
Known Samples
Known Samples
This section lists other file samples believed to be associated with this family.|
MD5:
799261f351ad5509ea5c697dbfd8d7a0
SHA1:
2e2dcf5d0bce72e43c79661305f8123c3e3f21c9
SHA256:
878BEF133F8E872FDE2F30115BA790A1E25C7058579C208604B7701F6F78FB55
File Size:
1.98 MB, 1977928 bytes
|
|
MD5:
c3c5a6c6c2cd76f378c16b4c9c309d1b
SHA1:
af3172cdbc0b470bb2b63be2da1c613bfd607c23
SHA256:
0060EBB74C668FC14787D716E79AFB4E87882ECCA27D8DA3B4A90B3ABF888E1C
File Size:
1.08 MB, 1075712 bytes
|
|
MD5:
d7874429991b974063abbaeb474ca3f5
SHA1:
e24caf8365b08cab863d20a9963f1bfe3a2e5ae0
SHA256:
389A65491900049E9AD1FD0658264ED3B83E7DBE7674660D85F12FEAD5616251
File Size:
1.04 MB, 1037544 bytes
|
|
MD5:
6a27f2cb3554c4c98464e671dda71827
SHA1:
b1c6976d8869ce600b35e804faf51b848c405c82
SHA256:
5E1D117056AF8B79F5ADB765C15A8AEBED36895F9ECF0F04B9059DB99C6057B0
File Size:
661.59 KB, 661592 bytes
|
|
MD5:
b5b947b8cef21c4256ce15f8484f66fb
SHA1:
98126b243ddf240d40e0bca74ff4b017d7418e61
SHA256:
64C7D3F74BDD4A5FF6DE7A4F42796AFF48B6F682E4B1B221F91DB08971DB35B1
File Size:
189.43 KB, 189432 bytes
|
Show More
|
MD5:
bb9ebfe6045577d35ec0d592ec8e262f
SHA1:
68dad1709f2319299c4fcc058c297819582fdcdf
SHA256:
86CE0BAD00A31C8B7B64E8CB07CA8A49BBA4FC02D339E04EB3BA61A85EC6BF53
File Size:
192.62 KB, 192616 bytes
|
|
MD5:
48ec998d8ed44d2807df651445f871fc
SHA1:
1ffebf66f07d99a9cda2f4a7e4135e60ded8728b
SHA256:
DA3CC2D6E4B94029433BD49F261D1ED32080917BE962883F41B32CF8D20D4EB4
File Size:
1.24 MB, 1240576 bytes
|
|
MD5:
f5fe68622107c0004b50606acec98126
SHA1:
5620b07ce4f7adfbdd9fd0467bb08f3a7aa5f8a7
SHA256:
6DD5CBE269B14AAF3278C690A8FC810E447EFF6F1C88FCF00749F35561BD982F
File Size:
928.02 KB, 928016 bytes
|
|
MD5:
6d1134a67bdf89dce5e085328343ee31
SHA1:
df1b65541a8c13a146025d4d922ce01546e11fa4
SHA256:
8345FE3149F8C7C410AA62829C366C6E1856183C47909580C813D9A8C3F3B76C
File Size:
380.96 KB, 380960 bytes
|
|
MD5:
849eebd7dba6c52b505bff5dd03b2053
SHA1:
52e910f505c2472451c3c3ef280f2e96105e7dbf
SHA256:
3D504CD9EA40F6B9D263D7601958459B09FBAD71EA970F154ACD7C3856174389
File Size:
192.62 KB, 192616 bytes
|
|
MD5:
d8470dd2dd470ce0b4e339007d2b25df
SHA1:
5772b3aa01350a7d16972466c6616ce65da2d9e6
SHA256:
DECEBF47AA53DF4CD41CA9A0F81640F9748448A87795C3DE1FD4867C4CB31CBA
File Size:
2.29 MB, 2293248 bytes
|
|
MD5:
3b1ea24b172606052f4cef8b815014ae
SHA1:
65cb34e90f522d1241c1af5ca72c6308d47897ee
SHA256:
1CCBB89CDDF03DA9D465C7FC7AFD509213EC0FA82176B09886E32D4A4287CD02
File Size:
223.62 KB, 223624 bytes
|
|
MD5:
2a2dc7a44854798f295ef76e05cec868
SHA1:
a42e92dbde79c4b830512e7e6898d1576a316d72
SHA256:
FB1969686B5F42DABEBAB894A5DBBBC57DB8B1201EAF0AC5A9636263042AECD8
File Size:
775.26 KB, 775264 bytes
|
Windows Portable Executable Attributes
- File doesn't have "Rich" header
- File doesn't have debug information
- File doesn't have resources
- File doesn't have security information
- File has exports table
- File has TLS information
- File is 64-bit executable
- File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
- File is either console or GUI application
- File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
Show More
- File is Native application (NOT .NET application)
- File is not packed
- IMAGE_FILE_DLL is not set inside PE header (Executable)
- IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)
Windows PE Version Information
Windows PE Version Information
