Reconstructing cheat execution after cleaner-tool sweeps

Eulen is a long-running FiveM (GTA V multiplayer) cheat with mature anti-forensic tooling. Recent versions ship a post-execution sweep that targets the artifacts server administrators are known to inspect: the Prefetch directory, the BAM service registry hive, the UserAssist ROT13 entries, and the user's recent-files list. The sweep is deliberate — it targets exactly what most detection guides tell administrators to check.

Our claim is that the sweep targets the checklist, not the underlying Windows architecture. Windows preserves execution evidence in at least four additional locations that the public sweepers we examined do not touch.

We reverse-engineered three publicly-distributed Eulen cleaner builds (March 2025 through January 2026) and observed the following coverage:

The pattern is consistent: cleaners go after artifacts cataloged in popular DFIR cheat-sheets and miss the second-tier compatibility-and-telemetry stores Windows populates as a side effect of normal execution.

For each Eulen variant we recover at least three independent artifacts, ranked by fidelity:

• Amcache.hve — preserves SHA-1, file size, link date, and binary path under Root\InventoryApplicationFile. The hash alone identifies known Eulen builds against our maintained signature set (90+ Eulen hashes as of this writing).
• ShimCache — stored in the SYSTEM hive under ControlSet001\Control\Session Manager\AppCompatCache, it records up to 1,024 executable paths with last-modified times. Crucially, ShimCache is only flushed to disk on shutdown, so a reboot after the cleaner pass paradoxically commits the evidence rather than removing it.
• RecentFileCache.bcf — a lesser-known compatibility cache at %SystemRoot%\AppCompat\Programs\ that lists executables run by an unprivileged user. Eulen runs unelevated, so it lands here reliably.
• Registry transaction logs (LOG1/LOG2) — when the cleaner deletes the BAM State subkey, the deletion itself is journalled. We replay the transaction log to recover the pre-deletion key contents, including the original last-execution timestamp.
• USN journal — every file operation on the Eulen binary, its loader, and its dropped artifacts is recorded with reason flags and timestamp. The journal preserves filename and parent directory even after MFT entries are recycled.

Each artifact above carries a different timestamp class. We fuse them into a single super-timeline by aligning to the closest reliable anchor — typically the Amcache FileId first-seen time, which has shown sub-minute accuracy against ground truth in our controlled trials.

for binary in candidate_binaries:
    anchor   := amcache.first_seen(binary.sha1)
    shim_t   := shimcache.last_modified(binary.path)
    rfc_t    := recent_file_cache.timestamp(binary.path)
    bam_t    := registry_log_replay("bam\\State", binary.exe).last_run
    usn_t    := usn_journal.first_create(binary.path)

    timeline := merge_within_window(
        events  = [anchor, shim_t, rfc_t, bam_t, usn_t],
        window  = 5min,
        anchor  = amcache_first_seen,
    )

    confidence := count(timeline.sources) / 5
    emit Detection {
        binary       = binary,
        first_seen   = timeline.min(),
        last_seen    = timeline.max(),
        sources      = timeline.sources,
        confidence   = confidence,
    }

A detection requires at least three independent sources. We have observed that even the most aggressive cleaner pass in our corpus left at least four of these five sources intact, so the three-source threshold rarely false-negatives.

The 6% non-recovery cases all involved either a full disk-image rotation between cheat session and scan, or an OS reinstall — neither of which we consider realistically deniable, since both leave their own characteristic forensic fingerprint (a fresh Windows install timestamp on a multi-year-old motherboard, an EFI boot variable older than the OS install date, etc.).

• Recovery quality degrades sharply when the suspect machine has more than a week of post-cleanup usage. ShimCache rolls; Amcache compacts; the USN journal wraps. Scan cadence matters.
• A determined operator can target the second-tier artifacts directly — Amcache can be wiped, transaction logs can be flushed. We have not seen this in publicly-distributed cheat tooling, but private builds may include it.
• Disk encryption with key rotation between sessions defeats this approach entirely. The realistic operator population in the FiveM ecosystem does not do this.