arrow_back
search
close

TrojanSpy.MSIL.ANGRYSTEALER.THHBHBD

September 06, 2024
 Analysis by: John Rainier Navato
 ALIASES:

PWS:MSIL/Stealgen.GA!MTB (MICROSOFT)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Trojan Spy

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware


This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

9,163,776 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

28 Aug 2024

Payload:

Drops files, Connects to URLs/IPs, Steals information

Arrival Details

This Trojan Spy arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan Spy creates the following folders:

  • %AppDataLocal%\44_23
  • %AppDataLocal%\44_23\Browsers
  • %AppDataLocal%\44_23\Browsers\360Browser
  • %AppDataLocal%\44_23\Browsers\7Star
  • %AppDataLocal%\44_23\Browsers\Amigo
  • %AppDataLocal%\44_23\Browsers\BlackHaw
  • %AppDataLocal%\44_23\Browsers\BraveSoftware
  • %AppDataLocal%\44_23\Browsers\CatalinaGroup
  • %AppDataLocal%\44_23\Browsers\CentBrowser
  • %AppDataLocal%\44_23\Browsers\Chedot
  • %AppDataLocal%\44_23\Browsers\Chromium
  • %AppDataLocal%\44_23\Browsers\Chromodo
  • %AppDataLocal%\44_23\Browsers\CocCoc
  • %AppDataLocal%\44_23\Browsers\Comodo
  • %AppDataLocal%\44_23\Browsers\Coowon
  • %AppDataLocal%\44_23\Browsers\Cyberfox
  • %AppDataLocal%\44_23\Browsers\Edge
  • %AppDataLocal%\44_23\Browsers\Elements Browser
  • %AppDataLocal%\44_23\Browsers\Epic Privacy Browser
  • %AppDataLocal%\44_23\Browsers\Fenrir Inc
  • %AppDataLocal%\44_23\Browsers\Firefox
  • %AppDataLocal%\44_23\Browsers\Google
  • %AppDataLocal%\44_23\Browsers\Google(x86)
  • %AppDataLocal%\44_23\Browsers\IceDragon
  • %AppDataLocal%\44_23\Browsers\Iridium
  • %AppDataLocal%\44_23\Browsers\K-Meleon
  • %AppDataLocal%\44_23\Browsers\K-Melon
  • %AppDataLocal%\44_23\Browsers\Kometa
  • %AppDataLocal%\44_23\Browsers\liebao
  • %AppDataLocal%\44_23\Browsers\Mail.Ru
  • %AppDataLocal%\44_23\Browsers\MapleStudio
  • %AppDataLocal%\44_23\Browsers\Maxthon3
  • %AppDataLocal%\44_23\Browsers\Nichrome
  • %AppDataLocal%\44_23\Browsers\Opera
  • %AppDataLocal%\44_23\Browsers\Orbitum
  • %AppDataLocal%\44_23\Browsers\Pale Moon
  • %AppDataLocal%\44_23\Browsers\QIP Surf
  • %AppDataLocal%\44_23\Browsers\Sputnik
  • %AppDataLocal%\44_23\Browsers\Thunderbird
  • %AppDataLocal%\44_23\Browsers\Torch
  • %AppDataLocal%\44_23\Browsers\uCozMedia
  • %AppDataLocal%\44_23\Browsers\Uran
  • %AppDataLocal%\44_23\Browsers\Vivaldi
  • %AppDataLocal%\44_23\Browsers\Waterfox
  • %AppDataLocal%\44_23\Browsers\Yandex
  • %AppDataLocal%\44_23\Files
  • %AppDataLocal%\44_23\Files\{Folders Copied From %Desktop%}
  • %AppDataLocal%\44_23\Files\{Folders Copied From %User Profile%\Documents}
  • %AppDataLocal%\44_23\Files\{Folders Copied From %User Profile%\source}
  • %AppDataLocal%\44_23\Wallets
  • %AppDataLocal%\44_23\Wallets\Armory
  • %AppDataLocal%\44_23\Wallets\Atomic\Local Storage\leveldb\
  • %AppDataLocal%\44_23\Wallets\Bitcoin Core
  • %AppDataLocal%\44_23\Wallets\Bytecoin
  • %AppDataLocal%\44_23\Wallets\Dash Core
  • %AppDataLocal%\44_23\Wallets\Electrum
  • %AppDataLocal%\44_23\Wallets\Ethereum
  • %AppDataLocal%\44_23\Wallets\Exodus
  • %AppDataLocal%\44_23\Wallets\Jaxx\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
  • %AppDataLocal%\44_23\Wallets\Litecoin Core
  • %AppDataLocal%\44_23\Wallets\Monero
  • %AppDataLocal%\44_23\Wallets\Zcash
  • %AppDataLocal%\44_23\VPN
  • %AppDataLocal%\44_23\VPN\Proton VPN
  • %AppDataLocal%\44_23\VPN\OpenVPN
  • %AppDataLocal%\44_23\VPN\NordVPN
  • %AppDataLocal%\44_23\Steam
  • %AppDataLocal%\44_23\Steam\ssnf
  • %AppDataLocal%\44_23\Steam\configs
  • %AppDataLocal%\44_23\Discord
  • %AppDataLocal%\44_23\Discord\{Folders from %Application Data%\Discord\Local Storage\leveldb}
  • %AppDataLocal%\44_23\Discord\{Folders from %Application Data%\Discord PTB\Local Storage\leveldb}
  • %AppDataLocal%\44_23\Discord\{Folders from %Application Data%\Discord Canary\leveldb}
  • %User Temp%leveldb → copy of Discord's leveldb folder, deleted afterwards
  • %AppDataLocal%\44_23\FileZilla
  • %AppDataLocal%\44_23\Telegram\{Folders from Telegram's tdata path}
  • %AppDataLocal%\44_23\VimeWorld
  • %AppDataLocal%\44_23\Browsers\New_Passwords
  • %AppDataLocal%\44_23\Browsers\New_Cookies

