Bypass Detection·Jun 2, 2026

Farbenbomber Bypass: PcaSVC & Prefetch Execution Artifacts

Farbenbomber ("color bomber" in German) is a FiveM bypass executable with SHA-256 af10429b...b860b and a DPS first-seen timestamp of 2025/10/15. Despite anti-forensic design intent, execution artifacts survive across multiple independent sources: a PcaSVC entry at offset 0x494000, Windows Prefetch records, NTFS Journal Trace, and System Informer process logs — each providing an independent confirmation path.

FiveMBypass DetectionPcaSVCPrefetchIOC

Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.

Overview

Farbenbomber.exe is a FiveM bypass loader whose German-language filename — translating to "color bomber" — is consistent with a pattern of German-language naming conventions observed in several bypass tools in this research series, suggesting development within a German-speaking community or deliberate use of German strings as an obfuscation signal. The binary carries SHA-256 af10429bea0dff14ad9c452d01b6950cd648a8c6b8f91b9fe9a2388bef8b860b.

The DPS (Diagnostic Policy Service) first-seen timestamp of 2025/10/15 anchors the earliest known in-the-wild deployment of this build. DPS records application execution metadata independently of Event Log state, providing a reliable first-seen date even after standard log clearing.

Despite apparent anti-forensic design intent (likely including attempts to delete the executable after execution and clear standard evidence sources), Farbenbomber leaves artifacts in at least four independent locations: the PcaSVC (Program Compatibility Assistant Service) database at offset 0x494000, Windows Prefetch files, the NTFS USN Journal Trace, and System Informer's process and module history logs. The redundancy of these artifact sources means that clearing any one or two of them is insufficient to eliminate all evidence of execution.

Primary IOCs

1

SHA-256 hash identification

If the binary is still present on disk, compute its SHA-256: certutil -hashfile <path\to\Farbenbomber.exe> SHA256. A result matching af10429bea0dff14ad9c452d01b6950cd648a8c6b8f91b9fe9a2388bef8b860b is a definitive identification of this specific build. Search common staging paths: %TEMP%, %APPDATA%, %USERPROFILE%\Downloads, and any game-adjacent directories. The binary may have been renamed after initial drop.

2

DPS timestamp 2025/10/15

Query the DPS database using a DPS parser (available in KAPE or as a standalone tool). The DPS (Diagnostic Policy Service) records first-execution metadata for executables that trigger compatibility checks. Farbenbomber.exe will appear with a first-seen entry timestamped 2025/10/15. This timestamp persists independently of Prefetch, Event Logs, and filesystem timestamps, making it valuable as a corroboration source when other artifacts have been tampered with.

3

PcaSVC entry at 0x494000

The Program Compatibility Assistant Service (PcaSVC) maintains a database of executed programs for compatibility tracking. Use PcaClient or a hex editor to inspect the PcaSVC database file at C:\Windows\AppCompat\Programs\. The Farbenbomber.exe entry is recorded at binary offset 0x494000 within the PcaAppLaunchDic.bin or associated database file. This artifact records the executable path, the first execution timestamp, and the originating user SID.

4

Prefetch record in WinPrefetchView

Open WinPrefetchView (NirSoft). Search for FARBENBOMBER.EXE-*.pf. The Prefetch file records the executable hash, last run time, run count, and the list of files and DLLs accessed during execution. The DLL list in the Prefetch entry will reveal which system libraries the bypass loader imported, providing additional intelligence on its execution method. If the Prefetch file has been deleted, check the NTFS Journal for a deletion record of the .pf file itself.

5

Journal Trace confirmation

Use MFTECmd or a USN Journal parser to query for file system operations involving Farbenbomber.exe. The Journal will record: file creation (when the binary was written to disk), any rename operations (if the actor renamed it to evade detection), and file deletion (if it was cleaned up post-execution). The Journal Trace timestamps are independent of the file's NTFS timestamps ($STANDARD_INFORMATION), which can be timestomped. Journal records are significantly harder to retroactively modify.

6

System Informer process and module records

System Informer (formerly Process Hacker) maintains a log of all process creation and termination events in its event log if the logging feature was active. Navigate to View → Event Log within System Informer. Search for Farbenbomber. If the bypass was executed while System Informer was running in the background — which it often is on monitored gaming systems — its process creation record will appear here with the full executable path, PID, parent PID, and creation timestamp.

Screenshare Check Methodology

1

Prefetch check via WinPrefetchView

Ask the subject to open WinPrefetchView on their system. Sort the entries by Last Run Time descending. Ask them to use the search function (Ctrl+F) and search for farbenbomber. Any result confirms execution of the bypass. Ask them to scroll the entry into full view so the last run time and run count are visible on screenshare.

2

System Informer event log review

Ask the subject to open System Informer and navigate to View → Event Log. Use the filter or search to look for any process named Farbenbomber or containing German-language strings. Ask them to also check the process tree for any recently terminated processes with no identifiable parent. System Informer process records persist across sessions if the log has not been manually cleared.

3

Filesystem search for the binary

Ask the subject to open an elevated Command Prompt and run where /r C:\ Farbenbomber.exe 2>nul. Also run dir /S /B C:\Users\%USERNAME%\AppData\*.exe | findstr /i farben 2>nul to catch any copies in the user profile. If the binary has been renamed, the Prefetch file (which uses the original name at execution time) and the SHA-256 hash of any found executables remain the primary identification methods.

4

AppCompat / RecentFileCache check

Ask the subject to open an elevated Command Prompt and run reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache". The AppCompatCache (ShimCache) records executables that have been executed or accessed. Ask the subject to pipe the output to a file and review it, or use AppCompatCacheParser to produce a readable CSV. A Farbenbomber.exe entry in ShimCache is an independent corroboration of execution.

5

Recent files and startup entry check

Ask the subject to open Autoruns (Sysinternals) and check all tabs — particularly Scheduled Tasks, Services, and Logon — for any entry referencing Farbenbomber or an unrecognized executable in a user-writable path. Then ask them to open %APPDATA%\Microsoft\Windows\Recent\ in File Explorer and check for any shortcut pointing to the bypass executable path, which would indicate the file was accessed directly from a folder rather than launched programmatically.

Detection Notes

PcaSVC and DPS are the most durable artifact sources for Farbenbomber. Bypass authors who clear Prefetch files and Event Logs frequently overlook the Program Compatibility Assistant database and the Diagnostic Policy Service records, both of which operate in the background and are not targeted by standard evidence-wiping scripts. The specific PcaSVC offset 0x494000 provides a precise location for investigators parsing the database manually.

The DPS first-seen timestamp of 2025/10/15 is significant for timeline reconstruction: any system claiming no exposure to bypass tools that shows a Farbenbomber DPS entry cannot credibly have that entry from a source other than direct execution. DPS records are created on first execution and do not update on subsequent runs, making the 2025/10/15 date the floor for when this build was released into circulation.

Investigators using System Informer should ensure that KSystemInformer (the kernel driver component) was loaded during the session in question, as this extends the observable process data beyond what user-mode monitoring alone can capture. Process records from kernel-mode monitoring are significantly harder for bypass tools to suppress retroactively than user-mode event logs.