Cheat DetectionHighPublished

Susano FiveM cheat detection & forensic artifacts

Susano is a FiveM-targeted cheat loader distributed as lemon.exe. It injects into the FiveM game process, communicates with a C2 endpoint at api.susano.re, and employs an active stealth mode that purges Prefetch entries and generates randomly-named DLL staging folders on the system drive to evade detection. This page documents all known forensic artifacts and provides a step-by-step screenshare check guide.

CR
Clubhouse AC Research
June 1, 2026 10 min read

Summary

  • C2 domain api.susano.re found resident in lsass.exe (14 string matches) and svchost.exe (4 matches) during active sessions.
  • FiveM process working set inflated by ~40 MB over baseline (115 MB+ vs. ~75 MB clean) with injected WCX-protected memory regions.
  • Stealth mode actively deletes Prefetch entries — an empty Prefetch Journal Trace record is a reliable indicator of activation.
  • USN Journal preserves lemon.exe file-system events even after stealth mode cleans Prefetch.

Overview

Susano is a commercially sold FiveM cheat loader. Its primary executable is named lemon.exe and weighs approximately 26.6 MB. Once launched, it injects code into the running FiveM game process and establishes an outbound connection to api.susano.re for license validation and feature delivery.

Susano includes a dedicated stealth mode that attempts to erase execution evidence after use. Despite this, several artifact categories survive the cleanup sweep and provide reliable detection signals across Discord, browser history, the Windows USN Journal, process memory, and the NVIDIA application registry.

Sample metadata (IOC)

The following file was recovered and submitted to the research corpus. Hash values can be used to match the exact build across scanning platforms.

lemon.exe — file indicatorsIOC
Name        lemon.exe
Size        27,938,605 bytes (26.6 MB)

SHA-256     67d49298255a2a1bd44cbcea4d6a7fa99ae9f08459e613bb7db3122fb355b4f9
SHA-1       cdcb51288fb44d2a2365a0b201cffe072286519e
MD5         696b84dad66424ff8c92a6fd0a34481b

First seen  2025-04-17  14:46:56 UTC  (DPS timestamp)
PcaSVC      0x3bbd000

C2 domain   api.susano.re
  → Observed in: lsass.exe, svchost.exe, FiveM_GTAProcess.exe

The DPS (Program Compatibility Assistant service) timestamp of 2025-04-17 14:46:56 records the first time Windows registered execution of this build. It is written automatically by PcaSvc and persists independently of the cheat's own cleanup routines, making it a reliable first-seen marker even after Prefetch has been wiped.

Behavioral indicators

Stealth mode — Prefetch deletion

Susano's stealth mode actively deletes Prefetch entries for its own executables after injection completes. When performing a Journal Trace on the Prefetch folder, an entirely empty result set is the primary indicator that stealth mode was invoked — legitimate Prefetch folders always contain entries for recently executed processes.

Despite this, the USN Journal record for lemon.exe itself is not erased (see USN Journal evidence), and the PcaSVC AppCompatFlags entry survives independently.

Random-name staging folders

During injection, Susano generates DLL payloads inside randomly-named folders on the root of the system drive (e.g., C:\xk9m2r\, C:\a7b2k9\). These folders contain the staged DLLs and, conditionally, a favorites.cfg configuration file. The folders are created rapidly at injection time and are the most visible on-disk artifact left after stealth mode runs.

The favorites.cfg file is only written when the user explicitly saves their in-cheat settings — it will not be present on every machine. Running a Journal Trace with the filter favorites is the fastest way to locate it if it exists.

FiveM working set inflation

Susano inflates the memory footprint of the FiveM game process (FiveM_GTAProcess.exe) by injecting additional code sections. The injected regions are identifiable in System Informer by their WCX (Write / Copy / Execute) memory protection flags — a combination that is not produced by the legitimate FiveM runtime.

~75 MB

Clean FiveM baseline (Total WS)

115 MB+

Susano-injected FiveM (Total WS)

~40 MB

Injected overhead (delta)

Memory artifacts

Live memory scans on an active Susano session show the C2 domain string api.susano.re resident in multiple unrelated system processes. This cross-process presence is characteristic of a loader that uses reflective injection or shellcode stubs that carry the domain string as an embedded constant.

lsass.exe — 14 string matches

The Windows Local Security Authority (lsass.exe) process is not a target of the cheat, but its memory pages show 14 instances of the C2 domain across two base addresses. The string variants observed include api.susano.re0Y0, api.susano.re0, and api.susano.re.

svchost.exe — 4 string matches

A svchost.exe instance (PID 1796) shows 4 additional matches of the C2 domain across two separate base addresses. The presence in a service host process is consistent with a loader that enumerates or targets multiple host processes during injection.