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Dropping Routine

This Trojan Spy drops the following files wherein it saves the information it gathers:

  • %AppDataLocal%\44_23\Browsers\{Browser Name}\CreditCards.txt
  • %AppDataLocal%\44_23\Browsers\{Browser Name}\Passwords.txt
  • %AppDataLocal%\44_23\Browsers\{Browser Name}\Autofill.txt
  • %AppDataLocal%\44_23\Browsers\{Browser Name}Bookmarks.txt
  • %AppDataLocal%\44_23\Browsers\Cookies_{Browser Name}{Random Number}.txt
  • %AppDataLocal%\44_23\Passwords.txt
  • %AppDataLocal%\44_23\Files\{Folders Copied From %Desktop%}\{.txt Files Copied From %Desktop%}
  • %AppDataLocal%\44_23\Files\{Folders Copied From %User Profile%\Documents}\{.txt Files Copied From %User Profile%\Documents}
  • %AppDataLocal%\44_23\Files\{Folders Copied From %User Profile%\source}\{.txt Files Copied From %User Profile%\source}
  • %AppDataLocal%\44_23\Wallets\Armory\{Files Copied from}
  • %AppDataLocal%\44_23\Wallets\Atomic\Local Storage\leveldb\{Files Copied from %AppData%\atomic\Local Storage\leveldb
  • %AppDataLocal%\44_23\Bitcoin Core\wallet.dat
  • %AppDataLocal%\44_23\Bytecoin\{.wallet Files Copied from %AppData%\bytecoin}
  • %AppDataLocal%\44_23\Dash Core\wallet.dat
  • %AppDataLocal%\44_23\Wallets\Electrum\{Files Copied from %AppData%\Electrum\wallets}
  • %AppDataLocal%\44_23\Wallets\Ethereum\{Files Copied from %AppData%\Ethereum\keystore}
  • %AppDataLocal%\44_23\Wallets\Exodus\{Files Copied from %AppData%\Exodus\exodus.wallet}
  • %AppDataLocal%\44_23\Wallets\Jaxx\{Files Copied from %AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\}
  • %AppDataLocal%\44_23\Litecoin Core\wallet.dat
  • %AppDataLocal%\44_23\Wallets\Monero\{stolen information file}
  • %AppDataLocal%\44_23\Wallets\Zcash\{Files Copied from %AppData%\Zcash}
  • %AppDataLocal%\44_23\Screen.png
  • %AppDataLocal%\44_23\Process.txt
  • %AppDataLocal%\44_23\Information.txt
  • %AppDataLocal%\44_23\VPN\Proton VPN\{Path to %AppDataLocal%ProtonVPN where user.config is found}\user.config
  • %AppDataLocal%\44_23\VPN\OpenVPN\{OVPN File Name}.ovpn
  • %AppDataLocal%\44_23\VPN\NordVPN\accounts.txt
  • %AppDataLocal%\44_23\Steam\AccountsList.txt
  • %AppDataLocal%\44_23\Steam\Games.txt
  • %AppDataLocal%\44_23\Steam\ssnf\{Steam ssnf Files}
  • %AppDataLocal%\44_23\Steam\configs\{Steam vdf Files}
  • %AppDataLocal%\44_23\Discord\Tokens.txt
  • %AppDataLocal%\44_23\Discord\{Folders and Files from %Application Data%\Discord\Local Storage\leveldb}
  • %AppDataLocal%\44_23\Discord\{Folders and Files from %Application Data%\Discord PTB\Local Storage\leveldb}
  • %AppDataLocal%\44_23\Discord\{Folders and Files from %Application Data%\Discord Canary\leveldb}
  • %User Temp%\leveldb\{Files From Discord's leveldb Folder} → deleted afterwards
  • %AppDataLocal%\44_23\FileZilla\FileZilla.log
  • %AppDataLocal%\44_23\Telegram\{Folders and Files from Telegram's tdata path}
