Summary
- Impersonates AnyDesk — the legitimate binary is signed by philandro Software GmbH. This masquerade is unsigned.
- SHA-256 e7a51618ad0ad0b7bf1b8f9f1d11cd04b793cb200bfb4065f3ad6b9f9acfeb47.
- PcaSVC offset 0x581000 observed in memory forensics.
- Execution path — legitimate AnyDesk runs from %AppData%\AnyDesk or Program Files, not arbitrary user paths.
Overview
This FiveM cheat masquerades as AnyDesk — a widely used remote desktop application — by adopting the filename Anydesk.exe. The social engineering angle relies on users or investigators dismissing the process as a routine remote support tool.
Key distinguishing factors from the legitimate AnyDesk binary:
- The legitimate AnyDesk executable is signed by philandro Software GmbH with a valid Authenticode certificate.
- The legitimate binary installs to %AppData%\AnyDesk\AnyDesk.exe or C:\Program Files (x86)\AnyDesk\AnyDesk.exe.
- This cheat binary is unsigned and runs from an arbitrary user path.
Sample metadata (IOC)
Name Anydesk.exe
Masquerade AnyDesk remote desktop (philandro Software GmbH)
SHA-256 e7a51618ad0ad0b7bf1b8f9f1d11cd04
b793cb200bfb4065f3ad6b9f9acfeb47
PcaSVC 0x581000
Signature None (legitimate AnyDesk is signed)Behavioral indicators
Missing Authenticode signature
The genuine AnyDesk application is signed by philandro Software GmbH. Checking the Digital Signatures tab of the Properties dialog will immediately reveal whether the binary is legitimate — an unsigned file claiming to be AnyDesk is definitively malicious.
Execution path anomaly
Legitimate AnyDesk installations run from predictable system paths. This cheat binary will be present in an unexpected location — such as the Downloads folder, Desktop, or a cheat-specific directory. The Prefetch entry will reveal the actual execution path.
PcaSVC offset
The PcaSVC offset 0x581000 has been observed in memory forensic analysis of systems running this cheat. Combined with the execution path and hash, it provides definitive attribution.
Screenshare check guide
Digital signature verification
- Locate Anydesk.exe on disk (use Everything or search).
- Right-click → Properties → Digital Signatures. The genuine AnyDesk is signed by philandro Software GmbH. An unsigned file is the cheat.
Execution path check
- In Prefetch or AppCompat, check the full path of the Anydesk.exe execution.
- Paths outside %AppData%\AnyDesk or Program Files are suspicious.
File hash verification
- Compute the SHA-256 of the suspect file.
- Match against e7a51618ad0ad0b7bf1b8f9f1d11cd04b793cb200bfb4065f3ad6b9f9acfeb47.
PcaSVC offset check
- In memory forensics, check for PcaSVC entry at offset 0x581000 associated with an Anydesk.exe entry.
Browser and Discord
- Check browser downloads for the source of the file. Legitimate AnyDesk is downloaded from anydesk.com — any other source is suspicious.
Detection summary
Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── PcaSVC entry (0x581000) Yes AppCompat / DPS log SHA-256 hash Yes (file on disk) File system Missing signature Yes (file on disk) File properties Prefetch + path Usually C:\Windows\Prefetch
The most immediately actionable indicator is the missing Authenticode signature — the real AnyDesk is always signed by philandro Software GmbH.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.