Summary
- Masquerades as cmd.exe — distinguish by execution path (real cmd.exe is always in System32 or SysWOW64).
- Drops TModule.dll to C:\TModule.dll — this path is anomalous and has no legitimate counterpart.
- C2 domain gm07-dc04.ouiheberg.com observed in DNS cache and LSASS memory during active sessions.
- SHA-256 01939a2b6ac191c4afb03884c0e6f172c2332c4e4bf4f516718b585541dd31c4.
Overview
Flyside is a FiveM cheat with a multi-indicator artifact footprint. It masquerades as cmd.exe — a process that is ubiquitous enough that users may not scrutinize it — but runs from a non-system path, distinguishing it from the legitimate Windows Command Prompt.
Flyside's most distinctive persistent artifact is TModule.dll dropped directly into the root of the C: drive (C:\TModule.dll). No legitimate Windows component or third-party application creates a DLL at the root of C:\ with this name. It is visible in a Journal Trace search and persists independently of the loader.
Sample metadata (IOC)
Name cmd.exe (masquerade — real cmd.exe is in System32)
Brand Flyside
SHA-256 01939a2b6ac191c4afb03884c0e6f172
c2332c4e4bf4f516718b585541dd31c4
Dropped C:\TModule.dll (no legitimate origin at this path)
C2 domain gm07-dc04.ouiheberg.com
→ Observed in: DNS cache, lsass.exeBehavioral indicators
TModule.dll in C:\ root
Flyside drops a file named TModule.dll directly into C:\. This location is immediately anomalous — no legitimate Windows component or application installer places DLLs at the root of the system drive. The file persists after the cheat exits and is visible in a Journal Trace search filtered for TModule.
cmd.exe masquerade
The legitimate Windows Command Prompt executable is located at C:\Windows\System32\cmd.exe or C:\Windows\SysWOW64\cmd.exe. Flyside runs a fake cmd.exe from a non-system path. In the process list or Prefetch, confirm the execution path — any cmd.exe outside System32/SysWOW64 is suspicious.
C2: gm07-dc04.ouiheberg.com
Flyside contacts gm07-dc04.ouiheberg.com for license validation and payload delivery. This domain is observable in the DNS cache and in LSASS process memory during an active session.
Screenshare check guide
TModule.dll Journal Trace
- Open a Journal Trace tool and search for TModule.
- A creation event for C:\TModule.dll is definitively Flyside — no legitimate software creates this file.
- Check whether the file still exists on disk at C:\TModule.dll.
DNS cache — gm07-dc04.ouiheberg.com
- Run ipconfig /displaydns or check System Informer's DNS section.
- Search for ouiheberg. A cache hit confirms an active C2 connection.
Process list — cmd.exe path
- In Task Manager or System Informer, check for any cmd.exe process running from outside C:\Windows\System32 or SysWOW64.
LSASS memory scan
- Scan lsass.exe memory strings for ouiheberg.
- The C2 domain string in LSASS confirms active injection.
File hash verification
- If the fake cmd.exe is present on disk, compute its SHA-256.
- Match against 01939a2b6ac191c4afb03884c0e6f172c2332c4e4bf4f516718b585541dd31c4.
Browser and Discord
- Check browser history and downloads for references to Flyside.
- In Discord, check User Settings → Authorized Apps.
Detection summary
Artifact Survives cleanup? Check location ───────────────────────────────────────────────────────────────────────────── C:\TModule.dll Yes (if not deleted) C:\ root / journal PcaSVC entry Yes AppCompat / DPS log DNS cache (gm07-dc04.ouiheberg.com) Session-length ipconfig /displaydns C2 strings in lsass.exe Only while running Memory string scan SHA-256 hash match Yes (file on disk) File system
The most immediately actionable indicator is C:\TModule.dll — a file that has no legitimate origin at the root of the C: drive. A Journal Trace search for this filename provides a persistent record even after the file is deleted.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.