Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.
Overview
The Purge bypass is a multi-stage FiveM anti-cheat bypass with an unusually creative set of evasion mechanisms. Its most immediately distinctive artifact is the dropped DLL named c๐.dll, where a thumbs-down emoji character (Unicode U+1F44E) is embedded directly in the filename. Most file-searching tools and log parsers that operate on ASCII or basic UTF-8 filenames will not match this file under simple string searches, making it invisible to investigators who search for .dll drops without Unicode-aware enumeration.
The bypass also spawns cmd.exe, which opens System Informer โ an unusual behaviour that suggests the bypass is performing its own process monitoring check to detect security tools. This process spawn pattern is itself a detection indicator observable in process creation logs (Sysmon EventID 1 or Security EventID 4688).
Persistence is written to HKCU\Printers\DevModePerUser, an unconventional registry location used to blend into legitimate printer configuration data. The bypass also drops imgui_log.txt, a debug log produced by the Dear ImGui UI framework โ confirming the bypass has a rendered cheat menu interface built on ImGui.
Second-stage injection is performed through the local Discord client, which acts as an injection vector via a localhost bot interface. An obfuscated VBScript downloader fetches additional components from a scrapingant domain โ an atypical C2 choice that leverages a legitimate web scraping API service to proxy payload delivery, complicating domain blocklist-based detection.
Primary IOCs
c๐.dll on disk โ emoji filename search
Open a PowerShell window as administrator and run: Get-ChildItem -Path C:\ -Recurse -Filter "*๐*" -ErrorAction SilentlyContinue. The emoji character must be typed or pasted correctly โ a plain text search for "c.dll" will not match. Alternatively, use Everything (voidtools) which supports Unicode filename search natively. Search for ๐ in the Everything search bar to surface all files containing the thumbs-down emoji.
Any .dll file containing an emoji in its name is anomalous by definition โ no legitimate software ships DLLs with emoji filenames.
Registry persistence โ HKCU\\Printers\\DevModePerUser
Open Registry Editor (regedit.exe) and navigate to HKEY_CURRENT_USER\Printers\DevModePerUser. Inspect all values present under this key. Legitimate entries here are binary blobs representing printer device mode configurations and will be associated with known printer names. Any value that contains an executable path, a DLL path, or base64-encoded data is a persistence entry placed by Purge.
Also check HKCU\Software\Microsoft\Windows\CurrentVersion\Run for a secondary persistence entry if the main key has been cleaned, as some Purge variants use both locations.
imgui_log.txt โ ImGui cheat UI confirmation
Search the filesystem for imgui_log.txt using Everything or Get-ChildItem -Path C:\ -Recurse -Filter "imgui_log.txt". The Dear ImGui framework writes this log file by default when a debug build is active. Its presence confirms that a process running an ImGui-based rendered overlay (i.e., a cheat menu) has executed on the machine. The file typically appears in the directory of the process that rendered the UI, providing path context for where the bypass was executed from.
Hash identification and VirusTotal
Hash the primary Purge executable with certutil -hashfile <path> SHA256 and verify against SHA-256 1c6f0c6aa01e65b9bf17ea1d4d7de0a6382b97dad27541eccc608e5e645d40fa and SHA-1 5f100ced1736b235c1f86aa58f86466cc9818c2d. Submit to VirusTotal for detection names and behaviour report, which will document the VBScript downloader and registry persistence operations in the sandbox run.
cmd.exe spawning System Informer โ process creation log
If Sysmon is installed, query EventID 1 (process creation) for SystemInformer.exe as the child process with cmd.exe as the parent. In Event Viewer, filter the Microsoft-Windows-Sysmon/Operational log for EventID 1 and search the XML data for SystemInformer. Without Sysmon, check the Security log for EventID 4688 (process creation) if audit process creation is enabled. This process spawn chain is abnormal and confirms the bypass was performing its own process monitoring sweep.
VBScript downloader artifacts
Search for recently created or modified .vbs files in user-writable directories: Get-ChildItem -Path $env:TEMP,$env:APPDATA -Filter "*.vbs" -Recurse. Purge drops an obfuscated VBScript that uses WScript.Shell or XMLHTTP to fetch a secondary payload. The script will be heavily obfuscated โ look for characteristic VBScript obfuscation patterns such as concatenated character code arrays (e.g., Chr(80)&Chr(79)&...). Any VBScript in a temp directory that performs HTTP requests is a strong indicator.
scrapingant C2 in DNS cache
Run ipconfig /displaydns | findstr /i "scrapingant"in an elevated Command Prompt. Scrapingant is a web scraping API service with no legitimate use case on a gaming PC. Its presence in the DNS cache indicates the VBScript downloader successfully contacted the C2 relay and fetched a secondary component. Note the full hostname for threat intelligence reporting.
Persistence & Injection Chain
The Purge bypass establishes persistence through the HKCU\Printers\DevModePerUser registry key. This location is chosen specifically because security tools and manual investigators rarely inspect printer configuration subkeys for executable content. The key exists on all Windows machines with printers configured, making its presence non-suspicious at a glance. The malicious value must be read and decoded (typically base64) to reveal the actual payload path or shellcode.
The second-stage injection chain uses the locally running Discord client as a vector. The bypass communicates with the Discord client's local RPC socket (listening on localhost on a port in the range 6463โ6472) and leverages Discord's built-in Node.js runtime or its update mechanism to execute injected code within the Discord process space. This allows the second stage to run inside a signed, trusted application process, bypassing process-level integrity checks that might flag an unsigned binary.
The VBScript downloader represents the third layer of the chain: after the primary executable and the Discord injection, the script fetches and executes an additional payload from the scrapingant relay. This three-stage architecture means that removing only the primary executable does not fully remediate the compromise โ all three layers must be confirmed cleared.
Detection Notes
The emoji DLL filename is one of the most immediately confirmatory artifacts in the bypass detection space. No legitimate software produces DLL files with emoji characters in their names. A single positive result from the emoji filename search is sufficient to conclude that this bypass (or a variant sharing the same naming convention) is or was present on the system.
The imgui_log.txt file survives reboots and binary deletion. Its presence is a persistent record that an ImGui-based cheat menu ran in that directory. Combined with the registry persistence key, these two artifacts can confirm Purge use even after the operator has attempted to clean the machine.
The scrapingant C2 relay is an unusual pivot from the keyauth.win and eauth.us.to infrastructure seen in other FiveM bypasses. Its use may indicate the bypass operator is experimenting with legitimate service abuse to avoid domain reputation blocking. Investigators should note the full scrapingant URL from the DNS record for threat intelligence correlation across cases.