Cheat DetectionHighPublished

MrCheat / Turkish Kebab FiveM cheat detection & forensic artifacts

MrCheat (also marketed as Turkish Kebab) is a FiveM-targeted cheat loader distributed as Loader.exe. It communicates with api.mrcheat.api-ir for license validation. The binary carries a distinctive SHA-1 fingerprint and leaves a PcaSVC entry at offset 0x1b0000 as a persistent execution record.

CR
Clubhouse AC Research
June 2, 2026 7 min read

Summary

  • Distributed as Loader.exe — a generic name shared across many cheat loaders; distinguish by hash and C2.
  • C2 endpoint api.mrcheat.api-ir observed in LSASS memory and DNS cache during active sessions.
  • SHA-1 5c568ed13cae97ab5bb20fbe3e70032d610c4f2f provides unambiguous binary identification.
  • PcaSVC execution record survives user-side cleanup and confirms first execution time.

Overview

MrCheat, marketed under the alias Turkish Kebab, is a commercially distributed FiveM cheat. Its primary executable is named Loader.exe — a generic filename shared with many other loaders — making hash and C2 confirmation necessary for attribution. The loader contacts api.mrcheat.api-ir for license validation and payload delivery.

Because the filename is generic, Prefetch entries alone are insufficient for attribution. The C2 domain string appearing in LSASS memory or DNS cache combined with the SHA-1 hash provides definitive identification.

Sample metadata (IOC)

The following file was recovered and added to the research corpus.

Loader.exe — file indicatorsIOC
Name        Loader.exe
Alias       Turkish Kebab / MrCheat

SHA-1       5c568ed13cae97ab5bb20fbe3e70032d610c4f2f

C2 domain   api.mrcheat.api-ir
  → Observed in: DNS cache, lsass.exe

Behavioral indicators

C2 communication via api.mrcheat.api-ir

Upon execution, MrCheat contacts api.mrcheat.api-ir for license validation. This domain string is observable in the DNS cache and in LSASS process memory as a residual from injection or inter-process communication. The domain is not associated with any legitimate software.

Generic loader filename

The executable name Loader.exe is deliberately generic. A process list or Prefetch entry alone cannot attribute the file to MrCheat without hash confirmation or C2 observation. During a live session, check DNS and memory first; for post-session investigation, confirm the SHA-1 hash.

PcaSVC execution record

Windows Program Compatibility Assistant records a PcaSVC entry for Loader.exe at first execution. This entry persists in the AppCompat database and is not cleared by standard user-side cleanup. It provides a timestamp-anchored record of when the loader was first run.

Screenshare check guide

Work through these steps in order. Steps 1–2 are fastest during a live session. Steps 3–5 cover persistent artifacts for post-session investigation.

1

DNS cache — api.mrcheat.api-ir

  • Run ipconfig /displaydns or check System Informer's DNS section.
  • Search for mrcheat. A cache hit confirms an outbound connection during the current or recent session.
2

LSASS memory scan

  • In System Informer, scan lsass.exe memory strings for mrcheat.
  • The C2 domain string in LSASS confirms active loader injection.
3

Process list — Loader.exe

  • Check Task Manager or System Informer for a running Loader.exe process.
  • Note: many cheats use this name — confirm by checking the executable path and hash before attributing.
4

File hash verification

  • If Loader.exe is present on disk, compute its SHA-1.
  • Match against 5c568ed13cae97ab5bb20fbe3e70032d610c4f2f for definitive attribution to MrCheat.
5

PcaSVC / AppCompat entry

  • Inspect the AppCompat PcaSVC log for an entry referencing Loader.exe.
  • Cross-reference the timestamp and path with other indicators to confirm MrCheat attribution.
6

Browser and Discord

  • Check browser history and downloads for references to mrcheat or Turkish Kebab.
  • In Discord, check User Settings → Authorized Apps for related authorisations.

Detection summary

Artifact matrix — MrCheat / Loader.exeSummary
Artifact                          Survives cleanup?   Check location
──────────────────────────────────────────────────────────────────────────
PcaSVC entry (Loader.exe)         Yes                 AppCompat / DPS log
SHA-1 hash match                  Yes (file on disk)  File system
DNS cache (api.mrcheat.api-ir)    Session-length      ipconfig /displaydns
C2 strings in lsass.exe           Only while running  Memory string scan

The most actionable live indicator is the api.mrcheat.api-ir domain in DNS cache or LSASS memory. For post-session investigation, the SHA-1 hash provides unambiguous attribution if the file remains on disk.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.