USN Journal evidence

The NTFS USN (Update Sequence Number) Change Journal records file-system events independently of Prefetch and is not targeted by Susano's stealth mode sweep. The following records were recovered from a subject machine after stealth mode had already cleared the Prefetch folder:

USN Journal — lemon.exe eventsEvidence
USN             Name        Date / Time
────────────────────────────────────────────────
24893964120     lemon.exe   28.04.2025  16:01:19
24893964200     lemon.exe   28.04.2025  16:01:19
24893964832     lemon.exe   28.04.2025  16:01:21

Three sequential records within two seconds confirm file system activity for lemon.exe. The cluster of events in a short window is consistent with initial file write, attribute change (e.g., execution flag), and close operations — matching the execution pattern of a loader writing a staged copy before running it.

Screenshare check guide

The following steps constitute a systematic screenshare (SS) investigation for Susano. Work through each section in order — earlier checks are faster and may provide enough evidence on their own, but the later steps are needed to catch stealth-mode-cleaned machines.

1

Discord & browser

  • In Discord, navigate to User Settings → Authorized Apps and check whether any application named Susano or referencing susano.re appears in the list.
  • Open the browser history and review both page visits and downloaded files. Search for susano.re and inspect any matching entries for downloaded executables or installer files.
2

Explorer & Journal Trace (drive C:)

  • Search drive C: for the file favorites.cfg. Susano writes its user configuration to this filename inside a randomly-named staging folder.
  • Run a Journal Trace on drive C: with favorites as the search term to locate the exact folder path. The folder name will be a short random alphanumeric string (e.g., C:\a7b2k9\).
  • If the folder is found, note its full path — it confirms a Susano install even if the executables have been removed. Be aware that the config folder is only present when the user actively saved their settings.
3

System Informer

  • Open System Informer and navigate to Explorer (section 5). Select all entries and search for hwid.exe — Susano ships a hardware ID utility under this name.
  • Switch to Browser (section 4), select all entries, and search for susano.re to surface any cached or residual browser data not visible in standard history.
4

NVIDIA Control Panel & Data Usage

  • Open the NVIDIA Control Panel and navigate to the Add application section. Scroll through the full list of registered executables and look for any suspicious or unrecognised entries — Susano may register itself here to persist NVIDIA overlay state across sessions.
  • Open Windows Settings → Network & Internet → Data Usage and search for Lemon.exe. Any recorded network usage confirms the loader was executed and made outbound connections.
5

Prefetch folder Journal Trace

  • Run a Journal Trace specifically targeting the Prefetch folder (C:\Windows\Prefetch).
  • If the result is completely empty — no records returned — this is a strong indicator that Susano's stealth mode was activated and actively deleted the folder contents. An empty Prefetch Journal record does not occur under normal Windows operation.
6

FiveM working set (System Informer)

  • Open System Informer and locate the FiveM_GTAProcess.exe process.
  • Switch to the Memory tab and check the Total WS (Working Set) value.
  • Compare against the baseline table below. If Total WS significantly exceeds 75 MB, inspect the individual memory regions for entries with WCX (Write / Copy / Execute) protection — these are the injected code segments.
FiveM Total WS baseline vs. injected
State              Total WS    Signal
─────────────────────────────────────
Clean FiveM        ~75 MB      None
Susano injected    115 MB+     WCX regions present
7

USN Journal — lemon.exe

  • Run a Journal Trace on drive C: with the term lemon. Even if Prefetch and Amcache have been cleared, USN records for lemon.exe will remain unless the entire change journal was purged (a far more aggressive and detectable action).
  • Three or more USN events within a few seconds confirm loader execution via the file write / attribute-change / close sequence.

Detection summary

Artifact matrix — Susano / lemon.exeSummary
Artifact                     Survives stealth mode?   Check location
───────────────────────────────────────────────────────────────────────
PcaSVC AppCompat timestamp   Yes                      Registry / DPS log
USN Journal (lemon.exe)      Yes                      Drive C: journal trace
favorites.cfg folder         Yes (if settings saved)  Random root folder on C:
Prefetch entries             No  (wiped)              Absence is the signal
Browser history (susano.re)  Partial                  Browser + Informer
Discord Authorized Apps      Partial                  Discord settings
NVIDIA app registry          Often                    NVIDIA Control Panel
FiveM WS inflation           Only while running       System Informer memory tab
C2 strings in memory         Only while running       Memory string scan
Data Usage (lemon.exe)       Yes                      Windows Settings

The most reliable post-cleanup indicators are the PcaSVC timestamp, the USN Journal records for lemon.exe, and the absence of Prefetch records (which is itself the signal when stealth mode has run). A complete check combining all seven steps above has no known blind spots against the current build.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.