  • Malware detected from member's upload: We have received a credible report of a potential CryptoMiner from jekson5865's upload. Please check whether you have downloaded from this member. Full details here.

PSA: Malware detected from member's upload

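I took another look. First, to determine whether it starts at boot, you can check the registry: run regedit and go to this path:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

The image above shows the situation on my own computer.
3453465ャ.JPG


This is the infected state shown in the report.
1767087655301273.png



I also recommend that everyone use this software:
Process Explorer
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
Its most basic function is monitoring your own computer's resource usage. The original version is in English, so there shouldn't be a language barrier, right?
It also seems to be one of the factors that hinders the malicious program from running.
567.JPG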
 
Does anyone know what jekson5865's profile picture looked like?
I'm wondering because seeing the profile picture might help me remember if I downloaded from that person.
 
Does anyone know what jekson5865's profile picture looked like?
Member jekson5865 does not use any profile picture. And because a large number of uploaders also re-uploaded infected releases from jekson5865, it doesn't help even if you didn't download from jekson5865 but got the same release from someone else.

And before you start asking why nobody checked for it: everyone checks VirusTotal at least, but there was no red flag until someone else noticed their PC being really hot and really slow, and that alerted a Chinese group of users to investigate. They finally asked Huorong to take a look, and Huorong confirmed it just a couple of days ago.

Even if you check right at this moment, only Huorong AV will flag it.

Tip: On ASF, we have a special note "Own Bought Game" from Uploaders and Contributors. We require Uploaders and Contributors to submit proof of purchase frequently, so the Own Bought from Uploader and Contributor are more reliable.
 
If you downloaded [dHR Research] Sakura Exec Special Emergency Security Department Sexual Treatment Division - RJ01484777, you're most likely infected because no one else uploaded it. (I confirmed that the copy I downloaded generated the virus file.)

I usually only download from trusted uploaders but was super bored the day it came out.

Edit: Going through all my recent games to see if anything else is infected that isn't on the above list and adding them to the list below.

[Lucky Pervert Diary Takashi-kun @CFNM] Immoral Ejaculation: A Thrilling Undercover Investigation - Can You Cross the Line? - RJ01525446
Thanks for this, I checked and was infected, though I got the game from Kimochi. Is there any safe place to download this game now?
 
Hi, :)
Find Virus only in
Virus - Unreal3D RJ01416500 SweetLife 〜幸せな毎日が、寝取られに染まるまで〜 d_647906
d_647906
--------------------------------------------------
Don't find Rpgmaker games
rj01507389 NoVoice - Rpgm - RJ01507389 人妻剣士サツキの寝取られ売春記
---
rj01476568 NoVoice - RpgmEngine RJ01476568 マスターマインド
---
rj01509293 AiAnim RJ01509293 Peeping MySchool 盗撮が救う未来もある!?
------------------------------------
Special check with 0 from 62 Antivirus check
https://www.virustotal.com/gui/file...4ZTI2NThkYWNmNTg3NGEzNWE5Y2E6MTc2NzI1OTgxNQ==
don't run game yet.
rj01526843 RJ01526843 ミミズ井戸。 d_711775
P.S Other games don't load. Just finish check windows folder find nothing.
P.P.S
New crack line,? or someone Really start add something... Just ask.
inheart_0102 Virus? inheart_0102 Iinari Aneiro ~Onee-chan ni Marking~ イイナリ姉色 〜お姉ちゃんにマーキング〜 ダウンロード版 VJ012680
 
Member jekson5865 does not use any profile picture. And because a large number of uploaders also re-uploaded infected releases from jekson5865, it doesn't help even if you didn't download from jekson5865 but got the same release from someone else.

And before you start asking why nobody checked for it: everyone checks VirusTotal at least, but there was no red flag until someone else noticed their PC being really hot and really slow, and that alerted a Chinese group of users to investigate. They finally asked Huorong to take a look, and Huorong confirmed it just a couple of days ago.

Even if you check right at this moment, only Huorong AV will flag it.

Tip: On ASF, we have a special note "Own Bought Game" from Uploaders and Contributors. We require Uploaders and Contributors to submit proof of purchase frequently, so the Own Bought from Uploader and Contributor are more reliable.
I see, it certainly wouldn't be useful if it's been re-uploaded...

Since cacheapp64.exe hasn't been generated yet, I think we're safe for now, but what would be the most reliable way to handle it if it were to be generated?

I'm using Windows Defender, but it doesn't detect it either, so it's difficult to block it beforehand.

Also, what kind of behavior does this malware exhibit?
 
Little about problem.
-://forum.kaspersky.com/topic/%E6%B8%B8%E6%88%8Flibegldll%E5%AD%98%E5%9C%A8%E6%8C%96%E7%9F%BF%E7%97%85%E6%AF%92-57734/
-
More deep
-://zhuanlan.zhihu.com/p/1989378491892929195
---
cacheapp64.exe
is a malicious executable file, often around 750MB, used as part of a sophisticated malware campaign, typically a mining Trojan (cryptominer) disguised within seemingly harmless software (like games from shady sites) that aims to steal computing power by deploying malware, heavily detecting and evading analysis environments like VMs, sandboxes, and antivirus software.

What it does:

  • Downloads Payload: cacheapp64.exe acts as an injector, dropping and running a mining Trojan after complex evasion checks.
  • Evasion Techniques: It checks for debugger tools (IDA, Wireshark), virtual environments (VirtualBox, Sandboxie), antivirus software, and even uses anti-sandbox tricks like timing delays and large file sizes.
  • Stealthy Operation: It uses indirect API calls (hash-based) and hides its true malicious intent.
  • Connects to Mining Pools: Once the miner is running, it connects to private cryptocurrency mining pools to use your CPU/GPU resources.
How it appears:

  • It might be found alongside fake .dll files (like version.dll) in game folders.
  • Its large size (around 750MB) and high entropy are indicators of malicious packers.
In summary, if you find cacheapp64.exe on your system, it's a strong sign of a cryptomining infection, and you should run a full scan with reputable antivirus/antimalware software immediately.
---
Nothing, new if, you ask me, just another wave Crypto Malware Shit, this time, used to cover it, Anime - Hentai sites.
 
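I took another look. First, to determine whether it starts at boot, you can check the registry: run regedit and go to this path:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

The image above shows the situation on my own computer.
View attachment 85709

This is the infected state shown in the report.
View attachment 85710


I also recommend that everyone use this software:
Process Explorer
https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer
Its most basic function is monitoring your own computer's resource usage. The original version is in English, so there shouldn't be a language barrier, right?
It also seems to be one of the factors that hinders the malicious program from running.
View attachment 85711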
Looking at this, it appears that "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" was added by a miner program, so there seems to be no problem in deleting the shell itself (including the description of explorer.exe). However, tampering with the registry may affect the entire PC, so please proceed at your own risk.
 
I downloaded one of the supposedly infected games a few days ago, dunno if from that particular user but could very well have been from him. Unpacked the game, but never actually started it due to being busy in the last few days. I deleted it just to be safe, haven't found any of the folders mentioned here like the cacheapp64 or the syscacheapp, nor any file with coinapp in the name.

Does that mean I am good since I never opened the game itself?
 
Looking at this, it appears that "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell" was added by a miner program, so there seems to be no problem in deleting the shell itself (including the description of explorer.exe). However, tampering with the registry may affect the entire PC, so please proceed at your own risk.
Yes, confirmed, my computer appears to be healthy and uninfected and this is what HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon looks like for me:

1767273391471.png


There should not be any /Shell directory under Winlogon, nor should there be a Shell key in the Winlogon directory.

Note that there are possible legitimate reasons to have a Shell directory or a Shell key, but it is certainly a very suspicious sign. It means that something replaced Windows Explorer as your default shell, which does not happen by accident. If you have a Shell key and/or directory there, and you don't know what did it, odds are you're infected.
 
I have deleted the shell entry under the reg-edit and deleted the folder cacheapp64.exe was contained in. Pretty sure the infected game is also deleted. My CPU is back to normal temps in idle.

Can we be sure this fixed the problem?
 
Yes, confirmed, my computer appears to be healthy and uninfected and this is what HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon looks like for me:

View attachment 85741

There should not be any /Shell directory under Winlogon, nor should there be a Shell key in the Winlogon directory.

Note that there are possible legitimate reasons to have a Shell directory or a Shell key, but it is certainly a very suspicious sign. It means that something replaced Windows Explorer as your default shell, which does not happen by accident. If you have a Shell key and/or directory there, and you don't know what did it, odds are you're infected.
I've updated the steps to reflect this.
 
Awww man I click SweetLife 〜幸せな毎日が、寝取られに染まるまで〜 exe file. I can't play the game so I delete it quickly
 
I have deleted the shell entry under the reg-edit and deleted the folder cacheapp64.exe was contained in. Pretty sure the infected game is also deleted. My CPU is back to normal temps in idle.

Can we be sure this fixed the problem?
There should be no problem with the current information, but new information may come out in the future, so it's best to keep checking the information for a while.
 
Why so many worries, just use Free antivirus tools. Many years, use CureIt, from Cd -> Dvd -> Flash.
https://free.drweb.ru/download+cureit+free/
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Kaspersky Virus Removal Tool
https://www.kaspersky.ru/downloads/free-virus-removal-tool?ysclid=mjviudgnex23020704
If, you still worry, just install Full version, any Antivirus, you get 30 days free, for test.
https://www.av-test.org/en/
P.S If, you have Virus, (more important Trojan), they can easily change, file name, regname. If, they already inside.
 
Member jekson5865 does not use any profile picture. And because a large number of uploaders also re-uploaded infected releases from jekson5865, it doesn't help even if you didn't download from jekson5865 but got the same release from someone else.

And before you start asking why nobody checked for it: everyone checks VirusTotal at least, but there was no red flag until someone else noticed their PC being really hot and really slow, and that alerted a Chinese group of users to investigate. They finally asked Huorong to take a look, and Huorong confirmed it just a couple of days ago.

Even if you check right at this moment, only Huorong AV will flag it.

Tip: On ASF, we have a special note "Own Bought Game" from Uploaders and Contributors. We require Uploaders and Contributors to submit proof of purchase frequently, so the Own Bought from Uploader and Contributor are more reliable.
Will this information then be provided to the police to have this person arrested? Simply deleting his account and posts can only be a temporary solution—he can still register new accounts and continue releasing other resources embedded with the virus.
 
Will this information then be provided to the police to have this person arrested? Simply deleting his account and posts can only be a temporary solution—he can still register new accounts and continue releasing other resources embedded with the virus.

Unfortunately, it doesn't work like that in real life.

Regarding "He can still register new accounts and continue". He can surely do that on Nyaa or Tokyo Toshokan but to do that on ASF will be a little bit harder now that the staff are aware.
 
Got infected too... Went through the steps and deleted the folder and the registry...

Would doing a re-install needed as well or does deleting the folder and the registry done?
 
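May I ask: are the games crossed out with a green line resources that do not carry the virus, or resources for which it currently cannot be determined whether they contain the virus?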
Hmm, how, more simple answer... Virus (etc.) can be in any file archive, that depends on your luck, I fear. I talk about all time, not about this Miner Trojan Virus.
---
How Miner work.
it use different dll. cryptbase.dll, libEGL.dll etc. Depend from game engine.
First Run C:\Windows\System32\version.dll
Then Check TPM (try to understand if it is real, not Virtual machine)
then use - create cacheapp64.exe = 750MB If file = 750mb you Doomed. Check Win+R -> regedit
Press Ctrl+F search for cacheapp64
Search in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
last words Shell explorer.exe, C:\Users\Administrator\AppData\Local\Sicsacheapp64.exe
if you have it, you have Miner.
Unpack them self with garbage from C:\Users\''YourUsedName''\AppData\Local\Scacheapp\apps.z.p
Check if your system has Antivirus, if have then freeze them self, for some time.
Again check, if Trojan Running, in Virtual machine, or nope.
Run Miner use for it NtCreateFile, NtSetInformationFile, NtWriteFile, NtCreateSection and NtCreateUserProcess, NtMapViewOfSection and NtSetContextThread
Again check for antivirus
Trying connect to https://rentrys.co/GzueSqAf/raw or https://pastebin.com/raw/WcTE2iw1 to get mining info Pull Ip and Port for connect
Start Mining...
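
A read-only check for the indicators reported in this thread (the per-user Winlogon Shell value, a cacheapp64.exe under AppData\Local, and Windows-named DLLs such as version.dll inside a game folder). It is an added example, not written by any poster; the function names and the sample game folder are hypothetical.

```powershell
# Added triage example, read-only: it reports and changes nothing.
# Indicator names come from the posts above; function names are made up here.

function Get-WinlogonShellOverride {
    # Per the thread, a clean profile has no Shell value under this HKCU key.
    $key = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) { return $null }
    # The reported infected value is "explorer.exe, <path to dropped exe>",
    # so list every comma-separated entry that is not plain explorer.exe.
    $extra = @($shell -split ',' | ForEach-Object { $_.Trim() } |
            Where-Object { $_ -and $_ -ne 'explorer.exe' })
    [pscustomobject]@{ Value = $shell; ExtraCommands = $extra; Suspicious = ($extra.Count -gt 0) }
}

function Find-DroppedExe {
    # Posters report cacheapp64.exe (about 750 MB) under AppData\Local.
    param([string]$Root = $env:LOCALAPPDATA, [string]$Name = 'cacheapp64.exe')
    Get-ChildItem -Path $Root -Filter $Name -File -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTime,
            @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Length / 1MB) } }
}

function Find-SystemNamedDll {
    # version.dll / cryptbase.dll are Windows DLL names; a copy sitting next to a
    # game executable can be loaded in place of the system one, so report each
    # copy together with its Authenticode signature status.
    param([Parameter(Mandatory)][string]$GameFolder,
          [string[]]$Names = @('version.dll', 'cryptbase.dll'))
    Get-ChildItem -Path $GameFolder -Include $Names -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                SizeMB    = [math]::Round($_.Length / 1MB, 2)
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

$override = Get-WinlogonShellOverride
if ($override) { $override | Format-List } else { 'No per-user Winlogon Shell value found.' }
Find-DroppedExe | Format-Table -AutoSize
# Find-SystemNamedDll -GameFolder 'D:\Games\ExampleGame'   # hypothetical folder
```

The Shell value check does not depend on the dropped file's name, which matters because, as a reply above points out, a Trojan that is already inside can change its file and registry names.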
 
Got infected too... Went through the steps and deleted the folder and the registry...

Would doing a re-install needed as well or does deleting the folder and the registry done?
For now, hard to say, maybe it created other hidden virus bombs. Just check the next day; if it shows up again, then you need to use a different antivirus cleaning tool, I gave links already. If that does not help, then you need to copy important info, but it can be infected already :( . At least try, and reinstall Windows, better to format the disk.
 
Which game did you download using Kimochi?
I would recommend ryuugames
Sakura Exec Special Emergency Security Department Sexual Treatment Division - RJ01484777. I prefer kimochi or otomi due to not having to go through so many ads, but since even the one I got from there had the malware, was wondering which site would have a version of the game not corrupted
 
