Cheat DetectionHighPublished

Traceless FiveM cheat detection & forensic artifacts

Traceless is a FiveM-targeted cheat distributed as Traceless.exe. Despite branding that implies anti-forensic capability, the cheat leaves persistent DPS and PcaSvc artifacts that are irremovable without direct registry editing. Prefetch also survives basic cleanup attempts. The name is deliberately misleading.

CR
Clubhouse AC Research
June 2, 2026 7 min read

Summary

  • Despite the name “Traceless”, DPS and PcaSvc timestamps are irremovable without registry editing — the cheat's anti-forensic branding is a deliberate misdirection.
  • DPS first-seen timestamp of 2025/07/30 and PcaSvc entry 0x42d000 survive independently of user-side cleanup routines.
  • Prefetch for Traceless.exe survives basic cleanup and provides a persistent execution record.
  • If running, Traceless.exe is visible in the process list — no legitimate software uses this executable name.

Overview

Traceless is a commercially distributed FiveM cheat loader. Its primary executable is named Traceless.exe and weighs approximately 4.15 MB. The product name is a direct reference to anti-forensic capability — a marketing claim that does not hold up under forensic scrutiny.

Windows' Diagnostic Policy Service (DPS) and Program Compatibility Assistant (PcaSvc) both record a timestamp and entry at first execution that are stored in the registry and cannot be cleared by the same cleanup scripts that wipe Prefetch or browser history. A user who trusts the cheat's name and believes their system is clean will still carry these artifacts indefinitely. Prefetch additionally survives the most common cleanup approaches.

Sample metadata (IOC)

The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching.

Traceless.exe — file indicatorsIOC
Name        Traceless.exe
Size        4,353,536 bytes (4.15 MB)

SHA-256     128e13028f0f931d794f10374cbfdc1a550fc4590640e70763b941e09635c309
SHA-1       63f856cb2ff834b82782386b43858672c1f46037
MD5         9d198fba674f7ad4385ef51ee241d79e

First seen  2025/07/30  18:09:24 UTC  (DPS timestamp)
PcaSvc      0x42d000

The DPS timestamp of 2025/07/30 18:09:24 is written by the Windows Diagnostic Policy Service at first execution and cannot be cleared by routine cleanup. The PcaSvc entry 0x42d000 is similarly persistent.

Behavioral indicators

Misleading anti-forensic branding

The name Traceless is a deliberate marketing choice designed to reassure users that using the cheat will not leave forensic evidence on their system. This claim is false. Two registry-backed artifact classes — DPS timestamps and PcaSvc entries — are written at first execution and persist indefinitely unless the user edits the relevant registry keys directly.

This is forensically significant: a user who has attempted cleanup and believes their system is clean based on the product's name will still carry DPS and PcaSvc evidence of execution. Screenshare investigators should not be deterred by the absence of surface-level artifacts such as the binary itself or browser download history.

DPS and PcaSvc persistence

The Diagnostic Policy Service (DPS) logs program first-run timestamps in the Windows registry under the AppCompat telemetry path. The Program Compatibility Assistant service (PcaSvc) records a separate execution indicator. Both survive del operations, Prefetch clearing, and most third-party cleanup tools. Only targeted registry key deletion removes these entries — a step that itself may leave evidence of tampering.

Prefetch survivability

A Prefetch file for Traceless.exe will appear in C:\Windows\Prefetch following execution. While Prefetch can be cleared by an attentive user, it survives basic cleanup and provides corroborating evidence alongside the more persistent DPS and PcaSvc artifacts.

Screenshare check guide

Work through these steps in order. Steps 1 and 2 are registry-backed and cannot be cleared without direct registry editing. Steps 3–5 provide corroborating evidence.

1

DPS timestamp check for Traceless.exe

  • Use a DFIR tool to inspect the DPS log entries for Traceless.exe.
  • The known DPS timestamp is 2025/07/30 18:09:24. Any DPS entry for this executable name confirms prior execution and cannot be fabricated by the user after the fact.
2

PcaSvc entry — 0x42d000

  • Inspect the PcaSvc registry keys for an entry corresponding to Traceless.exe with value 0x42d000.
  • This entry is written at first execution and survives standard cleanup. Its presence is definitive evidence of execution.
3

Prefetch for Traceless.exe

  • Check the Prefetch folder (C:\Windows\Prefetch) for a TRACELESS.EXE-*.pf entry.
  • There is no legitimate process named Traceless.exe in any standard Windows or application installation.
4

Hash check — SHA-1

  • If the binary is still present on the system, compute its SHA-1 hash and compare against 63f856cb2ff834b82782386b43858672c1f46037.
  • A match confirms the known Traceless build. Submit to VirusTotal for additional context.
5

Process list — Traceless.exe

  • Open Task Manager or System Informer and look for any running instance of Traceless.exe.
  • If found, the cheat is currently active. Confirm the executable path — it is not associated with any legitimate Windows or third-party software component.

Detection summary

Artifact matrix — Traceless / Traceless.exeSummary
Artifact                          Survives cleanup?   Check location
──────────────────────────────────────────────────────────────────────────
PcaSvc / DPS timestamp            Yes                 AppCompat / DPS log
Prefetch (Traceless.exe)          Usually             C:\Windows\Prefetch
Binary (Traceless.exe)            No (if deleted)     Filesystem search

Despite the product's name, Traceless leaves registry-backed forensic artifacts that cannot be removed without targeted registry editing. The DPS timestamp and PcaSvc entry are the most reliable indicators and should be checked first. Prefetch provides corroborating evidence. Investigators should not be misled by the absence of the binary itself or surface-level cleanup.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.