Cheat DetectionHighPublished

Anydesk Cheat FiveM cheat masquerade detection

A FiveM cheat distributed as Anydesk.exe to impersonate the legitimate AnyDesk remote desktop application. The genuine AnyDesk binary carries a valid Authenticode signature from philandro Software GmbH; this masquerade does not. SHA-256 e7a51618ad0ad0b7bf1b8f9f1d11cd04b793cb200bfb4065f3ad6b9f9acfeb47 and PcaSVC offset 0x581000 identify the binary.

CR
Clubhouse AC Research
June 2, 2026 7 min read

Summary

  • Impersonates AnyDesk — the legitimate binary is signed by philandro Software GmbH. This masquerade is unsigned.
  • SHA-256 e7a51618ad0ad0b7bf1b8f9f1d11cd04b793cb200bfb4065f3ad6b9f9acfeb47.
  • PcaSVC offset 0x581000 observed in memory forensics.
  • Execution path — legitimate AnyDesk runs from %AppData%\AnyDesk or Program Files, not arbitrary user paths.

Overview

This FiveM cheat masquerades as AnyDesk — a widely used remote desktop application — by adopting the filename Anydesk.exe. The social engineering angle relies on users or investigators dismissing the process as a routine remote support tool.

Key distinguishing factors from the legitimate AnyDesk binary:

  • The legitimate AnyDesk executable is signed by philandro Software GmbH with a valid Authenticode certificate.
  • The legitimate binary installs to %AppData%\AnyDesk\AnyDesk.exe or C:\Program Files (x86)\AnyDesk\AnyDesk.exe.
  • This cheat binary is unsigned and runs from an arbitrary user path.

Sample metadata (IOC)

Anydesk.exe (FiveM cheat) — file indicatorsIOC
Name        Anydesk.exe
Masquerade  AnyDesk remote desktop (philandro Software GmbH)

SHA-256     e7a51618ad0ad0b7bf1b8f9f1d11cd04
            b793cb200bfb4065f3ad6b9f9acfeb47

PcaSVC      0x581000
Signature   None (legitimate AnyDesk is signed)

Behavioral indicators

Missing Authenticode signature

The genuine AnyDesk application is signed by philandro Software GmbH. Checking the Digital Signatures tab of the Properties dialog will immediately reveal whether the binary is legitimate — an unsigned file claiming to be AnyDesk is definitively malicious.

Execution path anomaly

Legitimate AnyDesk installations run from predictable system paths. This cheat binary will be present in an unexpected location — such as the Downloads folder, Desktop, or a cheat-specific directory. The Prefetch entry will reveal the actual execution path.

PcaSVC offset

The PcaSVC offset 0x581000 has been observed in memory forensic analysis of systems running this cheat. Combined with the execution path and hash, it provides definitive attribution.

Screenshare check guide

1

Digital signature verification

  • Locate Anydesk.exe on disk (use Everything or search).
  • Right-click → Properties → Digital Signatures. The genuine AnyDesk is signed by philandro Software GmbH. An unsigned file is the cheat.
2

Execution path check

  • In Prefetch or AppCompat, check the full path of the Anydesk.exe execution.
  • Paths outside %AppData%\AnyDesk or Program Files are suspicious.
3

File hash verification

  • Compute the SHA-256 of the suspect file.
  • Match against e7a51618ad0ad0b7bf1b8f9f1d11cd04b793cb200bfb4065f3ad6b9f9acfeb47.
4

PcaSVC offset check

  • In memory forensics, check for PcaSVC entry at offset 0x581000 associated with an Anydesk.exe entry.
5

Browser and Discord

  • Check browser downloads for the source of the file. Legitimate AnyDesk is downloaded from anydesk.com — any other source is suspicious.

Detection summary

Artifact matrix — Anydesk.exe FiveM cheatSummary
Artifact                          Survives cleanup?   Check location
──────────────────────────────────────────────────────────────────────────
PcaSVC entry (0x581000)           Yes                 AppCompat / DPS log
SHA-256 hash                      Yes (file on disk)  File system
Missing signature                 Yes (file on disk)  File properties
Prefetch + path                   Usually             C:\Windows\Prefetch

The most immediately actionable indicator is the missing Authenticode signature — the real AnyDesk is always signed by philandro Software GmbH.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.