Cheat DetectionHighPublished

Keyser FiveM cheat detection & forensic artifacts

Keyser is a FiveM-targeted cheat loader distributed as loader.exe (16.2 MB). It drops a DLL into the legitimate Windows C:\Windows\IME\ directory, creates memory dump files in unusual locations, and communicates with api.keyser-dashboard.com — a string that appears in both DNS cache and lsass.exe memory.

CR
Clubhouse AC Research
June 1, 2026 9 min read

Summary

  • Keyser drops a DLL into C:\Windows\IME\ — a legitimate Windows Input Method Editor directory rarely written to by normal software.
  • Memory dump (.dmp) files are created in unusual locations outside C:\Windows\Minidump — visible in Journal Trace and directory listings.
  • C2 domain api.keyser-dashboard.com observed in DNS cache and lsass.exe memory during active sessions.
  • DPS first-seen timestamp (2025-07-13 03:47:46) and PcaSVC entry survive independently of any user-side cleanup.

Overview

Keyser is a commercially distributed FiveM cheat loader. Its primary executable is loader.exe, weighing approximately 16.2 MB. The loader connects to api.keyser-dashboard.com for license validation and payload delivery.

Keyser takes the unusual step of writing a DLL into C:\Windows\IME\, a system directory associated with Windows Input Method Editor functionality that is almost never written to by third-party software. This placement is likely chosen to avoid attracting attention in standard directory monitors. The DLL drop is visible in a Journal Trace search filtered for IME.

Sample metadata (IOC)

The following file was recovered and added to the research corpus. Hash values are provided for cross-platform matching.

loader.exe — file indicatorsIOC
Name        loader.exe
Size        16,971,264 bytes (16.2 MB)

SHA-1       d6a7a2e49016a246ebdd507b9356433c41c4f07f
MD5         26f1a7039ba43c8e1b1b0bd5677c7bee

First seen  2025-07-13  03:47:46 UTC  (DPS timestamp)
PcaSVC      0x1ef1000

C2 domain   api.keyser-dashboard.com
  → Observed in: DNS cache, lsass.exe

The DPS timestamp of 2025-07-13 03:47:46 is written by the Windows Program Compatibility Assistant service at first execution and cannot be cleared by the same cleanup routines that wipe Prefetch or browser history.

Behavioral indicators

1. DLL dropped in C:\Windows\IME

Keyser drops a DLL file into C:\Windows\IME\, a legitimate Windows Input Method Editor directory that is rarely written to by normal software. Any recently-created or unrecognised DLL in this directory is a strong indicator of Keyser activity. This drop is visible in a Journal Trace when searching for IME path entries.

2. Crash dump (.dmp) files

Keyser creates .dmp (memory dump) files as part of its operation, likely for crash reporting or anti-analysis purposes. These files are visible in the Journal Trace and in the directory where Keyser writes them. Look for recently created .dmp files in unusual locations outside C:\Windows\Minidump.

Memory artifacts

During an active Keyser session, the C2 domain api.keyser-dashboard.com appears in the system DNS cache and in lsass.exe process memory.

DNS cache

Running ipconfig /displaydns or inspecting the cache through System Informer will show api.keyser-dashboard.com as a recently resolved entry. A cache hit confirms an outbound connection was made during the current or a recent session.

lsass.exe memory

The C2 domain string appears in lsass.exe process memory — a system process whose memory space contains residual string artifacts from the injection or inter-process communication performed by the loader. A memory string scan of lsass.exe for keyser-dashboard.com confirms active cheat operation.

File artifacts

Beyond the IME DLL drop and .dmp files, Keyser leaves a Prefetch record for loader.exe that is most efficiently examined using WinPrefetchView, which displays the full execution path recorded inside the Prefetch file.

Screenshare check guide

Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active or recently-used installs. Steps 3–7 cover machines where the user has attempted a manual cleanup.

1

C:\Windows\IME DLL check

  • Navigate to C:\Windows\IME\ in Windows Explorer or File Explorer with hidden files visible.
  • Look for any DLL file that does not belong to a legitimate Windows IME component. Sort by date modified and look for recent additions that do not match standard Windows IME filenames.
  • Any unrecognised DLL in this directory is a strong indicator of Keyser activity.
2

.dmp files journal trace

  • Run a Journal Trace on the system drive and filter for entries containing .dmp in paths outside C:\Windows\Minidump.
  • Also search the Journal Trace for IME path entries to locate the DLL write event with its timestamp.
3

DNS cache

  • Run ipconfig /displaydns in Command Prompt or use System Informer's DNS section.
  • Search the output for keyser-dashboard.com or api.keyser-dashboard.com. A cache hit confirms an outbound connection was made during the current or a recent session.
4

lsass.exe memory scan (while running)

  • If the session is still active, perform a string scan in System Informer on the lsass.exe process.
  • Search for keyser-dashboard.com. A hit confirms active C2 communication from within lsass memory space.
5

DPS / PcaSVC timestamp

  • Use a DFIR tool to inspect the PcaSVC and DPS log entries for loader.exe.
  • The DPS timestamp of 2025-07-13 03:47:46 and PcaSVC token 0x1ef1000 correspond to the known build. Any loader.exe PcaSVC entry with an unusual path warrants investigation.
6

Prefetch via WinPrefetchView

  • Open WinPrefetchView or navigate to C:\Windows\Prefetch and look for LOADER.EXE-*.pf.
  • WinPrefetchView will display the full executable path recorded in the Prefetch file. Confirm the path is not a legitimate software loader.
7

Browser / Discord

  • Check browser history and downloads for any traffic to or files downloaded from keyser-dashboard.com or related domains.
  • In Discord, check User Settings → Authorized Apps for any Keyser or related application authorisation.

Detection summary

Artifact matrix — Keyser / loader.exeSummary
Artifact                           Survives cleanup?   Check location
────────────────────────────────────────────────────────────────────────────
PcaSVC / DPS timestamp             Yes                 AppCompat / DPS log
DLL in C:\Windows\IME              Yes                 IME directory / journal trace
.dmp files (unusual location)      Yes                 Journal trace / directory search
Prefetch (loader.exe)              Usually             WinPrefetchView / C:\Windows\Prefetch
DNS cache (api.keyser-dashboard)   Session-length      ipconfig /displaydns
C2 strings in lsass.exe            Only while running  Memory string scan

The most immediately actionable indicators are the DLL in C:\Windows\IME and the DPS/PcaSVC timestamp for loader.exe. The IME directory drop is highly unusual and requires no specialist tooling to verify. The DPS timestamp provides a reliable historical first-seen marker that cannot be cleared without registry editing.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.