  • %AppDataLocal%\44_23\VimeWorld\[{VimeWorld Rank}]{VimeWorld Level}{VimeWorld Username}
  • %AppDataLocal%\44_23\Browsers\New_Passwords\Chrome Passwords.txt
  • %AppDataLocal%\44_23\Browsers\New_Cookies\Chrome Cookies.txt
  • %AppDataLocal%\{Country Code}[{Date and Time When the Zip File is Created}]-{IP Address of Affected Machine}-{Username}.zip → contains all stolen information

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Desktop% is the current user's desktop, which is usually C:\Documents and Settings\{User Name}\Desktop on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\Desktop on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name} on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Roaming on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

Information Theft

This Trojan Spy gathers the following data:

  • Browser data (such as Credit Card Information, Username, Passwords, Website Cookies, and Bookmarks) from the following browsers:
    • 360 Browser
    • 7Star
    • Amigo
    • Atom
    • BlackHawk
    • Brave-Browser
    • CentBrowser
    • Chedot
    • ChromePlus
    • Chromium
    • Chromodo
    • Citrio
    • CocCoc
    • Comodo Dragon
    • Comodo IceDragon
    • Coowon
    • Cyberfox
    • Elements Browser
    • Epic Privacy Browser
    • Firefox
    • Google Chrome
    • Iridium
    • K-Meleon
    • K-Melon
    • Kometa
    • Liebao
    • Maxthon3
    • Microsoft Edge
    • Nichrome
    • Opera
    • Opera GX
    • Orbitum
    • Pale Moon
    • QIP Surf
    • Sleipnir5
    • Sputnik
    • Thunderbird
    • Torch
    • Uran
    • Vivaldi
    • Waterfox
    • Yandex Browser
  • Cryptocurrency wallet data from the following applications:
    • Armory
    • Atomic Wallet
    • Bitcoin Core
    • Bytecoin
    • Dash Core
    • Electrum
    • Ethereum
    • Exodus
    • Jaxx
    • Litecoin Core
    • Monero
    • Zcash
  • Configuration files from the following VPN applications:
    • NordVPN
    • OpenVPN
    • Proton VPN
  • Online account information:
    • Discord
      • Files in Discord leveldb folders
      • Tokens
    • Steam
      • Account Names
      • Configuration Files
      • Games Acquired
      • SSNF Files
    • Telegram
      • Keys
      • Session Directories
      • Settings Files
      • User Data
      • User Tags
    • VimeWorld
      • Configuration File (contains username, passwords, rank, level, etc.)
      • OSSUID
  • Credentials for FileZilla:
    • Host
    • Port
    • Username
    • Password
  • System Information:
    • Basic Service Set Identifier
    • Clipboard Content
    • Computername
    • Country
    • CPU ID
    • CPU Name
    • Current Date and Time
    • Geolocation
    • GPU Name
    • IP Address
    • List of Running Processes
    • Log Date
    • Malware Current Working Directory
    • Operating System
    • Screen Resolution
    • Screenshot of Affected Machine
    • Total RAM
    • Username

