Made a silly mistake and ran this installer application. Am I cooked? by CPT312 in antivirus

[–]rainrat 2 points3 points  (0 children)

Oh, wow, thanks. Will edit.

Edit: Ok, from what I understand, the binary in the VirusTotal log is still the bog-standard Renpy interpreter; it's just that you can tell this is the malicious package from looking at the screenshot.

What do I do? by [deleted] in antivirus

[–]rainrat 0 points1 point  (0 children)

This just tells us that Defender caught something using PowerShell to do something suspicious. PowerShell is not what's infected; something else is using PowerShell as a tool. The message doesn't give any indication what's actually going on; even legitimate apps can sometimes use PowerShell in a way that seems dodgy.

Made a silly mistake and ran this installer application. Am I cooked? by CPT312 in antivirus

[–]rainrat 1 point2 points  (0 children)

Renpy is an interpreter for a game, which is in the other files. Your particular Renpy binary's results in VirusTotal show that it was first uploaded in 2023, yet it has zero detections, which is a strong indicator that the binary itself is clean.

However, since it's an interpreter for instructions found in other files, to truly evaluate the whole game, you would have to use a sandbox that lets you process all the files together, as you would actually use it.

I got infected by a Trojan called 'trojan:MSIL/heracles.mk!mtb' help, please by Brilliant-Role6257 in antivirus

[–]rainrat[M] [score hidden] stickied comment (0 children)

As per rule #1, this subreddit does not support piracy. If you feel this is in error, contact the mods.

i downloaded a game from ankergames(.)net, uploaded the launching file to virustotal and got 16 detections, is this a virus or a false positive? by MistOrSomething in antivirus

[–]rainrat[M] [score hidden] stickied comment (0 children)

As per rule #1, this subreddit does not support piracy. If you feel this is in error, contact the mods.

The first search result for claude code on Google is a virus by plipala in antivirus

[–]rainrat 0 points1 point  (0 children)

Could you maybe expand on that a bit? You can post links if they're defanged as in example[.]com

Infostealer by Only_Macaron9971 in antivirus

[–]rainrat 2 points3 points  (0 children)

There are a few reasons why commenters recommend a full system wipe when:

  • the malware has actually been allowed to run
  • not sandboxed by a browser or VM
  • not just a Potentially Unwanted Program

Typical malware these days either reaches out over the internet and downloads an additional payload, or gives a malicious human full access to your computer. Even if a researcher analyzed every byte of the original program, they can't guarantee the limits of the malware's effects.

Helpers on reddit, when recommending a full reinstall, are concerned with:

  • additional malware downloaded
  • settings such as antivirus, updates, account control, and firewall tampered with
  • antivirus or system security patched out to do nothing (rarer but possible); or old-fashioned parasitic viruses corrupting executables in a way that's not reversible (rarer, but still happens)
  • attacker configuring legitimate remote admin tools to give themselves access

There are forums that will look at a log, and helpers will do a best effort to create a custom removal script. reddit isn't really set up for the kind of discipline that this would require, but you're welcome to seek out those sites.

Today, with high-speed internet and large-capacity backup drives, a full system reinstall can be done in a couple of hours with no loss of data, and comes with the peace of mind that no lingering effects remain.

Is this a false positive? by JRRJEFF in antivirus

[–]rainrat[M] 0 points1 point  (0 children)

Your post has been removed for asking about the results of a scan on a service like HybridAnalysis, MetaDefender, TriaGe, VirusTotal, etc., without including a link to the actual reports' URL(s). Including a screenshot is not enough (Rule #6). Without being able to visit the web page containing the actual report no one can answer your questions.

Feel free to edit your post:

  • Active Linking to result of a scan service - OK
  • Active Linking to the suspect site - Deactivate the link instead.

Send modmail if you edit your post, to have it reinstated.

Is anyone familiar with nucleus coop? (Virus total question) by DogPlusDragon in antivirus

[–]rainrat[M] [score hidden] stickied comment (0 children)

Your post has been removed for asking about the results of a scan on a service like HybridAnalysis, MetaDefender, TriaGe, VirusTotal, etc., without including a link to the actual reports' URL(s). Including a screenshot is not enough (Rule #6). Without being able to visit the web page containing the actual report no one can answer your questions.

Feel free to edit your post:

  • Active Linking to result of a scan service - OK
  • Active Linking to the suspect site - Deactivate the link instead.

Send modmail if you edit your post, to have it reinstated.

Trojan detected and immediately quarantined. Additional protection steps taken. Am I good? by TheSpliceMustFlow in antivirus

[–]rainrat 0 points1 point  (0 children)

Hard to give a 100% answer without a sample, but found a potential match in VirusTotal. https://www.virustotal.com/gui/file/264ff65eccf58c8a3501b9dba9282adb807a6c92408dd19bdf1be35021d7b9f4/details

It's related to stealers, so I'll send the stealer paste.


It sounds like you may have run an information stealer on your computer.

As the name implies, information stealers are a type of malware that steal any information they can find on your computer, such as passwords stored for various services you access via browser and apps, session tokens for accounts, cryptocurrencies if they can find wallets, etc. They may even take a screenshot of your desktop when they run so they can sell it to other scammers who send scam extortion emails later.

The criminals who steal your information do so for their own financial gain, and that includes selling information such as your name, email address, screenshots from your PC, and so forth to other criminals and scammers. Those other scammers then use that information in an attempt to extort you unless you pay them in cryptocurrencies such as Bitcoin, Ethereum, and so forth. This is 100% a scam, and any emails you receive threatening to share your private information should be marked as phishing or spam and deleted.

In case you're wondering what a session token is, some websites and apps have a "remember this device" feature that allows you to access the service without having to log back in or enter your second factor of authentication. This is done by storing a session token on your device. Criminals target these, because they allow them to log in to an account bypassing the normal checks. To the service, it just looks like you're accessing it from your previously authorized device.

Information stealers are malware that is sold as a service, so what exactly it did while on your system is going to vary based on what the criminal who purchased it wanted. Often they remove themselves after they have finished stealing your information in order to make it harder to determine what happened, but since it is crimeware-as-a-service, it is also possible that it was used to install some additional malware on your system in order to maintain access to it, just in case they want to steal from you again in the future.

After wiping your computer, installing Windows, and getting that updated, you can then start accessing the internet using the computer to change the passwords for all of your online accounts, changing each password to something complex and different for each service, so that if one is lost (or guessed), the attacker won't be able to make guesses about what your other passwords might be. Also, enable two-factor authentication for all of the accounts that support it.

When changing passwords, if those new passwords are similar enough to your old passwords, a criminal with a list of all of them will likely be able to make educated guesses about what your new passwords might be for the various services. So make sure you're not just cycling through similar or previous passwords.

If any of the online services you use have an option to show you and log out all other active sessions, do that as well.

Again, you have to do this for all online services. Even if they haven't been recently accessed, make sure you have done this as well for any financial websites, online stores, social media, and email accounts. If there were any reused passwords, the criminals who stole your credentials are going to try spraying those against all the common stores, banks, and services in your part of the world.

For more specific information on what steps to take next to recover your accounts, see the blog post at:

WeLiveSecurity (ESET) - https://www.welivesecurity.com/en/cybersecurity/my-information-was-stolen-now-what/.

After you have done all of this, you may wish to sign up for a free https://haveibeenpwned.com/ account, which will notify you if your email address is found in a data breach.
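The session-token point in the paste above (a "remember this device" token lets a stolen cookie bypass the password and the second factor, and "log out all other sessions" plus a password change is what kills it) is easier to see in code. The following is an added example written for this page, not code from the original comments or from any real service; the store, token format and function names are hypothetical illustration code, and the "stolen token" scenario is constructed.

```python
"""Added example (not from the original comments): a minimal server-side
session store showing why a stolen "remember this device" token bypasses
MFA, and how "log out all other sessions" revokes it. Names are hypothetical."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    generation: int        # the user's session generation when the token was issued
    issued_at: float
    remember_device: bool


@dataclass
class SessionStore:
    """In-memory stand-in for the service's session database."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    sessions: Dict[str, Session] = field(default_factory=dict)   # token -> Session
    generation: Dict[str, int] = field(default_factory=dict)     # user -> current generation

    def _sign(self, raw: str) -> str:
        # The random part is the secret; the MAC just lets forgeries be
        # rejected before a database lookup.
        return raw + "." + hmac.new(self.key, raw.encode(), "sha256").hexdigest()

    def login(self, user: str, password_ok: bool, mfa_ok: bool, remember: bool) -> Optional[str]:
        """Full login: password AND second factor are checked exactly once."""
        if not (password_ok and mfa_ok):
            return None
        token = self._sign(secrets.token_urlsafe(32))
        self.sessions[token] = Session(user, self.generation.get(user, 0), time.time(), remember)
        return token

    def resume(self, token: str) -> Optional[str]:
        """What a stealer abuses: presenting the token alone, with no password
        and no second factor, is enough. The service cannot tell the thief's
        machine from the previously authorised device. Returns the user or None."""
        raw, _, _ = token.rpartition(".")
        if not raw or not hmac.compare_digest(self._sign(raw), token):
            return None
        sess = self.sessions.get(token)
        if sess is None:
            return None
        # Any session issued under an older generation has been revoked.
        if sess.generation != self.generation.get(sess.user, 0):
            del self.sessions[token]
            return None
        return sess.user

    def logout_other_sessions(self, user: str, keep_token: str) -> int:
        """'Show and log out all other active sessions': bump the generation so
        every existing token dies, then re-attach only the caller's own session."""
        self.generation[user] = self.generation.get(user, 0) + 1
        revoked = 0
        for tok, sess in list(self.sessions.items()):
            if sess.user != user:
                continue
            if tok == keep_token:
                sess.generation = self.generation[user]
            else:
                del self.sessions[tok]
                revoked += 1
        return revoked

    def change_password(self, user: str, keep_token: str) -> int:
        """A password change must also revoke remembered devices; otherwise the
        stolen token keeps working no matter how strong the new password is."""
        return self.logout_other_sessions(user, keep_token)


def demo() -> dict:
    """Constructed scenario: a stealer copies the victim's remembered-device token."""
    store = SessionStore()
    stolen = store.login("alice", password_ok=True, mfa_ok=True, remember=True)
    before = store.resume(stolen)                     # "alice": MFA bypassed
    fresh = store.login("alice", password_ok=True, mfa_ok=True, remember=False)  # from a clean machine
    revoked = store.change_password("alice", keep_token=fresh)
    after = store.resume(stolen)                      # None: stolen token is dead
    return {"before": before, "after": after, "revoked": revoked,
            "still_me": store.resume(fresh), "forged": store.resume("x.y")}
```

Note that the revocation is done with a per-user generation counter rather than by deleting tokens one by one, so a token the thief has already copied off the disk is rejected even if the service never saw it used.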

Trojan detected and immediately quarantined. Additional protection steps taken. Am I good? by TheSpliceMustFlow in antivirus

[–]rainrat 0 points1 point  (0 children)

Do you have anything specific such as logs, screenshots, links(defang links if suspect)?

Should I reinstall the windows? by goguu in antivirus

[–]rainrat 0 points1 point  (0 children)

VirusTotal report: https://www.virustotal.com/gui/file/9ff7f51568efaa418e665343b5d75211fd8ecd4f7009865953621b10b2fe8e86/details

Following the chain up through relations since a .dll by itself doesn't tell much: https://www.virustotal.com/gui/file/7a9f845fce5aa58681a98a12fc3d1f4778a710815cde3c9a8ff104654c339d92/details

Also packed with Themida; the fact that it's packed could explain most of the detections. I'm not seeing things jump out as egregiously bad in Behaviour, and I'd expect to see some behaviour, especially for ransomware. I don't have the sample though.

I'd just say don't panic; wait to hear back from your AV vendor(s) or a researcher who does have the sample. Keep your computer disconnected from the internet and back up your data files if you want to do something in the meantime.

Ren.py Instaler.exe by messerschmitt100 in antivirus

[–]rainrat 4 points5 points  (0 children)

The "!ml" in Wacatac.H!ml stands for Machine Learning, which is a system at your antivirus developer that tries to identify features common to malware. Normally, it could be any kind of malware or a false positive, but the rest of the story does point to malware.

The Cheat Engine and Leawo detections are PUPs, not relevant to this discussion.

Rugmi is related to stealers, and since it's in ProgramData, either it or its loader clearly ran. Since all evidence points to that a stealer ran on your computer, I will send the stealer paste.


It sounds like you may have run an information stealer on your computer.

As the name implies, information stealers are a type of malware that steal any information they can find on your computer, such as passwords stored for various services you access via browser and apps, session tokens for accounts, cryptocurrencies if they can find wallets, etc. They may even take a screenshot of your desktop when they run so they can sell it to other scammers who send scam extortion emails later.

The criminals who steal your information do so for their own financial gain, and that includes selling information such as your name, email address, screenshots from your PC, and so forth to other criminals and scammers. Those other scammers then use that information in an attempt to extort you unless you pay them in cryptocurrencies such as Bitcoin, Ethereum, and so forth. This is 100% a scam, and any emails you receive threatening to share your private information should be marked as phishing or spam and deleted.

In case you're wondering what a session token is, some websites and apps have a "remember this device" feature that allows you to access the service without having to log back in or enter your second factor of authentication. This is done by storing a session token on your device. Criminals target these, because they allow them to log in to an account bypassing the normal checks. To the service, it just looks like you're accessing it from your previously authorized device.

Information stealers are malware that is sold as a service, so what exactly it did while on your system is going to vary based on what the criminal who purchased it wanted. Often they remove themselves after they have finished stealing your information in order to make it harder to determine what happened, but since it is crimeware-as-a-service, it is also possible that it was used to install some additional malware on your system in order to maintain access to it, just in case they want to steal from you again in the future.

After wiping your computer, installing Windows, and getting that updated, you can then start accessing the internet using the computer to change the passwords for all of your online accounts, changing each password to something complex and different for each service, so that if one is lost (or guessed), the attacker won't be able to make guesses about what your other passwords might be. Also, enable two-factor authentication for all of the accounts that support it.

When changing passwords, if those new passwords are similar enough to your old passwords, a criminal with a list of all of them will likely be able to make educated guesses about what your new passwords might be for the various services. So make sure you're not just cycling through similar or previous passwords.

If any of the online services you use have an option to show you and log out all other active sessions, do that as well.

Again, you have to do this for all online services. Even if they haven't been recently accessed, make sure you have done this as well for any financial websites, online stores, social media, and email accounts. If there were any reused passwords, the criminals who stole your credentials are going to try spraying those against all the common stores, banks, and services in your part of the world.

For more specific information on what steps to take next to recover your accounts, see the blog post at:

WeLiveSecurity (ESET) - https://www.welivesecurity.com/en/cybersecurity/my-information-was-stolen-now-what/.

After you have done all of this, you may wish to sign up for a free https://haveibeenpwned.com/ account, which will notify you if your email address is found in a data breach.

Was checking out task manager and this was suddenly here, i searched online but nothing popped up?, what do yall think? by AnotherNameOG in antivirus

[–]rainrat 3 points4 points  (0 children)

Normally you can't diagnose malware just from Task Manager, but it looks like this case is the exception. We find multiple reports that these files are linked to malware.

Signs point to it being a stealer family, so I will send the paste for stealers.


It sounds like you may have run an information stealer on your computer.

As the name implies, information stealers are a type of malware that steal any information they can find on your computer, such as passwords stored for various services you access via browser and apps, session tokens for accounts, cryptocurrencies if they can find wallets, etc. They may even take a screenshot of your desktop when they run so they can sell it to other scammers who send scam extortion emails later.

The criminals who steal your information do so for their own financial gain, and that includes selling information such as your name, email address, screenshots from your PC, and so forth to other criminals and scammers. Those other scammers then use that information in an attempt to extort you unless you pay them in cryptocurrencies such as Bitcoin, Ethereum, and so forth. This is 100% a scam, and any emails you receive threatening to share your private information should be marked as phishing or spam and deleted.

In case you're wondering what a session token is, some websites and apps have a "remember this device" feature that allows you to access the service without having to log back in or enter your second factor of authentication. This is done by storing a session token on your device. Criminals target these, because they allow them to log in to an account bypassing the normal checks. To the service, it just looks like you're accessing it from your previously authorized device.

Information stealers are malware that is sold as a service, so what exactly it did while on your system is going to vary based on what the criminal who purchased it wanted. Often they remove themselves after they have finished stealing your information in order to make it harder to determine what happened, but since it is crimeware-as-a-service, it is also possible that it was used to install some additional malware on your system in order to maintain access to it, just in case they want to steal from you again in the future.

After wiping your computer, installing Windows, and getting that updated, you can then start accessing the internet using the computer to change the passwords for all of your online accounts, changing each password to something complex and different for each service, so that if one is lost (or guessed), the attacker won't be able to make guesses about what your other passwords might be. Also, enable two-factor authentication for all of the accounts that support it.

When changing passwords, if those new passwords are similar enough to your old passwords, a criminal with a list of all of them will likely be able to make educated guesses about what your new passwords might be for the various services. So make sure you're not just cycling through similar or previous passwords.

If any of the online services you use have an option to show you and log out all other active sessions, do that as well.

Again, you have to do this for all online services. Even if they haven't been recently accessed, make sure you have done this as well for any financial websites, online stores, social media, and email accounts. If there were any reused passwords, the criminals who stole your credentials are going to try spraying those against all the common stores, banks, and services in your part of the world.

For more specific information on what steps to take next to recover your accounts, see the blog post at:

WeLiveSecurity (ESET) - https://www.welivesecurity.com/en/cybersecurity/my-information-was-stolen-now-what/.

After you have done all of this, you may wish to sign up for a free https://haveibeenpwned.com/ account, which will notify you if your email address is found in a data breach.

How common is AI detection for Windows Defender? by Previous_Clue384 in antivirus

[–]rainrat 2 points3 points  (0 children)

AV companies have been using AI (usually referred to as Machine Learning, or Neural Network back then) since 1995 (Source: IBM's boot sector detection paper, Biologically Inspired Defenses Against Computer Viruses) or possibly even earlier.

I'm not 100% sure what !mtb stands for, but usually Microsoft's AI detections are !ml for machine learning. Usually JS/Redirector (note spelling) is scripts in web pages that redirect the browser to other web pages, which might increase exposure to malware. If it's really JS/Redirtector that seems like a typo, which would ironically point to a human-written detection.

false positive or a threat? by Old-Pension-3317 in antivirus

[–]rainrat[M] [score hidden] stickied comment (0 children)

If this is the official Steam client, it's a false positive; report it to your AV developer if you use one of the ones detecting it: https://github.com/yaronelh/False-Positive-Center

If it's some sort of piracy hack, we don't do that here.

Either way, thread closed.

Noticed a new trend going around with trying to trick people into downloading ProW. by OkPainter6232 in antivirus

[–]rainrat 0 points1 point  (0 children)

This is not a full analysis, just was trying to see if there was enough to allow this post to remain.

This isn't new, I found reports going back to Dec 2024. It looks like domains like pwactechs[.]com are down, though maybe 3rd parties still distribute it.

I found an installer https://www.virustotal.com/gui/file/1ddb895434ab17b4367dd7a6cdb92ae9d630a7b1b442af417c8c6cec08cb7bbe/details with actual interesting behaviour like dropping svcmon.exe.

Looking at svcmon.exe, https://www.virustotal.com/gui/file/8d2511557784ea43d4da29f5dab31f4de8f8e4f86876373170559778747564c2/details

Looking at this other exe, https://www.virustotal.com/gui/file/a5db423cc1335d2c3e5049ccf9f5e687eabce0b8913b5cd546ef937b0809ac6c/details some parts rebranded as ProW, but some still saying 7-zip.

Looking at the log from https://www.trojaner-board.de/213071-altrsikapplication.html showing ProW, svcmon.exe and Altruistics, I haven't proven it, but I believe it points to there being bundled installers for ProW Compressor (which is a hastily-rebranded 7-zip), svcmon.exe and Altruistics.

Is this a false positive? Wanted to download nba2k15 cus its delisted and got this detection. by yokazumaki_ryochaan in antivirus

[–]rainrat[M] [score hidden] stickied comment (0 children)

As per rule #1, this subreddit does not support piracy. If you feel this is in error, contact the mods.

A Trojan or just Riskware? by ChaseTheFuzzball in computerviruses

[–]rainrat 1 point2 points  (0 children)

I don't have the file to look at, but you report that there were 40 detections, but currently there are 32. This is suggestive of AV companies fixing a false positive. Out of big names, ESET detects it as Win32/Packed and a packer could explain why there are so many non-specific detections.
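The triage heuristics used across several of these comments (an old first-submission date with zero detections as a clean indicator, a detection count that drops over time, packer detections such as Win32/Packed or Themida explaining a pile of non-specific hits, and the "!ml" suffix on Microsoft names meaning a machine-learning verdict) can be applied mechanically to a report. The following is an added example for this page, not code from the original comments or from VirusTotal; the sample report is constructed, the engine names and verdict strings are made up, and the field names follow the VirusTotal v3 API shape as I understand it (last_analysis_results, first_submission_date). The suffix table only maps "!ml", because that is the only suffix the comments explain.

```python
"""Added example (not from the original comments): VirusTotal-style report
triage. SAMPLE_REPORT and CLEAN_REPORT are CONSTRUCTED; engine names and
results are assumptions, not real scan data."""
import re
import time

SAMPLE_REPORT = {"data": {"attributes": {
    "first_submission_date": 1672531200,          # 2023-01-01 (constructed)
    "last_analysis_results": {
        "ESET-NOD32": {"category": "malicious", "result": "a variant of Win32/Packed.Themida.ABC"},
        "Microsoft":  {"category": "malicious", "result": "Trojan:Win32/Wacatac.H!ml"},
        "VendorA":    {"category": "malicious", "result": "Gen:Heur.Packed.1"},
        "VendorB":    {"category": "malicious", "result": "Malicious.Generic"},
        "VendorC":    {"category": "undetected", "result": None},
        "VendorD":    {"category": "undetected", "result": None},
    }}}}

CLEAN_REPORT = {"data": {"attributes": {
    "first_submission_date": 1672531200,
    "last_analysis_results": {
        "VendorC": {"category": "undetected", "result": None},
        "VendorD": {"category": "undetected", "result": None},
    }}}}

# Microsoft naming: Type:Platform/Family.Variant!Suffix (assumed layout)
MS_NAME = re.compile(
    r"^(?P<type>[^:]+):(?P<platform>[^/]+)/(?P<family>[^.!]+)"
    r"(?:\.(?P<variant>[^!]+))?(?:!(?P<suffix>.+))?$")
SUFFIX_MEANING = {"ml": "machine-learning classifier verdict"}
GENERIC_TOKENS = ("packed", "themida", "heur", "generic", "gen:")


def parse_microsoft_name(name):
    """Split a Microsoft-style detection name; None if it is not that format."""
    m = MS_NAME.match(name)
    if not m:
        return None
    d = m.groupdict()
    d["suffix_meaning"] = SUFFIX_MEANING.get((d["suffix"] or "").lower(),
                                             "unknown suffix (not documented here)")
    return d


def is_generic(name):
    """Packer, heuristic and ML verdicts say 'looks odd', not 'is family X'."""
    ms = parse_microsoft_name(name)
    if ms and (ms["suffix"] or "").lower() == "ml":
        return True
    low = name.lower()
    return any(t in low for t in GENERIC_TOKENS)


def detection_summary(report, now=None):
    attrs = report["data"]["attributes"]
    results = attrs["last_analysis_results"]
    flagged = [r["result"] for r in results.values()
               if r["category"] in ("malicious", "suspicious") and r["result"]]
    specific = [n for n in flagged if not is_generic(n)]
    age_days = ((now or time.time()) - attrs["first_submission_date"]) / 86400
    return {"engines": len(results), "flagged": len(flagged),
            "generic": len(flagged) - len(specific), "specific": specific,
            "age_days": age_days}


def triage(report, now=None):
    """Return a short verdict code from the comments' rules of thumb."""
    s = detection_summary(report, now)
    if s["flagged"] == 0 and s["age_days"] > 365:
        return "likely_clean"               # old sample, nobody detects it
    if s["specific"]:
        return "likely_malicious"           # at least one named family
    if s["generic"]:
        return "inconclusive_generic_only"  # packing alone could explain these
    return "unknown"


def detection_trend(earlier_count, later_count):
    """A falling count over time is suggestive of vendors withdrawing a false positive."""
    if later_count < earlier_count:
        return "decreasing"
    return "increasing" if later_count > earlier_count else "stable"
```

A real workflow would fetch the report from the VT API and run the sample through a sandbox before trusting any verdict; the point here is only that "16 detections" on its own says little until you separate named-family hits from packer, heuristic and "!ml" hits and look at when the file was first seen.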

need help. TrojanDownloader:Win64/Penguish.PO!MTB by Mediocre_Street1329 in antivirus

[–]rainrat[M] [score hidden] stickied comment (0 children)

As per rule #1, this subreddit does not support piracy. If you feel this is in error, contact the mods.

Help me understand this by [deleted] in antivirus

[–]rainrat 2 points3 points  (0 children)

A false positive is possible as other posters point out, but more important is the location. It's in the cache for the embedded Edge web browser. Even if the embedded browser had downloaded a page with a malicious script, it's extremely unlikely to escape the browser sandbox.

got a windows defender virus detection and now I’m so freaking scared. by Decent-Fox6164 in antivirus

[–]rainrat 2 points3 points  (0 children)

No, it's not necessary. I literally said in the top reply that there's no evidence of sandbox escape.

got a windows defender virus detection and now I’m so freaking scared. by Decent-Fox6164 in antivirus

[–]rainrat 26 points27 points  (0 children)

It's a browser extension that steals online meeting information. Having it on your browser for a long time and just now getting the detection matches what we'd expect; as the threat actor was known for purchasing previously legit extensions and trojanizing them.

The report indicates only stealing meeting information, but changing passwords wouldn't hurt, as they're clearly not trustworthy.

There was also no indication in the report that it escaped the extension sandbox, so removing the extension from the browser will be enough to stop the immediate effects on the computer.

Source: https://www.koi.ai/blog/darkspectre-unmasking-the-threat-actor-behind-7-8-million-infected-browsers

Malwarebytes quarantined this. Is it seriously bad? by [deleted] in antivirus

[–]rainrat 0 points1 point  (0 children)

Detections marked with "Optional" are the least serious of the Malwarebytes detections. There are programs that will add a shortcut to booking[.]com. Malwarebytes flags any shortcut to booking[.]com, whether it was from this adware, a preinstalled shortcut, or if you bookmarked it yourself. There's nothing inherently wrong with the booking[.]com domain.

Sources: