Cheat DetectionHighPublished

Keyser (Cracked Build) FiveM cheat detection & forensic artifacts

The Keyser cracked build runs as keycheese and communicates with api.keyser-lts.com — a separate C2 from the official Keyser loader. It drops a DLL into C:\Windows\IME\, sharing this behavior with the official build, and leaves reliable traces in DNS cache, LSASS memory, the FiveM game process, and drive journal records.

CR
Clubhouse AC Research
June 1, 2026 9 min read

Summary

  • Cracked build runs as keycheese — a distinctive executable name that will not be confused with any legitimate application.
  • DLL dropped into C:\Windows\IME\ — identical behavior to the official Keyser build, providing a persistent file artifact.
  • C2 domain api.keyser-lts.com observed in DNS cache, lsass.exe memory, and the FiveM game process. This domain distinguishes the cracked build from the official loader (api.keyser-dashboard.com).
  • DPS first-seen timestamp (2025-04-23 23:50:33) and PcaSVC token 0x1797000 provide a reliable historical execution record.

Overview

This page documents the cracked/leaked build of the Keyser cheat, which uses a different C2 domain (api.keyser-lts.com) and a different executable (keycheese) than the official Keyser loader. The two builds share behavioral patterns — most notably the DLL drop into C:\Windows\IME\ — but are distinct binaries.

The cracked build weighs approximately 11.7 MB and its distinctive executable name makes it straightforward to identify in Prefetch records, journal traces, and running process lists. If DNS or memory scans show keyser-lts.com, this confirms the cracked build specifically.

Sample metadata (IOC)

The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching.

keycheese — file indicatorsIOC
Name        keycheese
Size        12,283,904 bytes (11.7 MB)

SHA-256     eba3ffbab0d338f7aeac72ae41785cebac3b6371f517c5dd4c506f8121db1850
SHA-1       d4310e90104844482fdfc647a5d62117f6ea875d
MD5         80111b3d79a5f87df4b77554ba69348f

First seen  2025-04-23  23:50:33 UTC  (DPS timestamp)
PcaSVC      0x1797000

C2 domain   api.keyser-lts.com / keyser-lts.com
  → Observed in: DNS cache, lsass.exe, FiveM_GTAProcess.exe

The DPS timestamp of 2025-04-23 23:50:33 is written by the Windows Program Compatibility Assistant service at first execution and cannot be cleared by the same cleanup routines that wipe Prefetch or browser history.

Behavioral indicators

DLL dropped in C:\Windows\IME

Identical behavior to the official Keyser loader. A DLL is dropped into C:\Windows\IME\. This is visible via Journal Trace when searching for IME and by directly inspecting the directory. No legitimate Windows or FiveM component writes additional DLLs to this directory during normal operation.

Executable name — keycheese

The cracked build's executable name (keycheese) is distinctive and unlikely to be confused with a legitimate application. Any instance of keycheese.exe in Prefetch, journal traces, or running processes is conclusive.

Separate C2 domain from official build

The cracked build communicates with api.keyser-lts.com rather than api.keyser-dashboard.com used by the official loader. If DNS or memory scans show keyser-lts.com, this is the cracked build specifically.

Memory artifacts

During an active session, the C2 domain api.keyser-lts.com and the root domain keyser-lts.com appear across three independent artifact sources simultaneously: the system DNS cache, LSASS process memory, and the FiveM game process working set.

DNS cache

The DNS resolver cache retains successful lookups for the duration of the TTL set by the authoritative server. Running ipconfig /displaydns or inspecting the cache through System Informer will show api.keyser-lts.com as a recently resolved entry.

lsass.exe memory

The C2 domain string appears in lsass.exe process memory — a system process whose memory space contains residual string artifacts from the injection or inter-process communication performed by the loader.

FiveM game process

The C2 domain is also present within the FiveM_GTAProcess.exe working set, confirming that the cracked Keyser build injects into or communicates directly with the game process.

File artifacts

The Keyser cracked build leaves several persistent file system artifacts. The most distinctive is the DLL written to C:\Windows\IME\, which survives session cleanup. Prefetch and journal records for keycheese provide further historical confirmation.

IME folder

Prefetch

Journal trace

Loader UI

The cracked build's loader interface is identical to the official Keyser build. Screenshots of the loader open on screen are useful reference points during a screenshare.

Screenshare check guide

Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active or recently-used installs. Later steps cover machines where the user has attempted a manual cleanup.

1

keycheese — Prefetch and journal check

  • Check the Prefetch folder (C:\Windows\Prefetch) for a KEYCHEESE.EXE-*.pf entry, or use WinPrefetchView to search by name.
  • Run a drive C: journal trace and search for keycheese. Any journal entry confirms loader execution.
2

C:\Windows\IME DLL check

  • Navigate to C:\Windows\IME\ and inspect the directory for any DLL files that are not part of the standard Windows IME installation.
  • Also run a journal trace searching for IME to capture any write events to this directory.
3

DNS cache

  • Run ipconfig /displaydns or use System Informer's DNS section.
  • Search for keyser-lts.com or api.keyser-lts.com. A cache hit confirms the cracked build specifically — the official build uses api.keyser-dashboard.com.
4

lsass memory scan

  • In System Informer, open lsass.exe and perform a string scan.
  • Search for keyser-lts.com. Any match confirms the cracked loader was active during the current session.
5

FiveM memory scan

  • In System Informer, open FiveM_GTAProcess.exe and perform a string scan.
  • Search for api.keyser-lts.com. A hit confirms active injection into the game process.
6

DPS / PcaSVC timestamp

  • Use a DFIR tool to inspect the PcaSVC and DPS log entries for keycheese.
  • The known first-seen DPS timestamp for this build is 2025-04-23 23:50:33 UTC with PcaSVC token 0x1797000. This record cannot be cleared by standard user-side cleanup.
7

Loader UI screenshot check

  • Check recent screenshots, taskbar thumbnails, or clipboard history for any images showing the Keyser loader interface.
  • The cracked build's UI is identical to the official build. Its presence in any screenshot or window history is conclusive regardless of whether the binary has been deleted.

Detection summary

Artifact matrix — Keyser cracked build / keycheeseSummary
Artifact                          Survives cleanup?   Check location
──────────────────────────────────────────────────────────────────────────
PcaSVC / DPS timestamp            Yes                 AppCompat / DPS log
DLL in C:\Windows\IME             Yes                 IME directory / journal
Prefetch (keycheese)              Usually             C:\Windows\Prefetch
DNS cache (keyser-lts.com)        Session-length      ipconfig /displaydns
C2 strings in lsass.exe           Only while running  Memory string scan
C2 strings in FiveM process       Only while running  Memory string scan

The most immediately actionable persistent indicators are the DLL in C:\Windows\IME\, the Prefetch record for keycheese, and the DPS/PcaSVC timestamp. All three survive standard user-side cleanup. The distinctive executable name keycheese makes Prefetch and journal confirmation fast and unambiguous.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.