Summary
- Distributed as Loader.exe — a generic name shared across many cheat loaders; distinguish by hash and C2.
- C2 endpoint api.mrcheat.api-ir observed in LSASS memory and DNS cache during active sessions.
- SHA-1 5c568ed13cae97ab5bb20fbe3e70032d610c4f2f provides unambiguous binary identification.
- PcaSVC execution record survives user-side cleanup and confirms first execution time.
Overview
MrCheat, marketed under the alias Turkish Kebab, is a commercially distributed FiveM cheat. Its primary executable is named Loader.exe — a generic filename shared with many other loaders — making hash and C2 confirmation necessary for attribution. The loader contacts api.mrcheat.api-ir for license validation and payload delivery.
Because the filename is generic, Prefetch entries alone are insufficient for attribution. The C2 domain string appearing in LSASS memory or DNS cache combined with the SHA-1 hash provides definitive identification.
Sample metadata (IOC)
The following file was recovered and added to the research corpus.
Name Loader.exe Alias Turkish Kebab / MrCheat SHA-1 5c568ed13cae97ab5bb20fbe3e70032d610c4f2f C2 domain api.mrcheat.api-ir → Observed in: DNS cache, lsass.exe
Behavioral indicators
C2 communication via api.mrcheat.api-ir
Upon execution, MrCheat contacts api.mrcheat.api-ir for license validation. This domain string is observable in the DNS cache and in LSASS process memory as a residual from injection or inter-process communication. The domain is not associated with any legitimate software.
Generic loader filename
The executable name Loader.exe is deliberately generic. A process list or Prefetch entry alone cannot attribute the file to MrCheat without hash confirmation or C2 observation. During a live session, check DNS and memory first; for post-session investigation, confirm the SHA-1 hash.
PcaSVC execution record
Windows Program Compatibility Assistant records a PcaSVC entry for Loader.exe at first execution. This entry persists in the AppCompat database and is not cleared by standard user-side cleanup. It provides a timestamp-anchored record of when the loader was first run.
Screenshare check guide
Work through these steps in order. Steps 1–2 are fastest during a live session. Steps 3–5 cover persistent artifacts for post-session investigation.
DNS cache — api.mrcheat.api-ir
- Run ipconfig /displaydns or check System Informer's DNS section.
- Search for mrcheat. A cache hit confirms an outbound connection during the current or recent session.
LSASS memory scan
- In System Informer, scan lsass.exe memory strings for mrcheat.
- The C2 domain string in LSASS confirms active loader injection.
Process list — Loader.exe
- Check Task Manager or System Informer for a running Loader.exe process.
- Note: many cheats use this name — confirm by checking the executable path and hash before attributing.
File hash verification
- If Loader.exe is present on disk, compute its SHA-1.
- Match against 5c568ed13cae97ab5bb20fbe3e70032d610c4f2f for definitive attribution to MrCheat.
PcaSVC / AppCompat entry
- Inspect the AppCompat PcaSVC log for an entry referencing Loader.exe.
- Cross-reference the timestamp and path with other indicators to confirm MrCheat attribution.
Browser and Discord
- Check browser history and downloads for references to mrcheat or Turkish Kebab.
- In Discord, check User Settings → Authorized Apps for related authorisations.
Detection summary
Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────────── PcaSVC entry (Loader.exe) Yes AppCompat / DPS log SHA-1 hash match Yes (file on disk) File system DNS cache (api.mrcheat.api-ir) Session-length ipconfig /displaydns C2 strings in lsass.exe Only while running Memory string scan
The most actionable live indicator is the api.mrcheat.api-ir domain in DNS cache or LSASS memory. For post-session investigation, the SHA-1 hash provides unambiguous attribution if the file remains on disk.
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.