  • Malware detected from member's upload: We have received a credible report of a potential CryptoMiner from jekson5865's upload. Please check whether you have downloaded from this member. Full details here.

PSA: Malware detected from member's upload

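I took another look. First, to determine whether it starts at boot, you can check the registry: run regedit and go to this path:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

The image above shows the situation on my own computer.
3453465ャ.JPG

This is what an infected machine looks like in the report.
1767087655301273.png

I also recommend this software to everyone:
Process Explorer
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
Its most basic function is to monitor your computer's resource usage. The original version is in English, so there shouldn't be a language barrier, right?
It also seems to be one of the things that keeps the malicious program from running.
567.JPG
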
Does anyone know what jekson5865's profile picture looked like?
I'm wondering because seeing the profile picture might help me remember if I downloaded from that person.
 
Does anyone know what jekson5865's profile picture looked like?
Member jekson5865 does not use any profile picture. And because a large number of uploaders also re-uploaded infected releases from jekson5865, it doesn't help: even if you didn't download from jekson5865, you may have got the same release from someone else.

And before you start asking why nobody checked for it: everyone checks VirusTotal at least, but there was no red flag until someone noticed their PC being really hot and really slow, and that alerted a Chinese group of users to investigate. They finally asked Huorong to take a look, and Huorong confirmed it just a couple of days ago.

Even if you check right at this moment, only Huorong AV will flag it.

Tip: On ASF, we have a special note "Own Bought Game" from Uploaders and Contributors. We require Uploaders and Contributors to submit proof of purchase frequently, so the Own Bought releases from Uploaders and Contributors are more reliable.

If you downloaded [dHR Research] Sakura Exec Special Emergency Security Department Sexual Treatment Division - RJ01484777, you're most likely infected because no one else uploaded it. (I confirmed that the copy I downloaded generated the virus file.)

I usually only download from trusted uploaders but was super bored the day it came out.

Edit: Going through all my recent games to see if anything else is infected that isn't on the above list and adding them to the list below.

[Lucky Pervert Diary Takashi-kun @CFNM] Immoral Ejaculation: A Thrilling Undercover Investigation - Can You Cross the Line? - RJ01525446
Thanks for this, I checked and was infected, though I got the game from Kimochi. Is there any safe place to download this game now?
 
Hi, :)
Find Virus only in
Virus - Unreal3D RJ01416500 SweetLife 〜幸せな毎日が、寝取られに染まるまで〜 d_647906
d_647906
--------------------------------------------------
Don't find Rpgmaker games
rj01507389 NoVoice - Rpgm - RJ01507389 人妻剣士サツキの寝取られ売春記
---
rj01476568 NoVoice - RpgmEngine RJ01476568 マスターマインド
---
rj01509293 AiAnim RJ01509293 Peeping MySchool 盗撮が救う未来もある!?
------------------------------------
Special check with 0 from 62 Antivirus check
https://www.virustotal.com/gui/file...4ZTI2NThkYWNmNTg3NGEzNWE5Y2E6MTc2NzI1OTgxNQ==
don't run game yet.
rj01526843 RJ01526843 ミミズ井戸。 d_711775
P.S. Other games don't load. Just finished checking the Windows folder, found nothing.
P.P.S
New crack line,? or someone Really start add something... Just ask.
inheart_0102 Virus? inheart_0102 Iinari Aneiro ~Onee-chan ni Marking~ イイナリ姉色 〜お姉ちゃんにマーキング〜 ダウンロード版 VJ012680
 
Member jekson5865 does not use any profile picture. And because a large number of uploaders also re-uploaded infected releases from jekson5865, it doesn't help: even if you didn't download from jekson5865, you may have got the same release from someone else.

And before you start asking why nobody checked for it: everyone checks VirusTotal at least, but there was no red flag until someone noticed their PC being really hot and really slow, and that alerted a Chinese group of users to investigate. They finally asked Huorong to take a look, and Huorong confirmed it just a couple of days ago.

Even if you check right at this moment, only Huorong AV will flag it.

Tip: On ASF, we have a special note "Own Bought Game" from Uploaders and Contributors. We require Uploaders and Contributors to submit proof of purchase frequently, so the Own Bought releases from Uploaders and Contributors are more reliable.

I see, it certainly wouldn't be useful if it's been re-uploaded...

Since cacheapp64.exe hasn't been generated yet, I think we're safe for now, but what would be the most reliable way to handle it if it were to be generated?

I'm using Windows Defender, but it doesn't detect it either, so it's difficult to block it beforehand.

Also, what kind of behavior does this malware exhibit?
 
Little about problem.
-://forum.kaspersky.com/topic/%E6%B8%B8%E6%88%8Flibegldll%E5%AD%98%E5%9C%A8%E6%8C%96%E7%9F%BF%E7%97%85%E6%AF%92-57734/
-
More deep
-://zhuanlan.zhihu.com/p/1989378491892929195
---
cacheapp64.exe
is a malicious executable file, often around 750MB, used as part of a sophisticated malware campaign, typically a mining Trojan (cryptominer) disguised within seemingly harmless software (like games from shady sites) that aims to steal computing power by deploying malware, heavily detecting and evading analysis environments like VMs, sandboxes, and antivirus software.

What it does:

  • Downloads Payload: cacheapp64.exe acts as an injector, dropping and running a mining Trojan after complex evasion checks.
  • Evasion Techniques: It checks for debugger tools (IDA, Wireshark), virtual environments (VirtualBox, Sandboxie), antivirus software, and even uses anti-sandbox tricks like timing delays and large file sizes.
  • Stealthy Operation: It uses indirect API calls (hash-based) and hides its true malicious intent.
  • Connects to Mining Pools: Once the miner is running, it connects to private cryptocurrency mining pools to use your CPU/GPU resources.

How it appears:

  • It might be found alongside fake .dll files (like version.dll) in game folders.
  • Its large size (around 750MB) and high entropy are indicators of malicious packers.

In summary, if you find cacheapp64.exe on your system, it's a strong sign of a cryptomining infection, and you should run a full scan with reputable antivirus/antimalware software immediately.
---
Nothing, new if, you ask me, just another wave Crypto Malware Shit, this time, used to cover it, Anime - Hentai sites.
 
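I took another look. First, to determine whether it starts at boot, you can check the registry: run regedit and go to this path:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

The image above shows the situation on my own computer.
View attachment 85709

This is what an infected machine looks like in the report.
View attachment 85710

I also recommend this software to everyone:
Process Explorer
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
Its most basic function is to monitor your computer's resource usage. The original version is in English, so there shouldn't be a language barrier, right?
It also seems to be one of the things that keeps the malicious program from running.
View attachment 85711
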
Looking at this, it appears that "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" was added by a miner program, so there seems to be no problem in deleting the shell itself (including the description of explorer.exe). However, tampering with the registry may affect the entire PC, so please proceed at your own risk.
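
The checks discussed in this thread can be gathered into one read-only triage script. This is an added example, not code posted by any member: it only looks for what the thread names (the HKCU Winlogon Shell value, cacheapp64.exe, and a version.dll in a game folder) and changes nothing. `$ScanRoot` is a hypothetical parameter; point it at the folders where downloads were unpacked.

```powershell
# Added example: read-only triage for the indicators named in this thread.
# $ScanRoot is a hypothetical parameter; nothing is deleted or modified.
param([string[]]$ScanRoot = @("$env:USERPROFILE\Downloads"))

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Check, $Detail, $Note) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail; Note = $Note })
}

# 1. Per-user Winlogon Shell value at the registry path given in the thread.
#    On a default install the Shell value lives under HKLM, not HKCU.
$key   = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -ne $shell) {
    $note = 'value names something other than explorer.exe alone'
    if ($shell.Trim() -ieq 'explorer.exe') { $note = 'value present, only explorer.exe' }
    Add-Finding 'HKCU Winlogon Shell' $shell $note
}

# 2. A running process with the file name reported in the thread.
Get-Process -Name 'cacheapp64' -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding 'Running process' "PID $($_.Id) $($_.Path)" 'name matches cacheapp64.exe'
}

# 3. Files on disk: cacheapp64.exe itself, and any version.dll under the scan roots.
foreach ($root in $ScanRoot) {
    Get-ChildItem -Path $root -Recurse -File -Include 'cacheapp64.exe', 'version.dll' `
            -ErrorAction SilentlyContinue | ForEach-Object {
        $sizeMB = [math]::Round($_.Length / 1MB, 1)
        $sig    = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        Add-Finding "File $($_.Name)" $_.FullName "$sizeMB MB, signature: $sig"
    }
}

if ($findings.Count -eq 0) { 'No indicators from the thread were found.' }
else { $findings | Format-List }
```

A version.dll hit on its own is only a lead, since the thread describes it as something that might sit beside the game rather than as proof of infection.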
 
