Cheat DetectionHighPublished

Macho Cheats FiveM cheat detection & forensic artifacts

Macho Cheats is a FiveM-targeted cheat loader that extracts its loader from a folder inside %TEMP% and uses a randomised executable name (Yb6ul.exe / alternate: mc.exe). It bundles libcurl.dll and injects fivem-internal.dll directly into the FiveM process, communicating with machocheats.com.

CR
Clubhouse AC Research
June 1, 2026 9 min read

Summary

  • Loader extracts to a folder inside %TEMP% containing Yb6ul.exe (or mc.exe), libcurl.dll, and fivem-internal.dll.
  • C2 domain machocheats.com observed in DNS cache, lsass.exe memory, and the FiveM game process simultaneously.
  • DiagTrack service memory and browser history provide additional corroborating artifacts beyond the core memory scan.
  • WinPrefetchView and journal trace confirm loader execution and DLL activity even after the %TEMP% folder is cleared.

Overview

Macho Cheats is a commercially distributed FiveM cheat loader. Its primary executable uses a randomised or obfuscated filename (Yb6ul.exe) alongside an alternate name mc.exe. The random name is regenerated per build, so detection should focus on behavioral artifacts rather than the specific filename.

The loader extracts its components — including a bundled libcurl.dll and an injection DLL named fivem-internal.dll — into a directory inside %TEMP% before execution. It communicates with machocheats.com and leaves artifacts across DNS, memory, DiagTrack, browser history, Prefetch, and the drive journal.

Sample metadata (IOC)

The following files were recovered and added to the research corpus. Three distinct components are tracked.

Main executable

Yb6ul.exe (mc.exe) — file indicatorsIOC
Name        Yb6ul.exe  (alternate: mc.exe)
Size        3,398,656 bytes (3.2 MB)

SHA-1       3c8491311c8f2436632745b35a6990bef5c43699

C2 domain   machocheats.com
  → Observed in: DNS cache, lsass.exe, FiveM_GTAProcess.exe

Bundled DLL

libcurl.dll — file indicatorsIOC
Name        libcurl.dll
Size        7,518,736 bytes (7.2 MB)

SHA-1       7eb00498b77d3c5bb75c85e7252fddca983dacb9

Injection DLL

fivem-internal.dll — injection targetIOC
Name        fivem-internal.dll
  → Injected directly into the FiveM process

Behavioral indicators

Randomised executable name (Yb6ul.exe / mc.exe)

The main loader uses a randomised or obfuscated filename (Yb6ul.exe) in addition to an alternate name mc.exe. The random name is regenerated per build. Focus on behavioral artifacts rather than the filename when confirming identity.

libcurl.dll bundled

The cheat ships with a bundled libcurl.dll. The presence of a libcurl.dll file alongside an unrecognised executable in a non-standard directory is a supporting indicator.

fivem-internal.dll

The injection DLL is named fivem-internal.dll — a name chosen to blend in with legitimate FiveM internal components. Its presence in any directory outside the official FiveM installation path is suspicious.

Loader folder in %TEMP%

Macho Cheats extracts and runs its loader from a folder inside %TEMP%. A directory created in %TEMP% containing Yb6ul.exe, mc.exe, libcurl.dll, or fivem-internal.dll is conclusive.

DiagTrack artifact

As with other loaders that inject broadly, Macho Cheats activity is visible in the DiagTrack service memory. This provides an additional corroborating indicator alongside the primary memory scans.

Memory artifacts

During an active Macho Cheats session, the C2 domain machocheats.com appears across three independent artifact sources simultaneously: the system DNS cache, LSASS process memory, and the FiveM game process working set. The DiagTrack service provides a fourth corroborating memory source.

DNS cache

The DNS resolver cache retains successful lookups for the duration of the TTL set by the authoritative server. Running ipconfig /displaydns or inspecting the cache through System Informer will show machocheats.com as a recently resolved entry.

lsass.exe memory

The C2 domain string appears in lsass.exe process memory — a system process whose memory space contains residual string artifacts from the injection or inter-process communication performed by the loader.

DiagTrack service

Macho Cheats injection artifacts are also visible in the DiagTrack service memory, providing an additional corroborating source beyond the primary lsass and FiveM process scans.

Browser history

Browser history showing visits to machocheats.com provides a further corroborating indicator that the cheat was acquired or accessed from the device being screenshared.

File artifacts

Macho Cheats leaves multiple file system artifacts that partially survive cleanup. The %TEMP% loader directory and its contents are the most immediate finding; Prefetch and journal records persist after the directory is cleared.

WinPrefetchView

Loader folder in %TEMP%

Prefetch

Journal trace

Screenshare check guide

Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active installs. Later steps cover machines where the user has attempted cleanup.

1

%TEMP% loader folder

  • Navigate to %TEMP% and look for a directory containing Yb6ul.exe, mc.exe, libcurl.dll, or fivem-internal.dll.
  • The presence of any of these files in a %TEMP% subdirectory is conclusive. The directory may have a randomised name.
2

Process name and path

  • Open System Informer and look for any running instance of Yb6ul.exe or mc.exe.
  • Check the full executable path — if it resides inside %TEMP%, this is the Macho Cheats loader. Also check for fivem-internal.dll loaded in the FiveM process module list.
3

DNS cache

  • Run ipconfig /displaydns or use System Informer's DNS section.
  • Search for machocheats.com. A cache hit confirms an outbound connection was made during the current or a recent session.
4

lsass memory scan

  • In System Informer, open lsass.exe and perform a string scan.
  • Search for machocheats.com. Any match confirms the loader was active during the current session.
5

FiveM memory scan

  • In System Informer, open FiveM_GTAProcess.exe and perform a string scan.
  • Search for machocheats.com and also check the module list for fivem-internal.dll.
6

DiagTrack

  • In System Informer, locate the DiagTrack service process and perform a string scan.
  • Macho Cheats injection artifacts appear in DiagTrack memory during an active session, providing a corroborating indicator.
7

Browser — machocheats.com

  • Check browser history for any visits to machocheats.com.
  • Browser history may be partially or fully cleared; use System Informer's browser history feature to supplement direct browser inspection.
8

Prefetch

  • Open WinPrefetchView or navigate to C:\Windows\Prefetch and look for entries for Yb6ul.exe or mc.exe.
  • Prefetch entries pointing to a %TEMP% path confirm loader execution even after the directory has been cleared.

Detection summary

Artifact matrix — Macho Cheats / Yb6ul.exeSummary
Artifact                              Survives cleanup?        Check location
────────────────────────────────────────────────────────────────────────────────────
Loader folder in %TEMP%               Until %TEMP% cleared     %TEMP% directory
libcurl.dll / fivem-internal.dll      Until deleted            %TEMP% loader directory
Prefetch (Yb6ul.exe / mc.exe)         Usually                  WinPrefetchView / Prefetch
DNS cache (machocheats.com)           Session-length           ipconfig /displaydns
C2 strings in lsass.exe               Only while running       Memory string scan
C2 strings in FiveM process           Only while running       Memory string scan
DiagTrack artifact                    Only while running       System Informer > DiagTrack
Browser history                       Partial                  Browser + Informer

The most immediately actionable indicators are the loader folder in %TEMP% and the Prefetch / journal records for the loader binaries. The %TEMP% directory contents are conclusive if not yet cleared. Prefetch entries survive %TEMP% cleanup and provide a reliable historical execution marker alongside the drive journal.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.