Bypass DetectionยทJun 2, 2026

Purge Bypass: Emoji-Named DLL, Discord Bot C2 & VBScript Downloader

The Purge bypass drops a DLL named c๐Ÿ‘Ž.dll โ€” an emoji character in the filename evades simple string-based file searches โ€” persists via HKCU\Printers\DevModePerUser, injects a second stage through the local Discord client, and fetches additional payloads via an obfuscated VBScript downloader.

FiveMBypass DetectionEmoji DLLRegistry PersistenceVBScript Downloader

Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.

Overview

The Purge bypass is a multi-stage FiveM anti-cheat bypass with an unusually creative set of evasion mechanisms. Its most immediately distinctive artifact is the dropped DLL named c๐Ÿ‘Ž.dll, where a thumbs-down emoji character (Unicode U+1F44E) is embedded directly in the filename. Most file-searching tools and log parsers that operate on ASCII or basic UTF-8 filenames will not match this file under simple string searches, making it invisible to investigators who search for .dll drops without Unicode-aware enumeration.

The bypass also spawns cmd.exe, which opens System Informer โ€” an unusual behaviour that suggests the bypass is performing its own process monitoring check to detect security tools. This process spawn pattern is itself a detection indicator observable in process creation logs (Sysmon EventID 1 or Security EventID 4688).

Persistence is written to HKCU\Printers\DevModePerUser, an unconventional registry location used to blend into legitimate printer configuration data. The bypass also drops imgui_log.txt, a debug log produced by the Dear ImGui UI framework โ€” confirming the bypass has a rendered cheat menu interface built on ImGui.

Second-stage injection is performed through the local Discord client, which acts as an injection vector via a localhost bot interface. An obfuscated VBScript downloader fetches additional components from a scrapingant domain โ€” an atypical C2 choice that leverages a legitimate web scraping API service to proxy payload delivery, complicating domain blocklist-based detection.

Primary IOCs

1

c๐Ÿ‘Ž.dll on disk โ€” emoji filename search

Open a PowerShell window as administrator and run: Get-ChildItem -Path C:\ -Recurse -Filter "*๐Ÿ‘Ž*" -ErrorAction SilentlyContinue. The emoji character must be typed or pasted correctly โ€” a plain text search for "c.dll" will not match. Alternatively, use Everything (voidtools) which supports Unicode filename search natively. Search for ๐Ÿ‘Ž in the Everything search bar to surface all files containing the thumbs-down emoji.

Any .dll file containing an emoji in its name is anomalous by definition โ€” no legitimate software ships DLLs with emoji filenames.

2

Registry persistence โ€” HKCU\\Printers\\DevModePerUser

Open Registry Editor (regedit.exe) and navigate to HKEY_CURRENT_USER\Printers\DevModePerUser. Inspect all values present under this key. Legitimate entries here are binary blobs representing printer device mode configurations and will be associated with known printer names. Any value that contains an executable path, a DLL path, or base64-encoded data is a persistence entry placed by Purge.

Also check HKCU\Software\Microsoft\Windows\CurrentVersion\Run for a secondary persistence entry if the main key has been cleaned, as some Purge variants use both locations.

3

imgui_log.txt โ€” ImGui cheat UI confirmation

Search the filesystem for imgui_log.txt using Everything or Get-ChildItem -Path C:\ -Recurse -Filter "imgui_log.txt". The Dear ImGui framework writes this log file by default when a debug build is active. Its presence confirms that a process running an ImGui-based rendered overlay (i.e., a cheat menu) has executed on the machine. The file typically appears in the directory of the process that rendered the UI, providing path context for where the bypass was executed from.

4

Hash identification and VirusTotal

Hash the primary Purge executable with certutil -hashfile <path> SHA256 and verify against SHA-256 1c6f0c6aa01e65b9bf17ea1d4d7de0a6382b97dad27541eccc608e5e645d40fa and SHA-1 5f100ced1736b235c1f86aa58f86466cc9818c2d. Submit to VirusTotal for detection names and behaviour report, which will document the VBScript downloader and registry persistence operations in the sandbox run.

VT Report โ†—

5

cmd.exe spawning System Informer โ€” process creation log

If Sysmon is installed, query EventID 1 (process creation) for SystemInformer.exe as the child process with cmd.exe as the parent. In Event Viewer, filter the Microsoft-Windows-Sysmon/Operational log for EventID 1 and search the XML data for SystemInformer. Without Sysmon, check the Security log for EventID 4688 (process creation) if audit process creation is enabled. This process spawn chain is abnormal and confirms the bypass was performing its own process monitoring sweep.

