Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.
Overview
Club44 is an older FiveM anti-cheat bypass whose most distinctive characteristic is not its technical injection method but a feature visible in its own user interface: a button explicitly labelled “Clean Traces.” The presence of this button in the bypass loader confirms that its developer was fully aware that running the bypass creates forensic artifacts, and deliberately built an automated cleanup routine into the product to assist users in evading detection during screenshare checks.
The bypass masquerades as two highly recognisable installer names: SteamSetup.exe and WinRARSetup.exe. Both are plausible on any gaming PC — Steam is ubiquitous in the FiveM player base, and WinRAR is among the most-downloaded utilities worldwide. These names reduce suspicion in browser download history, prefetch entries, and BAM registry records during casual review.
With only 16 out of 70 VirusTotal engine detections, Club44 has a lower AV detection rate than many contemporary bypasses. This makes hash-based identification via the known SHA-256 f1d96aca4ddb6b317e43e2cc599ce69f32a2c41a1c1adf94312da48269536fc2 especially important, as heuristic AV coverage alone cannot be relied upon to flag this sample. Authentication is performed through eauth.us.to, the same infrastructure observed in the Spotless bypass, suggesting shared developer infrastructure or a common authentication service provider in the FiveM bypass market.
Primary IOCs
Hash identification — SHA-256 and VirusTotal 16/70
Hash any suspicious file named SteamSetup.exe or WinRARSetup.exe that is not located in an official Steam or WinRAR installation path. Run certutil -hashfile <path> SHA256 and compare against f1d96aca4ddb6b317e43e2cc599ce69f32a2c41a1c1adf94312da48269536fc2. Submit to VirusTotal — the 16/70 detection spread will be visible, and the behaviour sandbox report will show the eauth.us.to network connection and any file system operations performed.
SteamSetup.exe / WinRARSetup.exe filename anomaly
The genuine Steam installer is named SteamSetup.exe and is downloaded from store.steampowered.com. Any copy of this filename outside of a browser download folder (e.g., on the Desktop, in AppData, or in a gaming cheat directory) should be treated as suspicious. Check its digital signature: the real Steam installer is signed by Valve Corporation. The Club44 masquerade will be unsigned or carry a generic or missing signature. Right-click the file → Properties → Digital Signatures to verify.
Likewise, the authentic WinRAR installer is signed by win.rar GmbH. Any unsigned copy of WinRARSetup.exe is anomalous.
eauth.us.to C2 in DNS cache and lsass memory
Run ipconfig /displaydns | findstr /i "eauth"in an elevated Command Prompt. Then open System Informer as administrator, locate lsass.exe, open its Memory tab, and search for the string eauth. The Club44 authentication module contacts eauth.us.to during its license check, producing both a DNS cache entry and a memory string artifact in lsass. Either indicator alone is sufficient to confirm that a bypass using eauth.us.to infrastructure was active in the current session.
Note: the Spotless bypass also uses eauth.us.to. When this domain is observed, both Club44 and Spotless should be considered in the analysis. Hash confirmation distinguishes between them.
Loader UI 'Clean Traces' button identification
If the bypass loader is still running during the screenshare, its UI will be visible and will contain a “Clean Traces” button. The presence of this button in the running application is an unambiguous IOC — document it with a screenshot immediately. Even if the user has already clicked the button before the screenshare, the button's existence in the binary's resources can be confirmed by opening the executable in Resource Hacker or DIE and inspecting the dialog resources.
If the loader is not currently running but the binary is on disk, the dialog resource containing the “Clean Traces” string will be present in the PE resource section and is extractable without executing the binary.
Journal Trace entries — installation and cleanup artifacts
Run fsutil usn readjournal C: csv > journal.csvand filter for entries matching SteamSetup, WinRARSetup, and any other file operations timestamped around the suspected bypass use window. If the user pressed the “Clean Traces” button, the journal may contain deletion records for files the bypass attempted to remove — the act of deletion is itself recorded in the journal, creating an ironic confirmation artifact: the cleanup left a record of its own operation.
The 'Clean Traces' Problem
The “Clean Traces” button in the Club44 loader UI represents an important forensic principle: the act of attempting to remove evidence is itself evidence. A user who clicks this button before a screenshare has confirmed two things: first, that they knowingly ran a bypass that they understood would leave forensic artifacts; and second, that they were aware of and used the cleanup functionality, demonstrating intent to conceal.
The cleanup routine that the button executes is not comprehensive. It cannot clear all artifact layers simultaneously. In practice, investigators consistently find residual indicators even after the button has been pressed:
- The eauth.us.to string in lsass.exe memory persists until reboot — the cleanup routine does not and cannot clear another process's allocated memory pages without privileged memory overwrite operations that would themselves leave traces.
- The NTFS USN change journal records every file deletion the cleanup performs, creating deletion records for each artifact removed. These journal entries document the cleanup operation and its timestamp.
- The BAM registry key entry for the bypass executable persists until the BAM state is manually cleared — the cleanup routine typically does not touch the BAM hive because doing so requires writing to a system-owned registry location.
- If prefetch is enabled, the prefetch file for the bypass executable will be updated (not deleted) by the most recent run, preserving execution history.
In summary: a user who presses “Clean Traces” has not erased the evidence — they have rearranged it. The investigation methodology must account for the post-cleanup artifact state, which differs from a never-cleaned machine but still contains confirming indicators across multiple independent channels.
Detection Notes
Club44's low VirusTotal detection count (16/70) means that relying on AV scanning alone will produce false negatives in the majority of engine coverage. Hash-based identification must be the primary confirmation method for static analysis. The known SHA-256 should be cross-checked against VirusTotal at the start of every Club44-suspected investigation.
The shared eauth.us.to infrastructure with Spotless means that when eauth.us.to is confirmed in DNS cache or lsass memory, both bypass families should be considered. The digital signature check on the masquerade executable (unsigned vs. Valve-signed) and the hash check provide the disambiguation.
The “Clean Traces” button is the most conceptually important IOC in this bypass family. Legitimate software — including legitimate installers for Steam and WinRAR — does not include forensic cleanup functionality. Its mere existence in the binary, visible in dialog resources without execution, proves deliberate anti-forensic design intent and is conclusive evidence that the software was purpose-built to evade post-hoc detection.