Cheat DetectionHighPublished

420-Services FiveM cheat detection & forensic artifacts

420-Services is a FiveM cheat loader distributed as 420-services.exe. The distinctive brand name in the executable makes it trivially identifiable in Prefetch and process listings. SHA-1 888a2575b2a1d8e68ec50a9204eee52700ae168a provides unambiguous binary identification.

CR
Clubhouse AC Research
June 2, 2026 6 min read

Summary

  • Executable name 420-services.exe is distinctive — no legitimate software uses this name.
  • SHA-1 888a2575b2a1d8e68ec50a9204eee52700ae168a provides definitive binary identification.
  • PcaSVC and Prefetch records persist after execution.
  • Also associated with a PcaSVC offset of 0xb21000 in memory forensics.

Overview

420-Services is a FiveM cheat loader distributed under the self-branded executable name 420-services.exe. Unlike cheats that adopt generic or masquerading names, 420-Services uses a branded name that makes it immediately identifiable. No legitimate Windows service or application uses this filename.

The cheat is associated with a PcaSVC memory offset of 0xb21000, which has been observed in memory forensic investigations alongside the known SHA-1 hash.

Sample metadata (IOC)

420-services.exe — file indicatorsIOC
Name        420-services.exe

SHA-1       888a2575b2a1d8e68ec50a9204eee52700ae168a

PcaSVC      0xb21000

Behavioral indicators

Distinctive executable name

The filename 420-services.exe is specific to this cheat. Any Prefetch entry, process list entry, or AppCompat record referencing this name is definitively associated with 420-Services.

PcaSVC memory offset

During memory forensic analysis, 420-Services is associated with PcaSVC offset 0xb21000. This offset combined with the executable name provides a dual confirmation pathway in live memory investigations.

Screenshare check guide

1

Prefetch — 420-services.exe

  • Check C:\Windows\Prefetch for 420-SERVICES.EXE-*.pf.
  • Any match is definitive — this filename has no legitimate origin.
2

Process list

  • Check Task Manager or System Informer for a running 420-services.exe process.
3

File hash verification

  • If the file is present on disk, compute its SHA-1.
  • Match against 888a2575b2a1d8e68ec50a9204eee52700ae168a.
4

PcaSVC / AppCompat entry

  • Inspect the AppCompat PcaSVC log for an entry referencing 420-services.exe at offset 0xb21000.
5

Browser and Discord

  • Check browser history and downloads for references to 420-Services.
  • In Discord, check User Settings → Authorized Apps.

Detection summary

Artifact matrix — 420-ServicesSummary
Artifact                        Survives cleanup?   Check location
──────────────────────────────────────────────────────────────────────
PcaSVC entry (0xb21000)         Yes                 AppCompat / DPS log
Prefetch (420-services.exe)     Usually             C:\Windows\Prefetch
SHA-1 hash match                Yes (file on disk)  File system

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.