Summary
- Masquerades as ReShade_Setup_6.6.1.exe — the legitimate ReShade installer is signed by crosire; this is unsigned.
- SHA-256 841757e9118e0c09c3693c7d60e142535d576b558ae373d8d808501f2b3d59c9.
- PcaSVC offset 0x80000 observed in memory forensics.
- Triggerbot function — registers keyboard/mouse hooks to autofire on target detection.
Overview
Aqua TriggerBot impersonates the ReShade graphics post-processing installer — a well-known and widely trusted tool in the gaming community. By naming the cheat ReShade_Setup_6.6.1.exe, the author exploits the legitimacy of the ReShade brand to reduce user suspicion.
The legitimate ReShade installer is signed by crosire (the author) with a valid Authenticode certificate. This cheat binary is unsigned, providing an immediate differentiator. Additionally, the authentic ReShade setup does not function as a triggerbot — the functionality is entirely different.
Sample metadata (IOC)
Name ReShade_Setup_6.6.1.exe
Masquerade ReShade graphics installer (crosire)
Brand Aqua TriggerBot
Type TriggerBot / FiveM cheat
SHA-256 841757e9118e0c09c3693c7d60e14253
5d576b558ae373d8d808501f2b3d59c9
PcaSVC 0x80000
Signature None (legitimate ReShade is signed)Behavioral indicators
ReShade masquerade
The legitimate ReShade setup installer is signed by crosire. Key differentiators:
- Real ReShade: signed by crosire, downloaded from reshade.me, does not register keyboard hooks.
- This cheat: unsigned, may be distributed via Discord or cheat forums, registers keyboard/mouse hooks.
The version number 6.6.1 in the filename may or may not correspond to any real ReShade version — investigators should not assume the version number is accurate.
TriggerBot hook behavior
As a triggerbot, Aqua registers low-level keyboard and/or mouse hooks to intercept input and inject synthetic fire commands when the crosshair is over a target. During an active session, these hooks are observable in System Informer's global hooks view.
PcaSVC memory offset
The PcaSVC offset 0x80000 has been observed in memory forensic analysis of systems running Aqua TriggerBot. This offset combined with the filename and hash provides a multi-indicator confirmation.
Screenshare check guide
Digital signature verification
- Locate ReShade_Setup_6.6.1.exe on disk.
- Right-click → Properties → Digital Signatures. Legitimate ReShade is signed by crosire. An unsigned file is the cheat.
Download source check
- Check browser downloads for the origin of the file. Legitimate ReShade is only distributed via reshade.me. Any other source is suspect.
File hash verification
- Compute the SHA-256 of the file.
- Match against 841757e9118e0c09c3693c7d60e142535d576b558ae373d8d808501f2b3d59c9.
System hooks
- In System Informer, check the global hooks view for any hook registered by a process matching this filename.
PcaSVC offset check
- In memory forensics, check for PcaSVC entry at offset 0x80000 associated with ReShade_Setup_6.6.1.exe.
Prefetch and AppCompat
- Check C:\Windows\Prefetch for RESHADE_SETUP_6.6.1.EXE-*.pf and confirm the execution path.
Detection summary
Artifact Survives cleanup? Check location ───────────────────────────────────────────────────────────────────────────────── PcaSVC entry (0x80000) Yes AppCompat / DPS log SHA-256 hash Yes (file on disk) File system Missing crosire signature Yes (file on disk) File properties Prefetch (ReShade_Setup_6.6.1.exe) Usually C:\Windows\Prefetch Hook registration (if running) Only while running System Informer
The most immediately actionable indicator is the missing Authenticode signature — legitimate ReShade is always signed by crosire, and any copy of the file without this signature is definitively the cheat.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.