Stolen Information

This Trojan Spy sends the gathered information via HTTP POST to the following URL:

  • https://{BLOCKED}egram.org/bot7111654667:AAFkYkvnCsb8YVJsK4iKBRAyyQO9vyaJa7U/sendDocument?chat_id=1435200072&caption=\n{Contents of Log}

Other Details

This Trojan Spy does the following:

  • It copies .txt files from %Desktop%, %User Profile%\Documents, and %User Profile%\source that does not exceed 5000 bytes to %AppDataLocal%\44_23\Files while the folder does not exceed 25000 bytes.
  • It connects to the following URL to identify the affected machine's geolocation:
    • http://{BLOCKED}i.com/xml/
  • It connects to the following URL to retrieve online account information:
    • https://{BLOCKED}ommunity.com/profiles/{Steam Username}
    • https://{BLOCKED}eworld.ru/user/name/{VimeWorld Username}

  SOLUTION

Minimum Scan Engine:

9.800

FIRST VSAPI PATTERN FILE:

19.556.04

FIRST VSAPI PATTERN DATE:

28 Aug 2024

VSAPI OPR PATTERN File:

19.557.00

VSAPI OPR PATTERN Date:

29 Aug 2024

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

     
    • PWS:MSIL/Stealgen.GA!MTB

Step 2

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Search and delete these files