This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.| Name | Value |
|---|---|
| Comments |
|
| Company Name |
|
| Division Name | Natural Language Group |
| File Description |
|
| File Version |
Show More
|
| Internal Name |
|
| Legal Copyright |
|
| Legal Trademarks1 | Microsoft® is a registered trademark of Microsoft Corporation. |
| Legal Trademarks2 | Windows® is a registered trademark of Microsoft Corporation. |
| License | https://curl.se/docs/copyright.html |
| Original Filename |
|
| Product Name |
|
| Product Version |
Show More
|
Digital Signatures
Digital Signatures
This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.| Signer | Root | Status |
|---|---|---|
| Tim Kosse | AAA Certificate Services | Hash Mismatch |
| Tenorshare Co., Ltd. | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| Wondershare Technology Group Co.,Ltd | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Hash Mismatch |
| Tenorshare Co., Ltd. | DigiCert Trusted Root G4 | Hash Mismatch |
| Wondershare Technology Group Co.,Ltd | DigiCert Trusted Root G4 | Hash Mismatch |
Show More
| Microsoft Corporation | Microsoft Code Signing PCA | Hash Mismatch |
| Microsoft 3rd Party Application Component | Microsoft Code Signing PCA 2011 | Hash Mismatch |
| Microsoft Corporation | Microsoft Code Signing PCA 2011 | Hash Mismatch |
| Microsoft Windows Software Compatibility Publisher | Microsoft Windows Third Party Component CA 2013 | Hash Mismatch |
| LWKS Software Ltd. | Sectigo Public Code Signing Root R46 | Hash Mismatch |
File Traits
- 2+ executable sections
- dll
- ntdll
- x64
Block Information
Block Information
During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.| Total Blocks: | 2,645 |
|---|---|
| Potentially Malicious Blocks: | 2 |
| Whitelisted Blocks: | 1,359 |
| Unknown Blocks: | 1,284 |
Visual Map
?
?
0
0
0
0
?
?
0
0
?
?
0
0
0
?
?
0
0
0
0
?
?
?
?
?
0
0
0
0
?
?
?
?
?
?
?
0
0
0
?
0
0
?
?
0
0
?
?
0
0
?
0
0
?
0
?
0
0
0
0
0
?
?
?
?
?
?
?
?
?
?
?
0
0
?
0
0
0
0
0
0
0
0
?
?
0
?
?
0
0
0
?
?
?
?
?
?
0
0
0
?
0
0
0
0
?
?
0
0
?
0
?
0
?
?
?
?
?
?
?
?
?
0
?
0
?
0
?
0
?
?
?
?
?
?
0
0
0
0
0
0
0
0
0
0
?
0
0
0
?
?
?
?
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
?
?
?
0
0
0
0
0
0
0
0
0
0
?
?
?
?
0
0
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
?
?
?
?
?
?
?
?
?
0
x
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
0
0
0
0
0
0
0
0
0
0
?
?
0
?
?
?
0
?
?
?
0
0
0
0
0
0
?
0
?
0
?
0
?
0
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
0
0
0
0
?
?
?
?
?
?
?
?
0
?
0
0
0
0
0
0
0
0
0
0
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
0
?
?
0
0
0
0
?
0
?
0
?
0
?
0
0
0
0
0
0
0
?
0
0
0
?
0
0
0
?
0
?
0
0
0
0
0
?
0
0
0
0
?
?
?
?
?
?
?
?
?
?
0
0
0
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
0
0
0
0
0
0
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
?
0
0
0
?
?
?
?
?
0
0
0
0
0
0
0
0
?
?
?
?
?
?
?
?
0
0
?
?
?
?
?
0
?
?
0
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
?
?
0
0
?
?
?
?
0
?
?
?
?
0
?
?
?
0
?
?
?
0
?
?
?
?
?
?
?
0
?
?
?
0
?
?
0
?
0
0
?
?
?
0
?
0
?
?
0
0
?
0
0
0
0
0
?
?
?
0
0
0
?
?
?
0
0
0
?
?
?
?
?
?
0
?
0
?
?
?
?
?
?
0
0
?
?
0
?
?
?
?
?
0
0
0
?
0
0
0
0
?
?
?
?
?
0
?
0
0
?
?
?
0
?
?
?
?
?
?
?
0
?
?
?
0
0
?
0
?
0
0
?
?
?
0
?
?
?
0
0
0
?
0
?
?
?
0
?
0
?
0
0
0
0
0
?
0
?
?
0
?
?
?
0
?
?
?
?
0
0
?
0
?
?
?
?
?
0
0
?
?
0
?
?
?
?
?
0
0
?
0
?
?
0
?
0
?
?
0
?
0
?
?
?
0
?
?
?
0
?
0
?
0
?
0
?
?
?
?
?
?
?
?
?
?
0
0
?
0
?
0
?
?
0
0
?
