Cheat DetectionHighPublished

Aorist FiveM cheat detection & forensic artifacts

Aorist is a FiveM-targeted cheat distributed under the executable name Aorist.exe. Execution artifacts are recorded across multiple forensic artifact sources including the Windows DPS log, PcaSvc registry hive, Prefetch directory, and on-disk visibility via the Everything tool.

CR
Clubhouse AC Research
June 2, 2026 7 min read

Summary

  • DPS timestamp of 2025/06/05:00:03:40 provides a cleanup-resistant first-seen marker for Aorist.exe.
  • PcaSvc entry 0x2d1000 independently records execution in the Windows Application Compatibility registry hive.
  • Prefetch records for Aorist.exe survive in C:\Windows\Prefetch and can be parsed to confirm execution time and path.
  • The Everything tool confirms on-disk presence of Aorist.exe if the file has not been deleted post-session.

Overview

Aorist is a commercially distributed FiveM cheat loader. Its primary executable is named Aorist.exe. Unlike cheats that masquerade as legitimate software, Aorist operates under its own branded name, making the filename itself a direct indicator of compromise when found in Prefetch, DPS logs, or on disk.

The cheat's execution footprint spans multiple Windows forensic artifact sources. The DPS first-seen timestamp and PcaSvc registry entry are written at initial execution and cannot be removed by the same cleanup routines that clear Prefetch or browser history, making them reliable persistence indicators for investigators.

Sample metadata (IOC)

The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching.

Aorist.exe — file indicatorsIOC
Name        Aorist.exe

SHA-256     cc6cbfaed2bb4b124c32d71d2c581a5e70c91fcd2c7b039526e54dc89855129a
SHA-1       660f98a98e6ea3534fa1c6876b298013648d43fd
MD5         89b2b5712bd94be073a2d222fc45a0ce

First seen  2025/06/05:00:03:40  (DPS timestamp)
PcaSvc      0x2d1000

The DPS timestamp of 2025/06/05:00:03:40 is written by the Windows Program Compatibility Assistant service at first execution and cannot be cleared by the same cleanup routines that wipe Prefetch or browser history.

Behavioral indicators

Prefetch records

Following execution, Windows creates a Prefetch entry for Aorist.exe in C:\Windows\Prefetch. The Prefetch file records the executable's full path, the last run time, and run count. Even if Aorist.exe is deleted from disk, the Prefetch entry persists until the Prefetch folder is manually cleared.

On-disk visibility via Everything

The Everything tool (voidtools) indexes the NTFS Master File Table and can locate Aorist.exe on disk in real time, even if the file is stored in an unusual directory. A search for Aorist.exe in Everything will reveal the full path if the binary has not been deleted.

Screenshare check guide

Work through these steps in order. Step 1 (DPS timestamp) is the most cleanup-resistant. Steps 3–5 cover Prefetch, on-disk evidence, and hash confirmation.

1

DPS timestamp for Aorist.exe

  • Use a DFIR tool to inspect the DPS log for an entry corresponding to Aorist.exe.
  • The expected timestamp is 2025/06/05. Any DPS entry for this executable is definitive evidence of execution and cannot be removed by standard user-side cleanup.
2

PcaSvc entry 0x2d1000

  • Check the PcaSvc registry hive for an entry associated with Aorist.exe.
  • The value 0x2d1000 is the known PcaSvc flag written at execution. This entry is stored in the Application Compatibility registry and survives independent of Prefetch cleanup.
3

Prefetch for Aorist.exe

  • Check C:\Windows\Prefetch for an AORIST.EXE-*.pf file.
  • Parse the Prefetch entry to confirm last run time and full executable path.
  • There is no legitimate Windows or application component named Aorist.exe, so any Prefetch entry is unambiguous.
4

Everything tool search for Aorist.exe

  • Open the Everything tool and search for Aorist.exe.
  • If the binary is still on disk, Everything will display the full path instantly via MFT indexing.
  • Note the directory — legitimate software does not ship a binary with this name.
5

Hash check — SHA-256

  • If the file is still present, hash it and compare against the known SHA-256:
  • cc6cbfaed2bb4b124c32d71d2c581a5e70c91fcd2c7b039526e54dc89855129a
  • A match confirms this is the known Aorist sample from the research corpus.

Detection summary

Artifact matrix — Aorist / Aorist.exeSummary
Artifact                          Survives cleanup?   Check location
──────────────────────────────────────────────────────────────────────────
PcaSvc / DPS timestamp            Yes                 AppCompat / DPS log
Prefetch (Aorist.exe)             Usually             C:\Windows\Prefetch
File on disk (Aorist.exe)         Until deleted       Everything / Explorer
Hash match (SHA-256)              If file present     Hash utility

The DPS timestamp and PcaSvc entry are the most reliable long-term indicators, persisting after the cheat exits and surviving standard cleanup. Prefetch provides corroborating execution evidence with timestamp detail. Hash matching confirms sample identity when the file is still present on disk.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.