⇢ KAISERPUNK, v1.02.003
⇢ MUSYNX:RETURN
⇢ Redfall [HV]
⇢ EA SPORTS Madden NFL 26 [HV]
⇢ Planet Zoo [HV]
⇢ YAR: Forgotten Throne
⇢ A Rat’s Quest: The Way Back Home – Season 1
⇢ The Bus [HV]
⇢ Modulus: Factory Automation
⇢ Warhammer Age of Sigmar: Realms of Ruin [HV]
⇢ FINAL FANTASY TACTICS – The Ivalice Chronicles [HV]
⇢ Super Meat Boy 3D
⇢ F1 Manager 2024 [HV]
⇢ Temtem: Swarm
⇢ I Am Jesus Christ
⇢ Jurassic World Evolution 2 [HV]
⇢ Field of Glory: Kingdoms – Burghers and Bombards
⇢ Warhammer 40,000: Chaos Gate – Daemonhunters [HV]
⇢ Lost In Random [HV]
⇢ Last Man Sitting
⇢ Crown of Greed
⇢ Cooking Simulator 2: Better Together
⇢ Madden NFL 22 [HV]
⇢ GRID Legends [HV]
⇢ Aether & Iron
⇢ The Long Dark: Wintermute – Episode 5
⇢ Old World: Empires of the Indus
⇢ Sid Meier’s Civilization VII [HV]
⇢ RAIDOU Remastered: Mystery of the Soulless Army [HV]
⇢ Hozy
⇢ Construction Simulator [HV]
⇢ Broken Arrow: Baltic Battalion
⇢ Persona 4: Arena Ultimax [HV]
⇢ Truck Mechanic: Dangerous Paths
⇢ Stellar Tactics
⇢ SONIC X SHADOW GENERATIONS [HV]
⇢ Eastern Era
⇢ Persona 3 Portable [HV]
⇢ Like a Dragon: Pirate Yakuza in Hawaii [HV]
⇢ Like a Dragon: Ishin! [HV]
⇢ Like a Dragon Gaiden: The Man Who Erased His Name [HV]
⇢ Planet Coaster 2 [HV]
⇢ Prince of Persia: The Lost Crown [HV]
⇢ Persona 5 Tactica [HV]
⇢ Fireside Fables: Wholesome Narrative Adventure!
⇢ GigaBash: Final Ascension
⇢ SWORD ART ONLINE: Fractured Daydream, v1.6.0.0
⇢ MindsEye, v6508009
⇢ NUTMEG! A Nostalgic Deckbuilding Football Manager
⇢ Metaphor: ReFantazio [HV]
⇢ PGA TOUR 2K25 [HV]
⇢ BRAVELY DEFAULT FLYING FAIRY HD Remaster [HV]
⇢ Lost Judgment [HV]
⇢ Digimon Story: Time Stranger [HV]
⇢ ATOMIC HEART [HV]
⇢ DRAGON QUEST VII Reimagined [HV]
⇢ OCTOPATH TRAVELER 0 [HV]
⇢ CODE VEIN II [HV]
⇢ SHINOBI: Art of Vengeance [HV]
⇢ Jurassic World Evolution 3 [HV]
⇢ Football Manager 26 [HV]
⇢ Demon Slayer -Kimetsu no Yaiba- The Hinokami Chronicles [HV]
⇢ Demon Slayer -Kimetsu no Yaiba- The Hinokami Chronicles 2 [HV]
⇢ F1 25 [HV]
⇢ Sonic Origins [HV]
⇢ Sonic Superstars [HV]
⇢ Soul Hacker 2 [HV]
⇢ Yakuza Kiwami 3 & Dark Ties [HV]
⇢ Pakinpaks
⇢ Persona 4 Golden [HV]
⇢ Persona 3 Reload [HV]
⇢ Like a Dragon: Infinite Wealth [HV]
⇢ Headquarters: Cold War
| If you like what I do, please consider donating to help me maintain this site, compressing RDP and seedboxes for my repacks. | Donate to FitGirl |
Updates Digest for April 1, 2026
Updates for the following games have been added today/yesterday.
All updates can be found on their own page: Updates List in the menus on the top and on the left. All links to updates are also posted on respective game pages.
DNS Problems
Currently my site has issues with DNS resolvers. As a temporary measure I recommend that you either use CloudFlare’s DNS address 1.1.1.1 or some VPN; there are tons of free browser VPN plugins for that.
Good read about Hypervisor
Only 64 Denuvo games left uncracked
According to this list on CrackWatch, only 64 games with Denuvo are still uncracked/unplayable. But I guess soon it will be empty or left with some obscure titles with additional protection. I can only imagine Denuvo execs and their hard talks with customers.
As for the wave of HV repacks lately – just keep calm, if you don’t like them. Things will balance themselves out soon. And repacks with traditional cracks will prevail.
HyperVisor Cracks – Status Update
The MKDEV team, with friends and support from cs.rin.ru administrator RessourectoR, has reached an important milestone in HyperVisor bypasses/cracks progress. ATM it’s not necessary to disable Secure Boot or use the EfiGuard tool. Currently you only need to run a simple bat-file and restart. Some of the generic and security features will be disabled and you will need to restart once to manually disable Driver Signature Enforcement (DSE), which is used by modern Windows to load only signed drivers (which the HyperVisor crack obviously can’t have). In my opinion the current level of disabled features is much better than it was a few weeks ago and is around the same level as a disabled Windows Defender. But ofc the VBS.cmd script, made by MKDEV, has a revert settings option, which is recommended to run after any game session (and restart).
What does it mean for you and me? Most probably next week, after the VBS script is kinda finalized, I will start posting HV-bypassed repacks, approved by the cs.rin.ru team. Every such repack will have a very visible HYPERVISOR tag. They will be available alongside generic/classic repacks. Any HV-based repack will be replaced if/once a proper crack is released.
That way, if you’re OK with non-classical cracks/bypasses with a minor security hit – get HV repacks. If you’re not OK – skip them and wait for a proper crack.
MemeCoin in My Name
Today one of my users/fans has created MemeCoin on Solana network, called $FitGirl. It already has some action/traction on Pump.Fun, you can also participate. All trading fees processed on that coin will go to my address. Please be advised, that this IS A MEMECOIN, IT HAS NO REAL VALUE! I won’t show you my tits nor kiss anyone just because you’ve been trading it! 🙂 If you’ve been participating in memecoins trades before – you know what to do. If not… well, it’s time to learn new & risky tricks!
About Hypervisor Cracks
Good read about those Hypervisor Cracks you could see a lot recently.
Seeing tons of misinformation about the dangers of using the hypervisor bypass
by u/gray-drow in PiratedGames
As for me – you won’t see any HV-crack repacks from me until you no longer need to actually disable security features. If that ever happens at all. No game is worth the potential irrecoverable damage you can do to your PC.
A Call for Donations
Once in a while, this day comes. The day where I have to remind you that making repacks and running this site costs me money.
Three years ago I rented a very powerful RDP (remote machine), which now allows me to repack a huge number of games – you can see it by the total count of posts each month.
War in Ukraine caused a world economic crisis, which is now taking a toll on my hobby expenses as well.
That’s why I remind you that if you have cryptocurrency of any amount, you can share some crypto-pennies with me to help maintain the site and allow me to continue the service that you rely on.
All these years, I have kept the site ad-free. I’m not gonna change my policy about ads. I’m not earning money off my hobby, but only try to cover expenses, and when some of you donate periodically – it’s all good.
So, if you can afford to say “Thanks” in a crypto monetary way – be my guest; I have a plethora of cryptocurrencies supported for donating.
If you can’t – no worries, you still can seed torrents which in turn also helps the crowd.
Support the cause, donate crypto to FitGirl
New to crypto?
It has apps available for desktop & smartphones, supports 240+ coins and has a built-in ability for buying crypto with traditional money.
Since May 2024 I have a new donation widget available, which allows you to donate almost any possible crypto on the market, whether or not I have that particular crypto wallet. It will convert your donation in SuperDuperCoin to one I accept, minus a tiny fee. So if you have stashed some obscure crypto which you don’t know what to do with – now you know what to do 🙂
PS: February 21, 2026 – Nothing new added, just a reminder for those who can help.
Heroskeep: The Malware Distributor
OK, with help from my users I can finally confirm that the possible malware data pack I posted yesterday is indeed malware.
And it’s distributed by a user named Heroskeep, who uploads his works to two big torrent trackers: 1337x.to and TPB:
Update Jan 15, 2025: Both 1337x.to and TPB have cleaned the Heroskeep accounts, all torrents have been removed.
Below is solid proof that his repacks and other releases contain mining malware, with the steps needed to reproduce it.
To check the malware you need only two files from any of his latest repacks (this has actually been going on for about 10 months):
setup.exe (installer + malware dropper in one package) and Redist.bin (malware container, always the same 298.1 MB file)
So, you download selected files, let’s take his
“FIFA 22-VOICES38 [v1.0.77.45722] [ALL DLCs] [Multi21]” for example:
magnet:?xt=urn:btih:83691C96A2E8E156EAEBA9014749F26BCE5970BB
After you download said files, DO NOT run the setup.exe, better rename it to setup.exe_ to not run it by mistake.
Get the Inno Unpacker from here: https://innounp.sourceforge.net/ and unpack innounp050.rar to the same folder where setup.exe_ is located.
Create a new text file (say, in Notepad), paste this string into it:
innounp.exe -x -a -dUnpacked -m %1
and save as Unpacker.bat
Then drag and drop setup.exe_ on Unpacker.bat
The folder called “Unpacked” will be created with contents extracted from the said setup.exe
Inside that folder there is another folder called “embedded”, and you need the “CompiledCode.bin” file from it, which holds the bytecode of all installation functions this setup.exe performs.
“CompiledCode.bin” is not in human-readable format, so we need to convert it:
Download https://github.com/Wack0/IFPSTools.NET/releases
and unpack ifpstools-net_v2.0.4.zip to the folder where “CompiledCode.bin” resides.
Drag and drop “CompiledCode.bin” on “ifpsdasm.exe”; it will decode the file to “CompiledCode.txt”, which is Assembler (machine) code.
While it’s much more human-friendly, it still contains encrypted strings to evade easy detection.
Primitive double base64 encoding is used to achieve that, so we just need to reverse that encoding.
I’ve made a simple Python script for that (you need Python, or get the full ZIP with proof from a link below):
https://paste.fitgirl.nsus.dev/?ec5cbdfe6c3bebf1#8sXGcAfjSjttezY8YvE3NJB5SWrjxNmFA3vDXTRa7xAK
After you run it with something like “Python.exe _decode_base64_in_asm.py CompiledCode.txt CompiledCode.decoded.asm” you will get the same ASM file, but with a comment on each line that has an encrypted string in it.
Commented lines will look like this:
assign Var6, UnicodeString_3(“VW1Wa2FYTjBMbUpwYmc9PQ==”) ;DECODED STRING: Redist.bin
where “VW1Wa2FYTjBMbUpwYmc9PQ==” is a hidden string with double base64 encoding, and the decoded string is at the end, in the comment.
Later in this article I will use line numbers based on that particular “CompiledCode.decoded.txt” file.
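The annotation step described above can be reproduced with a short script. This is an added example, not the author's script from the paste link; the function names are made up here, and the sample literals are the ones quoted in this article.

```python
import base64
import binascii
import re

# String literal in ifpsdasm output, e.g. UnicodeString_3("VW1W...").
# Typographic quotes are accepted too, because listings copied from a web
# page often carry them instead of straight quotes.
LITERAL = re.compile(r'UnicodeString_\d+\(["\u201c]([A-Za-z0-9+/]+={0,2})["\u201d]\)')
MARKER = ";DECODED STRING:"


def _b64_text(value):
    """Strictly decode one base64 layer to printable ASCII, else None."""
    if not value or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text and text.isprintable() else None


def decode_double_base64(literal):
    """Return the plaintext behind a double-base64 literal, or None.

    Both layers must decode cleanly; ordinary strings that merely look like
    base64 (or carry only one layer) are left alone.
    """
    inner = _b64_text(literal)
    return _b64_text(inner) if inner is not None else None


def annotate(listing):
    """Append ';DECODED STRING: ...' to each line holding an encoded literal."""
    out = []
    for line in listing.splitlines():
        match = LITERAL.search(line)
        plain = decode_double_base64(match.group(1)) if match else None
        if plain is not None and MARKER not in line:
            line = f"{line.rstrip()} {MARKER} {plain}"
        out.append(line)
    return "\n".join(out)


# Constructed sample: literals quoted in this article, comments stripped.
SAMPLE = """\
assign Var6, UnicodeString_3("VW1Wa2FYTjBMbUpwYmc9PQ==")
assign Var42, UnicodeString_3("ZG1KdmVIUnlZWGt1WlhobA==")
assign Global44[204], UnicodeString_3("UVhWeWIzSmg=")
assign Var45, UnicodeString_3("taskkill.exe")
pushtype UnicodeString_2"""

if __name__ == "__main__":
    print(annotate(SAMPLE))
```

Plain literals such as "taskkill.exe" pass through unchanged, and running the script twice over the same listing does not add a second comment.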
Part 1: Malware Dropper
1.1 Evading Detection
The setup.exe takes certain measures to avoid easy detection by a human or antiviruses.
It checks the age of the Windows installation and, if it’s less than 90 days old, it doesn’t drop the payload (line 16246). It does so because many on-request virtual machines set the Windows folder to a fresh date, the day of creation:
.function(export) BOOLEAN ISWINDOWSFOLDEROLDERTHAN90DAYS()
Then it checks whether setup.exe is running in a virtual machine or whether process/network monitoring tools, which are usually used for malware analysis, are running:
function loc_33a at line 29536 and below:
assign Var42, UnicodeString_3(“ZG1KdmVIUnlZWGt1WlhobA==”) ;DECODED STRING: vboxtray.exe
assign Var42, UnicodeString_3(“ZG0xMGIyOXNjMlF1WlhobA==”) ;DECODED STRING: vmtoolsd.exe
assign Var42, UnicodeString_3(“VTJGdVpHSnZlR2xsUkdOdmJVeGhkVzVqYUM1bGVHVT0=”) ;DECODED STRING: SandboxieDcomLaunch.exe
assign Var42, UnicodeString_3(“VUhKdlkyMXZiaTVsZUdVPQ==”) ;DECODED STRING: Procmon.exe
etc.
If any of those are found, no payload is dropped either.
Then, for some reason, it kills the most popular torrent clients it finds, lines 30297 and below:
assign Var44, UnicodeString_3(“/f /im \”qbittorrent*\””)
pushtype UnicodeString_2
assign Var45, UnicodeString_3(“taskkill.exe”)
If the script decides that it’s a safe environment to drop the malware, it proceeds.
1.2 Dropping the Malware
The script adds an exclusion to the Windows Defender rules for the path where the malware will be dropped, line 30894:
assign Var39, UnicodeString_3(“/c \”powershell Add-MpPreference -ExclusionPath \””)
The target folder for the actual malware is C:\Users\Your Username\AppData\Roaming\Microsoft\, line 30929:
assign Var45, UnicodeString_3(“ZTNWelpYSmhjSEJrWVhSaGZWeE5hV055YjNOdlpuUmM=”) ;DECODED STRING: {userappdata}\Microsoft\
Yes, it hides itself in the “Microsoft” folder.
When the folder is created and the exclusion is added, the script selects the file to drop.
It uses two functions for that, in line 16147:
.function(export) void INITIALIZEPAYLOADSIZE()
and in line 16190
.function(export) void INITIALIZERANDOMOFFSETS()
Those are selected randomly out of 40 variants.
Those payload files are located in the Redist.bin file, and setup.exe makes several checks that this file is present and not modified. This bin has a fake FreeArc header and can’t be extracted by any FreeArc.
Checks are done on lines 25857 and 26001. First one checks the presence of the file, and the second one verifies the MD5 hash for that file (which is 03cf23c41bc7468021826f7b897f8a7f).
assign Var6, UnicodeString_3(“VW1Wa2FYTjBMbUpwYmc9PQ==”) ;DECODED STRING: Redist.bin
assign Var4, UnicodeString_3(“TUROalpqSXpZelF4WW1NM05EWTRNREl4T0RJMlpqZGlPRGszWmpoaE4yWT0=”) ;DECODED STRING: 03cf23c41bc7468021826f7b897f8a7f
If one of the checks fails, setup closes.
If all checks pass, then the setup chooses a random name for the dropped malware, line 17061 and below:
The list is predefined and has 3652 possible variants, like these:
assign Global44[196], UnicodeString_3(“UVhSMGNtbGlkWFJs”) ;DECODED STRING: Attribute
assign Global44[197], UnicodeString_3(“UVhWa1lXTnBkSGs9”) ;DECODED STRING: Audacity
assign Global44[198], UnicodeString_3(“UVhWa2FXZG5iR1U9”) ;DECODED STRING: Audiggle
assign Global44[199], UnicodeString_3(“UVhWa2FXOD0=”) ;DECODED STRING: Audio
assign Global44[200], UnicodeString_3(“UVhWa2FXOVNaV3hoZVE9PQ==”) ;DECODED STRING: AudioRelay
assign Global44[201], UnicodeString_3(“UVhWa2FXOW5jbUZpWW1WeQ==”) ;DECODED STRING: Audiograbber
assign Global44[202], UnicodeString_3(“UVhWa2FXOTBiMjVwWXc9PQ==”) ;DECODED STRING: Audiotonic
assign Global44[203], UnicodeString_3(“UVhWeVlRPT0=”) ;DECODED STRING: Aura
assign Global44[204], UnicodeString_3(“UVhWeWIzSmg=”) ;DECODED STRING: Aurora
assign Global44[205], UnicodeString_3(“UVhWemJHOW5hV056”) ;DECODED STRING: Auslogics
assign Global44[206], UnicodeString_3(“UVhWMGIwTkJSQT09”) ;DECODED STRING: AutoCAD
For example, Aurora.exe was already mentioned in this incident report:
https://reddit.com/r/PiratedGames/comments/1q9tji5/beware_of_user_heroskeep_on_1337x_his_uploads/
Yes, it was this exact malware, but in a different repack from the same Heroskeep uploader.
When all those steps are done, the actual file is dropped into the C:\Users\Your Username\AppData\Roaming\Microsoft\ folder along with some side files like readme.txt
To ensure persistence of the malware in the system, setup then adds a scheduled task, line 16695:
.function(export) void INITIALIZERANDOMSCHTASK()
where the path is also selected randomly and is made to look like some native Windows function is being called:
assign Var2, UnicodeString_3(“VFdsamNtOXpiMlowWEZkcGJtUnZkM05jVlhCa1lYUmxUM0pqYUdWemRISmhkRzl5WEE9PQ==”) ;DECODED STRING: Microsoft\Windows\UpdateOrchestrator\
The task runs every 30 minutes and relaunches the dropped malware if it was killed. The string is combined from several lines, like this one in line 31587:
assign Var41, UnicodeString_3(“SWlBdmMyTWdiV2x1ZFhSbElDOXRieUF6TUE9PQ==”) ;DECODED STRING: ” /sc minute /mo 30
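The persistence pattern from Part 1 (an EXE sitting directly in %APPDATA%\Microsoft\, relaunched by a scheduled task filed under a Windows-looking path, with a Defender exclusion on the drop folder) can be checked for on a host. The following is an added example, not part of the original investigation: it assumes an export made with `schtasks /query /fo csv /v` on an English-locale system (columns "TaskName" and "Task To Run") and the ExclusionPath list from `Get-MpPreference`; the function names and the sample data are constructed.

```python
import csv
import io
import ntpath
import re

# <profile>\AppData\Roaming\Microsoft itself, with no subfolder: the drop
# location described above. Legitimate software normally uses subfolders.
DROP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft$", re.I)


def exe_path(task_to_run):
    """Extract the executable path from a 'Task To Run' cell."""
    cmd = task_to_run.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.exe)\b", cmd, re.I)
    return match.group(1) if match else cmd


def is_excluded(folder, exclusions):
    """True if a Defender path exclusion covers the folder."""
    folder = folder.lower()
    for item in exclusions:
        item = item.lower().rstrip("\\")
        if folder == item or folder.startswith(item + "\\"):
            return True
    return False


def suspicious_tasks(schtasks_csv, defender_exclusions=()):
    """Return (task name, executable, reasons) for tasks matching the pattern."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName") or ""
        if name == "TaskName":  # header line repeated inside the export
            continue
        exe = exe_path(row.get("Task To Run") or "")
        folder = ntpath.dirname(exe)
        if not (exe.lower().endswith(".exe") and DROP_DIR.match(folder)):
            continue
        reasons = ["EXE launched directly from %APPDATA%\\Microsoft\\"]
        if name.lower().startswith("\\microsoft\\windows\\"):
            reasons.append("task filed under \\Microsoft\\Windows\\")
        if is_excluded(folder, defender_exclusions):
            reasons.append("drop folder excluded from Defender scanning")
        findings.append((name, exe, reasons))
    return findings


# Constructed sample export (user name, task names and paths are made up).
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run"
"PC","\Microsoft\Windows\UpdateOrchestrator\Aurora","C:\Users\alice\AppData\Roaming\Microsoft\Aurora.exe"
"PC","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o"
"HostName","TaskName","Task To Run"
"PC","\Teams helper","C:\Users\alice\AppData\Roaming\Microsoft\Teams\Update.exe --processStart x"
'''
SAMPLE_EXCLUSIONS = ["C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\"]

if __name__ == "__main__":
    for task, exe, reasons in suspicious_tasks(SAMPLE_CSV, SAMPLE_EXCLUSIONS):
        print(task, "->", exe)
        for reason in reasons:
            print("   ", reason)
```

A hit is a lead for manual review rather than a verdict: the dropped file name is picked from a long list of legitimate-sounding names, so the location and the task are more reliable signals than the name.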
Part 2: Malware Itself
All of those randomly chosen EXEs are slightly modified copies of each other. All of them are packed with Themida (consider it a lightweight copy of Denuvo, whose main purpose is to hide what’s done inside the exe).
Each of those EXEs is ~7 MB in size and with proper tools they unpack to ~21 MB each. And of course those are miners. Specifically, those are Monero/XMR miners.
I’ve made a Python script for extracting those exes from the Redist.bin file, you can find it in the ZIP at the bottom of this post.
I’ve uploaded two of those samples to hybrid-analysis.com
The reports for both files are basically the same.
Lines of interest:
Found a reference to the Stratum Mining Protocol
“stratum+tcp://” (Indicator: “stratum+tcp://”)
Possibly checks for the presence of an adware detecting tool
“mbam.exe” (Indicator: “mbam.exe”)
mbam.exe is the executable name for Malwarebytes, a renowned anti-malware software.
Able to identify sandbox environment running process
Found string “VBoxService.exe” (Indicator: “vboxservice.exe”; Source: “00000000-00007316.00000000.282950.40581000.00000002.mdmp”)
Found string “VBoxTray.exe” (Indicator: “vboxtray.exe”; Source: “00000000-00007316.00000000.282950.40581000.00000002.mdmp”)
Able to identify virtual environment by using API string
Found string “NtQuerySystemInformation” (Indicator: “NtQuerySystemInformation”; Source: “00000000-00007316.00000000.282950.40581000.00000002.mdmp”)
Found E-Mail address in binary/memory
Pattern match: “ncz5enfj@proxifyme50.com”
Pattern match: “ncz5enfj@proxy00002.com”
Found registry location strings in memory
“SOFTWARE\Wireshark” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“SOFTWARE\GlassWire” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“SOFTWARE\Paessler” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“SOFTWARE\SolarWinds” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“HARDWARE\DESCRIPTION\System\CentralProcessor\%d” in Source: 00000000-00007316.00000000.282950.40581000.00000002.mdmp
“\REGISTRY\MACHINE\SOFTWARE\Classes” in Source: 00000000-00007316.00000000.282950.40A3B000.00000020.mdmp
“\Registry\Machine\Software\Classes\” in Source: 00000000-00007316.00000000.282950.40A3B000.00000020.mdmp
Shows ability to use execution guardrails
The analysis shows indicators which can be used as execution guardrails to ensure that payload only executes against intended targets/system. Matched sigs: Able to identify sandbox environment running process
Matched sigs: Contains ability to delay execution by waiting for signal/timeout (API string)
Matched sigs: Contains ability to retrieve the time elapsed since the system was started (API string)
Matched sigs: Able to identify virtual environment by using API string
Matched sigs: The input sample contains the RDTSCP instruction
Tries to access non-existent files (non-executable)
“pe_0000.bad.dll.exe” trying to access non-existent file “C:\INFO.TXT”
“pe_0000.bad.dll.exe” trying to access non-existent file “C:\Users\%USERNAME%\..JSON”
“pe_0000.bad.dll.exe” trying to access non-existent file “%APPDATA%\Microsoft\README.TXT” (which is dropped by original setup.exe)
Found potential IP address in binary/memory
Potential IP “1.3.101.110” found in string “X25519:1.3.101.110”
Potential IP “1.3.101.111” found in string “X448:1.3.101.111”
Potential IP “1.3.101.112” found in string “ED25519:1.3.101.112”
Potential IP “1.3.101.113” found in string “ED448:1.3.101.113”
Those IPs are located at some Chinese hosting provider. Probably used for C&C.
Found potential URL in binary/memory
Pattern match: “proxifyme50.com/launcher_077.exe”
Pattern match: “proxy00002.com/launcher_077.exe”
Heuristic match: “nicehash.com”
Heuristic match: “donate.ssl.xmrig.com”
Heuristic match: “donate.v2.xmrig.com”
Heuristic match: “vpnetworkc.com”
Heuristic match: “proxy00004.com”
Found potential URLs in memory dumps
Found URL “ftp://fhqfg8uu:ncz5enfj@proxifyme50.com/launcher_077.exe
Contains ability to perform remote desktop activity (API string)
Found reference to API “WTSSendMessageW” (Indicator: “WTSSendMessage”; File: “pe_0000.bad.dll”)
You can find more info on those files, made by the vx-underground admin:
https://malwaresourcecode.com/home/my-projects/write-ups/r-piratedgames-drama.-is-it-malware-yes.-is-it-cool-malware-no
The link to this investigation was sent to the 1337x.to moderation team; I hope they will ban that Heroskeep forever and remove all of his uploads.
Five years ago he was already distributing malware using a different method.
https://www.reddit.com/r/PiratedGames/comments/jp71l4/beware_of_miner_unpackerexe_decompressexe/
As for TPB – the site doesn’t have a proper “report” function; they have a side forum for that. If you have the time and will, you can report that user there so that action would be taken against him.
But be advised that people like Heroskeep always return with a new name, and with more sophisticated malware. So be very cautious before downloading something from an unknown source, even if you trust the site itself.
Heroskeep_Malware_Files.zip
Contains all needed files for your own analysis.


















