Summary
- Executable name MWPriv+_Cheat_x64.exe contains the string “Cheat” — self-identifying and immediately flaggable.
- Detected by 11 antivirus engines based on PE analysis — high confidence malicious classification.
- SHA-256 b21c2afe99160f24b403962b7b15b191b785c2a4b5c38f49a5cbd74bcfd0415c for definitive identification.
- Prefetch and PcaSVC records persist after execution.
Overview
MW-Privat is a privately distributed FiveM cheat. Its executable name MWPriv+_Cheat_x64.exe is self-describing — it explicitly contains the word "Cheat" alongside the brand abbreviation and architecture suffix. This makes it one of the more straightforwardly identifiable cheats during a screenshare: any Prefetch or process entry bearing this name requires no further analysis to flag.
The binary is detected by 11 PE antivirus engines, confirming its malicious classification through multiple independent analysis paths.
Sample metadata (IOC)
Name MWPriv+_Cheat_x64.exe
Brand MW-Privat
SHA-256 b21c2afe99160f24b403962b7b15b191
b785c2a4b5c38f49a5cbd74bcfd0415c
AV hits 11 engines (PE analysis)Behavioral indicators
Self-identifying executable name
The filename MWPriv+_Cheat_x64.exe explicitly identifies itself as a cheat. No legitimate software — Windows components, game clients, or third-party applications — would include the string "Cheat" in an executable filename. Any occurrence in Prefetch or the process list is immediately actionable.
Multi-engine antivirus detection
The binary is flagged by 11 PE antivirus engines. During an investigation where the file is available, submission to a multi-engine scanner will return positive detections across multiple independent classification systems. This provides corroborating evidence independent of behavioral or timestamp indicators.
Screenshare check guide
Prefetch — MWPriv+_Cheat_x64.exe
- Check C:\Windows\Prefetch for MWPRIV+_CHEAT_X64.EXE-*.pf.
- The string “CHEAT” in the Prefetch filename is definitive — flag immediately.
Process list
- Check Task Manager or System Informer for a running MWPriv+_Cheat_x64.exe process.
File hash verification
- If the file is present on disk, compute its SHA-256.
- Match against b21c2afe99160f24b403962b7b15b191b785c2a4b5c38f49a5cbd74bcfd0415c.
PcaSVC / AppCompat entry
- Inspect the AppCompat PcaSVC log for an entry referencing MWPriv+_Cheat_x64.exe.
Browser and Discord
- Check browser history and downloads for references to MW-Privat or MWPriv.
- In Discord, check User Settings → Authorized Apps.
Detection summary
Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────────── PcaSVC entry Yes AppCompat / DPS log Prefetch (MWPriv+_Cheat_x64.exe) Usually C:\Windows\Prefetch SHA-256 hash / AV detection Yes (file on disk) File system / scanner
The most immediately actionable indicator is the Prefetch entry containing “CHEAT” in the filename — a string that has no legitimate counterpart in any standard software.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.