Summary
- Despite the name “Traceless”, DPS and PcaSvc timestamps are irremovable without registry editing — the cheat's anti-forensic branding is a deliberate misdirection.
- DPS first-seen timestamp of 2025/07/30 and PcaSvc entry 0x42d000 survive independently of user-side cleanup routines.
- Prefetch for Traceless.exe survives basic cleanup and provides a persistent execution record.
- If running, Traceless.exe is visible in the process list — no legitimate software uses this executable name.
Overview
Traceless is a commercially distributed FiveM cheat loader. Its primary executable is named Traceless.exe and weighs approximately 4.15 MB. The product name is a direct reference to anti-forensic capability — a marketing claim that does not hold up under forensic scrutiny.
Windows' Diagnostic Policy Service (DPS) and Program Compatibility Assistant (PcaSvc) both record a timestamp and entry at first execution that are stored in the registry and cannot be cleared by the same cleanup scripts that wipe Prefetch or browser history. A user who trusts the cheat's name and believes their system is clean will still carry these artifacts indefinitely. Prefetch additionally survives the most common cleanup approaches.
Sample metadata (IOC)
The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching.
Name Traceless.exe Size 4,353,536 bytes (4.15 MB) SHA-256 128e13028f0f931d794f10374cbfdc1a550fc4590640e70763b941e09635c309 SHA-1 63f856cb2ff834b82782386b43858672c1f46037 MD5 9d198fba674f7ad4385ef51ee241d79e First seen 2025/07/30 18:09:24 UTC (DPS timestamp) PcaSvc 0x42d000
The DPS timestamp of 2025/07/30 18:09:24 is written by the Windows Diagnostic Policy Service at first execution and cannot be cleared by routine cleanup. The PcaSvc entry 0x42d000 is similarly persistent.
Behavioral indicators
Misleading anti-forensic branding
The name Traceless is a deliberate marketing choice designed to reassure users that using the cheat will not leave forensic evidence on their system. This claim is false. Two registry-backed artifact classes — DPS timestamps and PcaSvc entries — are written at first execution and persist indefinitely unless the user edits the relevant registry keys directly.
This is forensically significant: a user who has attempted cleanup and believes their system is clean based on the product's name will still carry DPS and PcaSvc evidence of execution. Screenshare investigators should not be deterred by the absence of surface-level artifacts such as the binary itself or browser download history.
DPS and PcaSvc persistence
The Diagnostic Policy Service (DPS) logs program first-run timestamps in the Windows registry under the AppCompat telemetry path. The Program Compatibility Assistant service (PcaSvc) records a separate execution indicator. Both survive del operations, Prefetch clearing, and most third-party cleanup tools. Only targeted registry key deletion removes these entries — a step that itself may leave evidence of tampering.
Prefetch survivability
A Prefetch file for Traceless.exe will appear in C:\Windows\Prefetch following execution. While Prefetch can be cleared by an attentive user, it survives basic cleanup and provides corroborating evidence alongside the more persistent DPS and PcaSvc artifacts.
Screenshare check guide
Work through these steps in order. Steps 1 and 2 are registry-backed and cannot be cleared without direct registry editing. Steps 3–5 provide corroborating evidence.
DPS timestamp check for Traceless.exe
- Use a DFIR tool to inspect the DPS log entries for Traceless.exe.
- The known DPS timestamp is 2025/07/30 18:09:24. Any DPS entry for this executable name confirms prior execution and cannot be fabricated by the user after the fact.
PcaSvc entry — 0x42d000
- Inspect the PcaSvc registry keys for an entry corresponding to Traceless.exe with value 0x42d000.
- This entry is written at first execution and survives standard cleanup. Its presence is definitive evidence of execution.
Prefetch for Traceless.exe
- Check the Prefetch folder (C:\Windows\Prefetch) for a TRACELESS.EXE-*.pf entry.
- There is no legitimate process named Traceless.exe in any standard Windows or application installation.
Hash check — SHA-1
- If the binary is still present on the system, compute its SHA-1 hash and compare against 63f856cb2ff834b82782386b43858672c1f46037.
- A match confirms the known Traceless build. Submit to VirusTotal for additional context.
Process list — Traceless.exe
- Open Task Manager or System Informer and look for any running instance of Traceless.exe.
- If found, the cheat is currently active. Confirm the executable path — it is not associated with any legitimate Windows or third-party software component.
Detection summary
Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── PcaSvc / DPS timestamp Yes AppCompat / DPS log Prefetch (Traceless.exe) Usually C:\Windows\Prefetch Binary (Traceless.exe) No (if deleted) Filesystem search
Despite the product's name, Traceless leaves registry-backed forensic artifacts that cannot be removed without targeted registry editing. The DPS timestamp and PcaSvc entry are the most reliable indicators and should be checked first. Prefetch provides corroborating evidence. Investigators should not be misled by the absence of the binary itself or surface-level cleanup.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.