Citra Interesting VirusTotal Report

When I comes to software I’m always interested in what I’m installing.
I ran the most recent version of the Citra installer to VirusTotal to make sure everything was good.
Especially because I read a post on the Citra form saying it did have malware: Current version got trojan?
I know the post is pretty suspicious but I thought it was worth mentioning.

Now onto the actual report: https://www.virustotal.com/gui/file/259802212619473b387d6dc98ecb33840c88f33bac85a1a7af65ecd2565e5e1a/relations
Specifically the relations tab:
Execution Parents: Files that create the file being studied upon execution in a sandbox enviroment.
2020-03-13 | 60/72 | Win32 EXE | 07156d292a20bff302788ce88919db07.virus
2020-04-21 | 55/72 | Win32 EXE | 4e6e0a1802bece8c71675d58b465a31d.virus
PE Resource Parents: Portable Executable files submitted to VirusTotal that contain the file being studied in their resources section.
2020-03-13 | 60/72 | Win32 EXE | 07156d292a20bff302788ce88919db07.virus

My question is why Citra? Why is a 3ds emulator being used by these peaces of malware?
Its clear that 07156d292a20bff302788ce88919db07.virus has some version of Citra inside of it.
And more on 4e6e0a1802bece8c71675d58b465a31d.virus later.

Also in the community people(I think bots) have deemed it as #malware. But 9/10 its just false positives.

I also saw some interesting information in the Names listing
Names

  • citra-setup-windows.exe
  • 4e6e0a1802bece8c71675d58b465a31d.virus.exe
  • ._cache_07156d292a20bff302788ce88919db07.virus.exe
  • citra-2018-09-19-nightly-build.exe
  • citra-setup-windows (1).exe
  • citra-setup-windows(1).exe
  • 151700956347298332_citra-setup-windows.exe

Conclusion:
Here’s my theory on whats going on here. 4e6e0a1802bece8c71675d58b465a31d.virus.exe is a either infected or intentionally hacked and filled with malware version of Citra. Being downloaded from sites like these:


07156d292a20bff302788ce88919db07.virus could be the same as 4e6e0a1802bece8c71675d58b465a31d.virus.exe but I believe that 07156d292a20bff302788ce88919db07.virus is an installed that installs 4e6e0a1802bece8c71675d58b465a31d.virus

I’m not saying that’s exactly whats going on here but is a theory.

Let me know what you think!

I would be interested in knowing what installer Citra uses?