PSA: Malware detected from member's upload

If you downloaded [dHR Research] Sakura Exec Special Emergency Security Department Sexual Treatment Division - RJ01484777, you're most likely infected because no one else uploaded it. (I confirmed that the copy I downloaded generated the virus file.)

I usually only download from trusted uploaders but was super bored the day it came out.

Edit: Going through all my recent games to see if anything else is infected that isn't on the above list and adding them to the list below.

[Lucky Pervert Diary Takashi-kun @CFNM] Immoral Ejaculation: A Thrilling Undercover Investigation - Can You Cross the Line? - RJ01525446
Thanks for this, I checked and was infected, though I got the game from Kimochi. Is there any safe place to download this game now?
 
Hi, :)
Find Virus only in
Virus - Unreal3D RJ01416500 SweetLife 〜幸せな毎日が、寝取られに染まるまで〜 d_647906
d_647906
--------------------------------------------------
Don't find Rpgmaker games
rj01507389 NoVoice - Rpgm - RJ01507389 人妻剣士サツキの寝取られ売春記
---
rj01476568 NoVoice - RpgmEngine RJ01476568 マスターマインド
---
rj01509293 AiAnim RJ01509293 Peeping MySchool 盗撮が救う未来もある!?
------------------------------------
Special check with 0 from 62 Antivirus check
https://www.virustotal.com/gui/file...4ZTI2NThkYWNmNTg3NGEzNWE5Y2E6MTc2NzI1OTgxNQ==
Don't run the game yet.
rj01526843 RJ01526843 ミミズ井戸。 d_711775
P.S. Other games don't load. Just finished checking the Windows folder, found nothing.
P.P.S
New crack line,? or someone Really start add something... Just ask.
inheart_0102 Virus? inheart_0102 Iinari Aneiro ~Onee-chan ni Marking~ イイナリ姉色 〜お姉ちゃんにマーキング〜 ダウンロード版 VJ012680
 
Member jekson5865 does not use any profile picture. And because a large number of Uploaders also re-upload infected releases from jekson5865, it doesn't help even if you didn't download from jekson5865 but got the same release from someone else.

And before you start asking why nobody checked for it: everyone checks with VirusTotal at least, but there was no red flag until someone else noticed their PC being really hot and really slow, and that alerted a Chinese group of users to investigate. They finally asked Huorong to take a look, and Huorong confirmed it just a couple of days ago.

Even if you check right at this moment, only Huorong AV will flag it.

Tip: On ASF, we have a special note "Own Bought Game" from Uploaders and Contributors. We require Uploaders and Contributors to submit proof of purchase frequently, so Own Bought releases from Uploaders and Contributors are more reliable.
I see, it certainly wouldn't be useful if it's been re-uploaded...

Since cacheapp64.exe hasn't been generated yet, I think we're safe for now, but what would be the most reliable way to handle it if it were to be generated?

I'm using Windows Defender, but it doesn't detect it either, so it's difficult to block it beforehand.

Also, what kind of behavior does this malware exhibit?
 
Little about problem.
-://forum.kaspersky.com/topic/%E6%B8%B8%E6%88%8Flibegldll%E5%AD%98%E5%9C%A8%E6%8C%96%E7%9F%BF%E7%97%85%E6%AF%92-57734/
-
More deep
-://zhuanlan.zhihu.com/p/1989378491892929195
---
cacheapp64.exe is a malicious executable file, often around 750MB, used as part of a sophisticated malware campaign, typically a mining Trojan (cryptominer) disguised within seemingly harmless software (like games from shady sites) that aims to steal computing power by deploying malware, heavily detecting and evading analysis environments like VMs, sandboxes, and antivirus software.

What it does:

  • Downloads Payload: cacheapp64.exe acts as an injector, dropping and running a mining Trojan after complex evasion checks.
  • Evasion Techniques: It checks for debugger tools (IDA, Wireshark), virtual environments (VirtualBox, Sandboxie), antivirus software, and even uses anti-sandbox tricks like timing delays and large file sizes.
  • Stealthy Operation: It uses indirect API calls (hash-based) and hides its true malicious intent.
  • Connects to Mining Pools: Once the miner is running, it connects to private cryptocurrency mining pools to use your CPU/GPU resources.
How it appears:

  • It might be found alongside fake .dll files (like version.dll) in game folders.
  • Its large size (around 750MB) and high entropy are indicators of malicious packers.
In summary, if you find cacheapp64.exe on your system, it's a strong sign of a cryptomining infection, and you should run a full scan with reputable antivirus/antimalware software immediately.
---
Nothing new, if you ask me, just another wave of crypto malware shit, this time using anime/hentai sites as cover.
 
I downloaded one of the supposedly infected games a few days ago, dunno if from that particular user but could very well have been from him. Unpacked the game, but never actually started it due to being busy in the last few days. I deleted it just to be safe, haven't found any of the folders mentioned here like the cacheapp64 or the syscacheapp, nor any file with coinapp in the name.

Does that mean I am good since I never opened the game itself?
 
Looking at this, it appears that "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" was added by a miner program, so there seems to be no problem in deleting the shell itself (including the description of explorer.exe). However, tampering with the registry may affect the entire PC, so please proceed at your own risk.
Yes, confirmed, my computer appears to be healthy and uninfected and this is what HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon looks like for me:

[Image: 1767273391471.png]

There should not be any /Shell directory under Winlogon, nor should there be a Shell key in the Winlogon directory.

Note that there are possible legitimate reasons to have a Shell directory or a Shell key, but it is certainly a very suspicious sign. It means that something replaced Windows Explorer as your default shell, which does not happen by accident. If you have a Shell key and/or directory there, and you don't know what did it, odds are you're infected.
 
I have deleted the shell entry under the reg-edit and deleted the folder cacheapp64.exe was contained in. Pretty sure the infected game is also deleted. My CPU is back to normal temps in idle.

Can we be sure this fixed the problem?
 
Awww man, I click SweetLife 〜幸せな毎日が、寝取られに染まるまで〜 exe file. I can't play the game so I delete it quickly
 
Why so many worries, just use Free antivirus tools. Many years, use CureIt, from Cd -> Dvd -> Flash.
https://free.drweb.ru/download+cureit+free/
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Kaspersky Virus Removal Tool
https://www.kaspersky.ru/downloads/free-virus-removal-tool?ysclid=mjviudgnex23020704
If you still worry, just install the full version of any antivirus; you get 30 days free for testing.
https://www.av-test.org/en/
P.S. If you have a virus (more importantly, a Trojan), it can easily change the file name and registry name, if it is already inside.
 
Will this information then be provided to the police to have this person arrested? Simply deleting his account and posts can only be a temporary solution—he can still register new accounts and continue releasing other resources embedded with the virus.
 
Unfortunately, it doesn't work like that in real life.

Regarding "He can still register new accounts and continue". He can surely do that on Nyaa or Tokyo Toshokan but to do that on ASF will be a little bit harder now that the staff are aware.
 
Got infected too... Went through the steps and deleted the folder and the registry...

Would doing a re-install be needed as well, or is deleting the folder and the registry enough?
 
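May I ask whether the games crossed out with a green line are resources that do not carry the virus, or resources for which it currently cannot be determined whether they contain the virus?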
Hmm, how about a simpler answer: a virus (etc.) can be in any file archive; that depends on your luck, I fear. I am talking about all time, not about this miner Trojan virus.
---
How the miner works.
It uses different DLLs: cryptbase.dll, libEGL.dll, etc., depending on the game engine.
First it runs C:\Windows\System32\version.dll
Then it checks the TPM (tries to understand if it is a real machine, not a virtual machine).
Then it creates cacheapp64.exe = 750MB. If the file = 750MB, you are doomed. Check: Win+R -> regedit
Press Ctrl+F and search for cacheapp64
Search in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
The last words: Shell explorer.exe, C:\Users\Administrator\AppData\Local\Sicsacheapp64.exe
If you have it, you have the miner.
It unpacks itself with garbage from C:\Users\''YourUsedName''\AppData\Local\Scacheapp\apps.z.p
It checks if your system has an antivirus; if it has, it freezes itself for some time.
It checks again whether the Trojan is running in a virtual machine or not.
It runs the miner, using NtCreateFile, NtSetInformationFile, NtWriteFile, NtCreateSection and NtCreateUserProcess, NtMapViewOfSection and NtSetContextThread for it.
It checks for antivirus again.
It tries to connect to -://rentrys.co/GzueSqAf/raw or -://pastebin.com/raw/WcTE2iw1 to get the mining info (pool IP and port to connect to).
Start mining...
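The checks described in the posts above (the per-user Winlogon Shell entry and the cacheapp64.exe file under AppData\Local), collected into one read-only script. This is an added example, not code from any poster in the thread; the `-GameFolder` parameter is hypothetical, and the indicator names are the ones reported in the thread.

```powershell
# Added example: read-only triage for the indicators named in this thread.
# It reports findings and changes nothing. -GameFolder is a hypothetical parameter.
param([string]$GameFolder)

$findings = @()

# 1. Per-user Winlogon "Shell" override, as a value or as a subkey.
$winlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if (Test-Path $winlogon) {
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -ne $shell) {
        $findings += [pscustomobject]@{ Check = 'HKCU Winlogon Shell value'; Detail = $shell }
    }
    if (Test-Path "$winlogon\Shell") {
        $findings += [pscustomobject]@{ Check = 'HKCU Winlogon Shell subkey'; Detail = 'present' }
    }
}

# 2. The dropped executable, anywhere under the current user's local AppData.
$hits = Get-ChildItem -Path $env:LOCALAPPDATA -Filter 'cacheapp64.exe' -Recurse -File -Force -ErrorAction SilentlyContinue
foreach ($file in $hits) {
    $detail = '{0} ({1:N0} MB)' -f $file.FullName, ($file.Length / 1MB)
    $findings += [pscustomobject]@{ Check = 'cacheapp64.exe on disk'; Detail = $detail }
}

# 3. DLL names the thread associates with the loader, inside one unpacked game folder.
#    Legitimate software ships files with these names too, so this is a review list.
if ($GameFolder -and (Test-Path -LiteralPath $GameFolder)) {
    $names = 'version.dll', 'libEGL.dll', 'cryptbase.dll'
    $dlls = Get-ChildItem -LiteralPath $GameFolder -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name }
    foreach ($dll in $dlls) {
        $sig = (Get-AuthenticodeSignature -LiteralPath $dll.FullName).Status
        $findings += [pscustomobject]@{ Check = "DLL to review (signature: $sig)"; Detail = $dll.FullName }
    }
}

if ($findings.Count -eq 0) {
    'None of the indicators named in the thread were found.'
} else {
    $findings | Format-List
}
```

An empty result is not proof of a clean machine: the script covers only the current user's registry hive and the file names reported in this thread, which a poster above notes can be changed.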
 
For now, it is hard to say; maybe it creates other hidden virus bombs. Just check the next day. If it shows up again, then you need to use some different antivirus cleaning tool; I gave links already. If that does not help, then you need to copy your important info, but it can be infected already :( . At least try, and reinstall Windows; better to format the disk.
 
Which game did you download using Kimochi?
I would recommend ryuugames
Sakura Exec Special Emergency Security Department Sexual Treatment Division - RJ01484777. I prefer kimochi or otomi due to not having to go through so many ads, but since even the one I got from there had the malware, I was wondering which site would have a version of the game that is not corrupted.
 
Hi! Thank you so much to everyone who's answering questions and contributing. It's a shame these things happen :(

I have a question, is the list of infected games final? Or is it still possible that more infected games will be found?
 
The list is from what the member posted on ASF. New members posting on ASF are subject to throttling, such as 1 thread per hour, and all threads are held in the approval queue. Therefore, the member couldn't post many in the span of 1 month.

If you download your game from sources like Tokyo Toshokan or Nyaa Torrents, the same member may have shared more content since they aren't subject to the same throttling.

Unfortunately, it's hard to say whether other Uploaders/Contributors redownload from somewhere else as well.
 
Add [RJ01524403] to this list, it was also most likely distributed by the well-known jekson5865/hentaigamer**
But I can't vouch for the game uploaded here. It was originally posted on a popular anime tracker similar to nyaa, and this torrent is also indexed by TokyoToshokan. (A hint to the site, because I'm not sure if it's allowed to mention/write the names of websites)
If you read the article published by Huorong and uploaded the infected files (if you had any, for example), you'd realize that currently only two antivirus programs detect them: Huorong and Rising, and nothing else. I got infected myself, and the first thing I did was, as an experiment, scan my computer for viruses using AV scanners (KVRT, Cureit, Minersearch), and they found nothing. The most CureIT could find was a modified line in REGEDIT, and that was it. As for the miner itself, it wasn't found.
 
By the way, this might sound pretty crazy to some, but one of the games on the list, namely — RJ01524136, was initially infected with a cryptominer (libegl.dll, cacheapp, etc.) and sold with it on DLsite.
How could this have happened? Who knows, most likely the developer was infected too, and the infected files "migrated" to their game. But that's just my theory. On one of the content sharing forums, a user posted a screenshot of this game purchased from them, and it was the game they bought that infected them.

[Image: 01.jpg]
 
To be fair, I did mention there is no such thing as 100% safety. Even if one buys it from DLSite, it will be the lowest risk but not absolute.

Stay safe, we are stronger together.

I am looking into that possibility at the moment but it is the holiday...
 