Cheat DetectionHighPublished

Flyside FiveM cheat detection & forensic artifacts

Flyside is a FiveM cheat that masquerades as cmd.exe, drops TModule.dll directly into the root of C:\, and communicates with C2 gm07-dc04.ouiheberg.com. Its SHA-256 is 01939a2b6ac191c4afb03884c0e6f172c2332c4e4bf4f516718b585541dd31c4.

CR
Clubhouse AC Research
June 2, 2026 8 min read

Summary

  • Masquerades as cmd.exe — distinguish by execution path (real cmd.exe is always in System32 or SysWOW64).
  • Drops TModule.dll to C:\TModule.dll — this path is anomalous and has no legitimate counterpart.
  • C2 domain gm07-dc04.ouiheberg.com observed in DNS cache and LSASS memory during active sessions.
  • SHA-256 01939a2b6ac191c4afb03884c0e6f172c2332c4e4bf4f516718b585541dd31c4.

Overview

Flyside is a FiveM cheat with a multi-indicator artifact footprint. It masquerades as cmd.exe — a process that is ubiquitous enough that users may not scrutinize it — but runs from a non-system path, distinguishing it from the legitimate Windows Command Prompt.

Flyside's most distinctive persistent artifact is TModule.dll dropped directly into the root of the C: drive (C:\TModule.dll). No legitimate Windows component or third-party application creates a DLL at the root of C:\ with this name. It is visible in a Journal Trace search and persists independently of the loader.

Sample metadata (IOC)

Flyside — file indicatorsIOC
Name        cmd.exe  (masquerade — real cmd.exe is in System32)
Brand       Flyside

SHA-256     01939a2b6ac191c4afb03884c0e6f172
            c2332c4e4bf4f516718b585541dd31c4

Dropped     C:\TModule.dll  (no legitimate origin at this path)

C2 domain   gm07-dc04.ouiheberg.com
  → Observed in: DNS cache, lsass.exe

Behavioral indicators

TModule.dll in C:\ root

Flyside drops a file named TModule.dll directly into C:\. This location is immediately anomalous — no legitimate Windows component or application installer places DLLs at the root of the system drive. The file persists after the cheat exits and is visible in a Journal Trace search filtered for TModule.

cmd.exe masquerade

The legitimate Windows Command Prompt executable is located at C:\Windows\System32\cmd.exe or C:\Windows\SysWOW64\cmd.exe. Flyside runs a fake cmd.exe from a non-system path. In the process list or Prefetch, confirm the execution path — any cmd.exe outside System32/SysWOW64 is suspicious.

C2: gm07-dc04.ouiheberg.com

Flyside contacts gm07-dc04.ouiheberg.com for license validation and payload delivery. This domain is observable in the DNS cache and in LSASS process memory during an active session.

Screenshare check guide

1

TModule.dll Journal Trace

  • Open a Journal Trace tool and search for TModule.
  • A creation event for C:\TModule.dll is definitively Flyside — no legitimate software creates this file.
  • Check whether the file still exists on disk at C:\TModule.dll.
2

DNS cache — gm07-dc04.ouiheberg.com

  • Run ipconfig /displaydns or check System Informer's DNS section.
  • Search for ouiheberg. A cache hit confirms an active C2 connection.
3

Process list — cmd.exe path

  • In Task Manager or System Informer, check for any cmd.exe process running from outside C:\Windows\System32 or SysWOW64.
4

LSASS memory scan

  • Scan lsass.exe memory strings for ouiheberg.
  • The C2 domain string in LSASS confirms active injection.
5

File hash verification

  • If the fake cmd.exe is present on disk, compute its SHA-256.
  • Match against 01939a2b6ac191c4afb03884c0e6f172c2332c4e4bf4f516718b585541dd31c4.
6

Browser and Discord

  • Check browser history and downloads for references to Flyside.
  • In Discord, check User Settings → Authorized Apps.

Detection summary

Artifact matrix — FlysideSummary
Artifact                              Survives cleanup?   Check location
─────────────────────────────────────────────────────────────────────────────
C:\TModule.dll                         Yes (if not deleted) C:\ root / journal
PcaSVC entry                          Yes                 AppCompat / DPS log
DNS cache (gm07-dc04.ouiheberg.com)   Session-length      ipconfig /displaydns
C2 strings in lsass.exe               Only while running  Memory string scan
SHA-256 hash match                    Yes (file on disk)  File system

The most immediately actionable indicator is C:\TModule.dll — a file that has no legitimate origin at the root of the C: drive. A Journal Trace search for this filename provides a persistent record even after the file is deleted.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.