6

VBScript downloader artifacts

Search for recently created or modified .vbs files in user-writable directories: Get-ChildItem -Path $env:TEMP,$env:APPDATA -Filter "*.vbs" -Recurse. Purge drops an obfuscated VBScript that uses WScript.Shell or XMLHTTP to fetch a secondary payload. The script will be heavily obfuscated โ€” look for characteristic VBScript obfuscation patterns such as concatenated character code arrays (e.g., Chr(80)&Chr(79)&...). Any VBScript in a temp directory that performs HTTP requests is a strong indicator.

7

scrapingant C2 in DNS cache

Run ipconfig /displaydns | findstr /i "scrapingant"in an elevated Command Prompt. Scrapingant is a web scraping API service with no legitimate use case on a gaming PC. Its presence in the DNS cache indicates the VBScript downloader successfully contacted the C2 relay and fetched a secondary component. Note the full hostname for threat intelligence reporting.

Persistence & Injection Chain

The Purge bypass establishes persistence through the HKCU\Printers\DevModePerUser registry key. This location is chosen specifically because security tools and manual investigators rarely inspect printer configuration subkeys for executable content. The key exists on all Windows machines with printers configured, making its presence non-suspicious at a glance. The malicious value must be read and decoded (typically base64) to reveal the actual payload path or shellcode.

The second-stage injection chain uses the locally running Discord client as a vector. The bypass communicates with the Discord client's local RPC socket (listening on localhost on a port in the range 6463โ€“6472) and leverages Discord's built-in Node.js runtime or its update mechanism to execute injected code within the Discord process space. This allows the second stage to run inside a signed, trusted application process, bypassing process-level integrity checks that might flag an unsigned binary.

The VBScript downloader represents the third layer of the chain: after the primary executable and the Discord injection, the script fetches and executes an additional payload from the scrapingant relay. This three-stage architecture means that removing only the primary executable does not fully remediate the compromise โ€” all three layers must be confirmed cleared.

Screenshare Check Methodology

1

Emoji DLL file search

Open Everything and type the thumbs-down emoji into the search bar. Watch the results for any file containing the emoji character โ€” particularly any .dll file. If Everything is not installed, use PowerShell: Get-ChildItem C:\ -Recurse -Filter "*๐Ÿ‘Ž*" 2>$null. This check should be done first as the filename is the most distinctive IOC.

2

Registry persistence key inspection

Open regedit and navigate directly to HKCU\Printers\DevModePerUser. Scroll through all values. Legitimate values will have printer-model names as value names and binary data that looks like device configuration structures. Any value with a base64 string, a file path, or a name that does not match an installed printer is the persistence entry.

3

imgui_log.txt filesystem search

In an elevated Command Prompt: dir /s /b C:\imgui_log.txt 2>nul. Any result means an ImGui-based application ran from that directory. Note the path carefully โ€” it identifies the working directory of the cheat process at runtime.

4

VBScript file check in temp directories

Open %TEMP% and %APPDATA% in Windows Explorer and sort by date modified. Look for any .vbs file created recently. Open a suspicious VBScript file in Notepad โ€” heavy obfuscation (concatenated Chr() calls or long variable name strings) is a clear indicator of a malicious downloader script.

5

DNS cache scrapingant check and hash verification

Run ipconfig /displaydns | findstr /i scrapingant. Then locate the primary executable, hash it, and submit to VirusTotal for confirmation. Together these two checks confirm both the download C2 activity and the identity of the primary binary, providing a complete evidence chain.

6

cmd.exe / System Informer process audit

Check the process creation history via Event Viewer โ†’ Windows Logs โ†’ Security, filtering for EventID 4688. Search the results for SystemInformer.exe with cmd.exe as the creator process. This confirms the bypass spawned a monitoring tool process, which is the Purge bypass's distinctive behavioural signature.

Detection Notes

The emoji DLL filename is one of the most immediately confirmatory artifacts in the bypass detection space. No legitimate software produces DLL files with emoji characters in their names. A single positive result from the emoji filename search is sufficient to conclude that this bypass (or a variant sharing the same naming convention) is or was present on the system.

The imgui_log.txt file survives reboots and binary deletion. Its presence is a persistent record that an ImGui-based cheat menu ran in that directory. Combined with the registry persistence key, these two artifacts can confirm Purge use even after the operator has attempted to clean the machine.

The scrapingant C2 relay is an unusual pivot from the keyauth.win and eauth.us.to infrastructure seen in other FiveM bypasses. Its use may indicate the bypass operator is experimenting with legitimate service abuse to avoid domain reputation blocking. Investigators should note the full scrapingant URL from the DNS record for threat intelligence correlation across cases.