Summary
- Cracked build runs as keycheese — a distinctive executable name that will not be confused with any legitimate application.
- DLL dropped into C:\Windows\IME\ — identical behavior to the official Keyser build, providing a persistent file artifact.
- C2 domain api.keyser-lts.com observed in DNS cache, lsass.exe memory, and the FiveM game process. This domain distinguishes the cracked build from the official loader (api.keyser-dashboard.com).
- DPS first-seen timestamp (2025-04-23 23:50:33) and PcaSVC token 0x1797000 provide a reliable historical execution record.
Overview
This page documents the cracked/leaked build of the Keyser cheat, which uses a different C2 domain (api.keyser-lts.com) and a different executable (keycheese) than the official Keyser loader. The two builds share behavioral patterns — most notably the DLL drop into C:\Windows\IME\ — but are distinct binaries.
The cracked build weighs approximately 11.7 MB and its distinctive executable name makes it straightforward to identify in Prefetch records, journal traces, and running process lists. If DNS or memory scans show keyser-lts.com, this confirms the cracked build specifically.
Sample metadata (IOC)
The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching.
Name keycheese Size 12,283,904 bytes (11.7 MB) SHA-256 eba3ffbab0d338f7aeac72ae41785cebac3b6371f517c5dd4c506f8121db1850 SHA-1 d4310e90104844482fdfc647a5d62117f6ea875d MD5 80111b3d79a5f87df4b77554ba69348f First seen 2025-04-23 23:50:33 UTC (DPS timestamp) PcaSVC 0x1797000 C2 domain api.keyser-lts.com / keyser-lts.com → Observed in: DNS cache, lsass.exe, FiveM_GTAProcess.exe
The DPS timestamp of 2025-04-23 23:50:33 is written by the Windows Program Compatibility Assistant service at first execution and cannot be cleared by the same cleanup routines that wipe Prefetch or browser history.
Behavioral indicators
DLL dropped in C:\Windows\IME
Identical behavior to the official Keyser loader. A DLL is dropped into C:\Windows\IME\. This is visible via Journal Trace when searching for IME and by directly inspecting the directory. No legitimate Windows or FiveM component writes additional DLLs to this directory during normal operation.
Executable name — keycheese
The cracked build's executable name (keycheese) is distinctive and unlikely to be confused with a legitimate application. Any instance of keycheese.exe in Prefetch, journal traces, or running processes is conclusive.
Separate C2 domain from official build
The cracked build communicates with api.keyser-lts.com rather than api.keyser-dashboard.com used by the official loader. If DNS or memory scans show keyser-lts.com, this is the cracked build specifically.
Memory artifacts
During an active session, the C2 domain api.keyser-lts.com and the root domain keyser-lts.com appear across three independent artifact sources simultaneously: the system DNS cache, LSASS process memory, and the FiveM game process working set.
DNS cache
The DNS resolver cache retains successful lookups for the duration of the TTL set by the authoritative server. Running ipconfig /displaydns or inspecting the cache through System Informer will show api.keyser-lts.com as a recently resolved entry.
lsass.exe memory
The C2 domain string appears in lsass.exe process memory — a system process whose memory space contains residual string artifacts from the injection or inter-process communication performed by the loader.
FiveM game process
The C2 domain is also present within the FiveM_GTAProcess.exe working set, confirming that the cracked Keyser build injects into or communicates directly with the game process.
File artifacts
The Keyser cracked build leaves several persistent file system artifacts. The most distinctive is the DLL written to C:\Windows\IME\, which survives session cleanup. Prefetch and journal records for keycheese provide further historical confirmation.
IME folder
Prefetch
Journal trace
Loader UI
The cracked build's loader interface is identical to the official Keyser build. Screenshots of the loader open on screen are useful reference points during a screenshare.
Screenshare check guide
Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active or recently-used installs. Later steps cover machines where the user has attempted a manual cleanup.
keycheese — Prefetch and journal check
- Check the Prefetch folder (C:\Windows\Prefetch) for a KEYCHEESE.EXE-*.pf entry, or use WinPrefetchView to search by name.
- Run a drive C: journal trace and search for keycheese. Any journal entry confirms loader execution.
C:\Windows\IME DLL check
- Navigate to C:\Windows\IME\ and inspect the directory for any DLL files that are not part of the standard Windows IME installation.
- Also run a journal trace searching for IME to capture any write events to this directory.
DNS cache
- Run ipconfig /displaydns or use System Informer's DNS section.
- Search for keyser-lts.com or api.keyser-lts.com. A cache hit confirms the cracked build specifically — the official build uses api.keyser-dashboard.com.
lsass memory scan
- In System Informer, open lsass.exe and perform a string scan.
- Search for keyser-lts.com. Any match confirms the cracked loader was active during the current session.
FiveM memory scan
- In System Informer, open FiveM_GTAProcess.exe and perform a string scan.
- Search for api.keyser-lts.com. A hit confirms active injection into the game process.
DPS / PcaSVC timestamp
- Use a DFIR tool to inspect the PcaSVC and DPS log entries for keycheese.
- The known first-seen DPS timestamp for this build is 2025-04-23 23:50:33 UTC with PcaSVC token 0x1797000. This record cannot be cleared by standard user-side cleanup.
Loader UI screenshot check
- Check recent screenshots, taskbar thumbnails, or clipboard history for any images showing the Keyser loader interface.
- The cracked build's UI is identical to the official build. Its presence in any screenshot or window history is conclusive regardless of whether the binary has been deleted.
Detection summary
Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── PcaSVC / DPS timestamp Yes AppCompat / DPS log DLL in C:\Windows\IME Yes IME directory / journal Prefetch (keycheese) Usually C:\Windows\Prefetch DNS cache (keyser-lts.com) Session-length ipconfig /displaydns C2 strings in lsass.exe Only while running Memory string scan C2 strings in FiveM process Only while running Memory string scan
The most immediately actionable persistent indicators are the DLL in C:\Windows\IME\, the Prefetch record for keycheese, and the DPS/PcaSVC timestamp. All three survive standard user-side cleanup. The distinctive executable name keycheese makes Prefetch and journal confirmation fast and unambiguous.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.