?
?
?
0
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
0
?
?
0
0
?
?
?
?
?
?
?
0
0
?
?
?
?
?
?
0
?
?
?
?
0
?
0
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
0
?
0
?
?
?
?
0
0
?
?
0
?
0
?
?
0
0
?
?
?
?
?
?
0
0
0
?
?
?
?
?
?
0
?
?
?
?
0
?
0
0
0
0
?
?
?
0
?
?
0
0
?
0
0
?
?
?
0
?
?
?
?
?
?
?
?
?
?
0
0
?
?
0
0
0
?
?
0
?
?
?
?
?
0
?
?
?
0
?
?
?
?
?
?
?
?
0
0
?
?
0
0
?
0
?
?
?
?
0
0
?
?
0
0
0
0
?
0
?
?
?
?
0
0
?
?
0
0
0
?
?
0
0
?
?
?
?
?
?
0
?
0
?
?
?
?
0
?
?
?
0
?
?
0
?
?
?
0
0
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
0
?
?
?
?
?
0
?
?
?
?
?
0
?
0
?
0
?
?
0
?
?
?
?
0
0
?
?
?
?
?
?
?
?
0
?
?
?
?
?
?
0
0
?
0
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
0
?
?
?
0
?
?
?
?
0
?
?
?
0
?
?
0
?
?
?
?
?
?
0
?
?
?
0
?
?
?
?
0
?
?
0
?
?
?
?
?
0
?
0
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
0
?
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
0
?
0
?
?
?
?
?
?
?
?
?
0
?
?
?
?
?
?
?
?
?
0
0
?
?
?
?
0
?
?
?
?
?
?
?
?
0
0
?
?
0
0
0
0
0
0
?
?
?
?
?
?
0
?
?
?
?
?
?
0
0
?
?
0
0
0
0
0
0
?
0
0
0
0
?
?
0
?
?
?
?
?
?
0
0
0
?
?
0
0
0
?
0
0
?
0
?
?
?
?
0
0
?
?
?
0
?
0
?
?
?
?
0
0
?
0
?
?
?
?
0
0
?
0
?
?
?
?
0
0
?
0
?
?
?
?
0
0
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
0
?
?
?
0
?
?
?
0
0
0
0
?
?
?
?
0
0
?
?
?
0
0
0
0
?
?
?
?
?
?
0
?
?
0
?
?
?
?
?
?
?
?
0
?
?
?
0
?
?
?
?
0
?
?
0
0
0
0
0
?
?
0
0
0
0
0
0
0
?
?
0
0
0
?
?
0
?
0
?
?
?
?
0
?
0
0
?
0
?
0
?
0
0
?
?
?
?
?
?
0
?
?
?
?
?
0
0
?
?
?
0
0
?
?
?
?
0
0
?
?
?
?
?
?
?
?
?
?
0
?
?
0
?
?
?
?
?
?
?
?
0
0
?
0
0
?
?
?
0
?
?
?
?
?
0
?
0
?
0
?
?
?
0
?
0
0
0
?
?
?
0
?
?
0
?
?
?
?
0
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
?
0
0
0
?
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
0
0
0
?
0
0
0
?
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
?
?
?
0
0
?
?
?
0
?
0
?
0
0
0
?
0
?
0
?
0
?
?
0
0
?
0
?
?
0
0
?
0
?
?
0
0
?
0
?
?
0
0
?
0
?
?
0
0
?
0
0
?
0
?
0
?
?
?
?
?
?
?
0
?
?
?
?
0
0
?
?
?
?
?
?
?
?
?
?
?
0
0
0
0
?
?
?
?
?
0
?
?
?
0
0
0
?
0
?
0
?
?
?
?
?
?
?
?
?
0
?
?
?
?
0
?
0
?
?
?
0
?
?
?
?
?
?
0
?
?
0
0
0
0
0
0
?
0
0
0
0
0
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
?
0
?
0
?
?
?
?
?
0
0
0
0
?
?
0
?
?
?
?
?
?
?
?
?
0
?
0
0
0
0
?
?
?
?
0
0
?
?
?
0
0
0
0
0
0
0
0
0
0
0
?
0
0
?
?
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
?
?
0
0
0
0
0
0
0
0
0
0
0
0
0
?
0
0
0
?
?
?
?
0
0
0
0
0
0
0
0
0
0
0
0
2
0
0
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
...
Data truncated
0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block
? - Unknown Block
x - Potentially Malicious Block
Similar Families
Similar Families
This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.- Malex.CB
- PSW.Agent.FGD
- Rugmi.GF
- Rugmi.PGA
- Trojan.Downloader.Gen.AC
Show More
- Trojan.Downloader.Gen.CB
- Trojan.Downloader.Gen.HG
- Trojan.Downloader.Gen.JK
- Trojan.Downloader.Gen.JN
Windows API Usage
Windows API Usage
This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.| Category | API |
|---|---|
| Syscall Use |
Show More
|
