Summary
- Executable name 420-services.exe is distinctive — no legitimate software uses this name.
- SHA-1 888a2575b2a1d8e68ec50a9204eee52700ae168a provides definitive binary identification.
- PcaSVC and Prefetch records persist after execution.
- Also associated with a PcaSVC offset of 0xb21000 in memory forensics.
Overview
420-Services is a FiveM cheat loader distributed under the self-branded executable name 420-services.exe. Unlike cheats that adopt generic or masquerading names, 420-Services uses a branded name that makes it immediately identifiable. No legitimate Windows service or application uses this filename.
The cheat is associated with a PcaSVC memory offset of 0xb21000, which has been observed in memory forensic investigations alongside the known SHA-1 hash.
Sample metadata (IOC)
Name 420-services.exe SHA-1 888a2575b2a1d8e68ec50a9204eee52700ae168a PcaSVC 0xb21000
Behavioral indicators
Distinctive executable name
The filename 420-services.exe is specific to this cheat. Any Prefetch entry, process list entry, or AppCompat record referencing this name is definitively associated with 420-Services.
PcaSVC memory offset
During memory forensic analysis, 420-Services is associated with PcaSVC offset 0xb21000. This offset combined with the executable name provides a dual confirmation pathway in live memory investigations.
Screenshare check guide
Prefetch — 420-services.exe
- