Summary
- Loader extracts to a folder inside %TEMP% containing Yb6ul.exe (or mc.exe), libcurl.dll, and fivem-internal.dll.
- C2 domain machocheats.com observed in DNS cache, lsass.exe memory, and the FiveM game process simultaneously.
- DiagTrack service memory and browser history provide additional corroborating artifacts beyond the core memory scan.
- WinPrefetchView and journal trace confirm loader execution and DLL activity even after the %TEMP% folder is cleared.
Overview
Macho Cheats is a commercially distributed FiveM cheat loader. Its primary executable uses a randomised or obfuscated filename (Yb6ul.exe) alongside an alternate name mc.exe. The random name is regenerated per build, so detection should focus on behavioral artifacts rather than the specific filename.
The loader extracts its components — including a bundled libcurl.dll and an injection DLL named fivem-internal.dll — into a directory inside %TEMP% before execution. It communicates with machocheats.com and leaves artifacts across DNS, memory, DiagTrack, browser history, Prefetch, and the drive journal.
Sample metadata (IOC)
The following files were recovered and added to the research corpus. Three distinct components are tracked.
Main executable
Name Yb6ul.exe (alternate: mc.exe) Size 3,398,656 bytes (3.2 MB) SHA-1 3c8491311c8f2436632745b35a6990bef5c43699 C2 domain machocheats.com → Observed in: DNS cache, lsass.exe, FiveM_GTAProcess.exe
Bundled DLL
Name libcurl.dll Size 7,518,736 bytes (7.2 MB) SHA-1 7eb00498b77d3c5bb75c85e7252fddca983dacb9
Injection DLL
Name fivem-internal.dll → Injected directly into the FiveM process
Behavioral indicators
Randomised executable name (Yb6ul.exe / mc.exe)
The main loader uses a randomised or obfuscated filename (Yb6ul.exe) in addition to an alternate name mc.exe. The random name is regenerated per build. Focus on behavioral artifacts rather than the filename when confirming identity.
libcurl.dll bundled
The cheat ships with a bundled libcurl.dll. The presence of a libcurl.dll file alongside an unrecognised executable in a non-standard directory is a supporting indicator.
fivem-internal.dll
The injection DLL is named fivem-internal.dll — a name chosen to blend in with legitimate FiveM internal components. Its presence in any directory outside the official FiveM installation path is suspicious.
Loader folder in %TEMP%
Macho Cheats extracts and runs its loader from a folder inside %TEMP%. A directory created in %TEMP% containing Yb6ul.exe, mc.exe, libcurl.dll, or fivem-internal.dll is conclusive.
DiagTrack artifact
As with other loaders that inject broadly, Macho Cheats activity is visible in the DiagTrack service memory. This provides an additional corroborating indicator alongside the primary memory scans.
Memory artifacts
During an active Macho Cheats session, the C2 domain machocheats.com appears across three independent artifact sources simultaneously: the system DNS cache, LSASS process memory, and the FiveM game process working set. The DiagTrack service provides a fourth corroborating memory source.
DNS cache
The DNS resolver cache retains successful lookups for the duration of the TTL set by the authoritative server. Running ipconfig /displaydns or inspecting the cache through System Informer will show machocheats.com as a recently resolved entry.
lsass.exe memory
The C2 domain string appears in lsass.exe process memory — a system process whose memory space contains residual string artifacts from the injection or inter-process communication performed by the loader.
DiagTrack service
Macho Cheats injection artifacts are also visible in the DiagTrack service memory, providing an additional corroborating source beyond the primary lsass and FiveM process scans.
Browser history
Browser history showing visits to machocheats.com provides a further corroborating indicator that the cheat was acquired or accessed from the device being screenshared.
File artifacts
Macho Cheats leaves multiple file system artifacts that partially survive cleanup. The %TEMP% loader directory and its contents are the most immediate finding; Prefetch and journal records persist after the directory is cleared.
WinPrefetchView
Loader folder in %TEMP%
Prefetch
Journal trace
Screenshare check guide
Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active installs. Later steps cover machines where the user has attempted cleanup.
%TEMP% loader folder
- Navigate to %TEMP% and look for a directory containing Yb6ul.exe, mc.exe, libcurl.dll, or fivem-internal.dll.
- The presence of any of these files in a %TEMP% subdirectory is conclusive. The directory may have a randomised name.
Process name and path
- Open System Informer and look for any running instance of Yb6ul.exe or mc.exe.
- Check the full executable path — if it resides inside %TEMP%, this is the Macho Cheats loader. Also check for fivem-internal.dll loaded in the FiveM process module list.
DNS cache
- Run ipconfig /displaydns or use System Informer's DNS section.
- Search for machocheats.com. A cache hit confirms an outbound connection was made during the current or a recent session.
lsass memory scan
- In System Informer, open lsass.exe and perform a string scan.
- Search for machocheats.com. Any match confirms the loader was active during the current session.
FiveM memory scan
- In System Informer, open FiveM_GTAProcess.exe and perform a string scan.
- Search for machocheats.com and also check the module list for fivem-internal.dll.
DiagTrack
- In System Informer, locate the DiagTrack service process and perform a string scan.
- Macho Cheats injection artifacts appear in DiagTrack memory during an active session, providing a corroborating indicator.
Browser — machocheats.com
- Check browser history for any visits to machocheats.com.
- Browser history may be partially or fully cleared; use System Informer's browser history feature to supplement direct browser inspection.
Prefetch
- Open WinPrefetchView or navigate to C:\Windows\Prefetch and look for entries for Yb6ul.exe or mc.exe.
- Prefetch entries pointing to a %TEMP% path confirm loader execution even after the directory has been cleared.
Detection summary
Artifact Survives cleanup? Check location ──────────────────────────────────────────────────────────────────────────────────── Loader folder in %TEMP% Until %TEMP% cleared %TEMP% directory libcurl.dll / fivem-internal.dll Until deleted %TEMP% loader directory Prefetch (Yb6ul.exe / mc.exe) Usually WinPrefetchView / Prefetch DNS cache (machocheats.com) Session-length ipconfig /displaydns C2 strings in lsass.exe Only while running Memory string scan C2 strings in FiveM process Only while running Memory string scan DiagTrack artifact Only while running System Informer > DiagTrack Browser history Partial Browser + Informer
The most immediately actionable indicators are the loader folder in %TEMP% and the Prefetch / journal records for the loader binaries. The %TEMP% directory contents are conclusive if not yet cleared. Prefetch entries survive %TEMP% cleanup and provide a reliable historical execution marker alongside the drive journal.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.