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %AppDataLocal%\44_23\Browsers\{Browser Name}\CreditCards.txt
  • %AppDataLocal%\44_23\Browsers\{Browser Name}\Passwords.txt
  • %AppDataLocal%\44_23\Browsers\{Browser Name}\Autofill.txt
  • %AppDataLocal%\44_23\Browsers\{Browser Name}Bookmarks.txt
  • %AppDataLocal%\44_23\Browsers\Cookies_{Browser Name}{Random Number}.txt
  • %AppDataLocal%\44_23\Passwords.txt
  • %AppDataLocal%\44_23\Files\{Folders Copied From %Desktop%}\{.txt Files Copied From %Desktop%}
  • %AppDataLocal%\44_23\Files\{Folders Copied From %User Profile%\Documents}\{.txt Files Copied From %User Profile%\Documents}
  • %AppDataLocal%\44_23\Files\{Folders Copied From %User Profile%\source}\{.txt Files Copied From %User Profile%\source}
  • %AppDataLocal%\44_23\Wallets\Armory\{Files Copied from}
  • %AppDataLocal%\44_23\Wallets\Atomic\Local Storage\leveldb\{Files Copied from %AppData%\atomic\Local Storage\leveldb
  • %AppDataLocal%\44_23\Bitcoin Core\wallet.dat
  • %AppDataLocal%\44_23\Bytecoin\{.wallet Files Copied from %AppData%\bytecoin}
  • %AppDataLocal%\44_23\Dash Core\wallet.dat
  • %AppDataLocal%\44_23\Wallets\Electrum\{Files Copied from %AppData%\Electrum\wallets}
  • %AppDataLocal%\44_23\Wallets\Ethereum\{Files Copied from %AppData%\Ethereum\keystore}
  • %AppDataLocal%\44_23\Wallets\Exodus\{Files Copied from %AppData%\Exodus\exodus.wallet}
  • %AppDataLocal%\44_23\Wallets\Jaxx\{Files Copied from %AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\}
  • %AppDataLocal%\44_23\Litecoin Core\wallet.dat
  • %AppDataLocal%\44_23\Wallets\Monero\{stolen information file}
  • %AppDataLocal%\44_23\Wallets\Zcash\{Files Copied from %AppData%\Zcash}
  • %AppDataLocal%\44_23\Screen.png
  • %AppDataLocal%\44_23\Process.txt
  • %AppDataLocal%\44_23\Information.txt
  • %AppDataLocal%\44_23\VPN\Proton VPN\{Path to %AppDataLocal%ProtonVPN where user.config is found}\user.config
  • %AppDataLocal%\44_23\VPN\OpenVPN\{OVPN File Name}.ovpn
  • %AppDataLocal%\44_23\VPN\NordVPN\accounts.txt
  • %AppDataLocal%\44_23\Steam\AccountsList.txt
  • %AppDataLocal%\44_23\Steam\Games.txt
  • %AppDataLocal%\44_23\Steam\ssnf\{Steam ssnf Files}
  • %AppDataLocal%\44_23\Steam\configs\{Steam vdf Files}
  • %AppDataLocal%\44_23\Discord\Tokens.txt
  • %AppDataLocal%\44_23\Discord\{Folders and Files from %Application Data%\Discord\Local Storage\leveldb}
  • %AppDataLocal%\44_23\Discord\{Folders and Files from %Application Data%\Discord PTB\Local Storage\leveldb}
  • %AppDataLocal%\44_23\Discord\{Folders and Files from %Application Data%\Discord Canary\leveldb}
  • %User Temp%\leveldb\{Files From Discord's leveldb Folder}
  • %AppDataLocal%\44_23\FileZilla\FileZilla.log
  • %AppDataLocal%\44_23\Telegram\{Folders and Files from Telegram's tdata path}
  • %AppDataLocal%\44_23\VimeWorld\[{VimeWorld Rank}]{VimeWorld Level}{VimeWorld Username}
  • %AppDataLocal%\44_23\Browsers\New_Passwords\Chrome Passwords.txt
  • %AppDataLocal%\44_23\Browsers\New_Cookies\Chrome Cookies.txt
  • %AppDataLocal%\{Country Code}[{Date and Time When the Zip File is Created}]-{IP Address of Affected Machine}-{Username}.zip

Step 5

Search and delete these folders

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %AppDataLocal%\44_23\Browsers\360Browser
  • %AppDataLocal%\44_23\Browsers\7Star
  • %AppDataLocal%\44_23\Browsers\Amigo
  • %AppDataLocal%\44_23\Browsers\BlackHaw
  • %AppDataLocal%\44_23\Browsers\BraveSoftware
  • %AppDataLocal%\44_23\Browsers\CatalinaGroup
  • %AppDataLocal%\44_23\Browsers\CentBrowser
  • %AppDataLocal%\44_23\Browsers\Chedot
  • %AppDataLocal%\44_23\Browsers\Chromium
  • %AppDataLocal%\44_23\Browsers\Chromodo
  • %AppDataLocal%\44_23\Browsers\CocCoc
  • %AppDataLocal%\44_23\Browsers\Comodo
  • %AppDataLocal%\44_23\Browsers\Coowon
  • %AppDataLocal%\44_23\Browsers\Cyberfox
  • %AppDataLocal%\44_23\Browsers\Edge
  • %AppDataLocal%\44_23\Browsers\Elements Browser
  • %AppDataLocal%\44_23\Browsers\Epic Privacy Browser
  • %AppDataLocal%\44_23\Browsers\Fenrir Inc
  • %AppDataLocal%\44_23\Browsers\Firefox
  • %AppDataLocal%\44_23\Browsers\Google
  • %AppDataLocal%\44_23\Browsers\Google(x86)
  • %AppDataLocal%\44_23\Browsers\IceDragon
  • %AppDataLocal%\44_23\Browsers\Iridium
  • %AppDataLocal%\44_23\Browsers\K-Meleon
  • %AppDataLocal%\44_23\Browsers\K-Melon
  • %AppDataLocal%\44_23\Browsers\Kometa
  • %AppDataLocal%\44_23\Browsers\liebao
  • %AppDataLocal%\44_23\Browsers\Mail.Ru
  • %AppDataLocal%\44_23\Browsers\MapleStudio
  • %AppDataLocal%\44_23\Browsers\Maxthon3
  • %AppDataLocal%\44_23\Browsers\Nichrome
  • %AppDataLocal%\44_23\Browsers\Opera
  • %AppDataLocal%\44_23\Browsers\Orbitum
  • %AppDataLocal%\44_23\Browsers\Pale Moon
  • %AppDataLocal%\44_23\Browsers\QIP Surf
  • %AppDataLocal%\44_23\Browsers\Sputnik
  • %AppDataLocal%\44_23\Browsers\Thunderbird
  • %AppDataLocal%\44_23\Browsers\Torch
  • %AppDataLocal%\44_23\Browsers\uCozMedia
  • %AppDataLocal%\44_23\Browsers\Uran
  • %AppDataLocal%\44_23\Browsers\Vivaldi
  • %AppDataLocal%\44_23\Browsers\Waterfox
  • %AppDataLocal%\44_23\Browsers\Yandex
  • %AppDataLocal%\44_23\Browsers\New_Cookies
  • %AppDataLocal%\44_23\Browsers\New_Passwords
  • %AppDataLocal%\44_23\Browsers
  • %AppDataLocal%\44_23\Files\{Folders Copied From %Desktop%}
  • %AppDataLocal%\44_23\Files\{Folders Copied From %User Profile%\Documents}
  • %AppDataLocal%\44_23\Files\{Folders Copied From %User Profile%\source}
  • %AppDataLocal%\44_23\Files
  • %AppDataLocal%\44_23\Wallets\Armory
  • %AppDataLocal%\44_23\Wallets\Atomic
  • %AppDataLocal%\44_23\Wallets\Bitcoin Core
  • %AppDataLocal%\44_23\Wallets\Bytecoin
  • %AppDataLocal%\44_23\Wallets\Dash Core
  • %AppDataLocal%\44_23\Wallets\Electrum
  • %AppDataLocal%\44_23\Wallets\Ethereum
  • %AppDataLocal%\44_23\Wallets\Exodus
  • %AppDataLocal%\44_23\Wallets\Jaxx
  • %AppDataLocal%\44_23\Wallets\Litecoin Core
  • %AppDataLocal%\44_23\Wallets\Monero
  • %AppDataLocal%\44_23\Wallets\Zcash
  • %AppDataLocal%\44_23\Wallets
  • %AppDataLocal%\44_23\VPN\Proton VPN
  • %AppDataLocal%\44_23\VPN\OpenVPN
  • %AppDataLocal%\44_23\VPN\NordVPN
  • %AppDataLocal%\44_23\VPN
  • %AppDataLocal%\44_23\Steam\ssnf
  • %AppDataLocal%\44_23\Steam\configs
  • %AppDataLocal%\44_23\Steam
  • %AppDataLocal%\44_23\Discord\{Folders from %Application Data%\Discord\Local Storage\leveldb}
  • %AppDataLocal%\44_23\Discord\{Folders from %Application Data%\Discord PTB\Local Storage\leveldb}
  • %AppDataLocal%\44_23\Discord\{Folders from %Application Data%\Discord Canary\leveldb}
  • %AppDataLocal%\44_23\Discord
  • %AppDataLocal%\44_23\FileZilla
  • %AppDataLocal%\44_23\Telegram\{Folders from Telegram's tdata path}
  • %AppDataLocal%\44_23\Telegram
  • %AppDataLocal%\44_23\VimeWorld
  • %AppDataLocal%\44_23
  • %User Temp%\leveldb

Step 6

Scan your computer with your Trend Micro product to delete files detected as TrojanSpy.MSIL.ANGRYSTEALER.THHBHBD. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:


Did this description help? Tell us how we did.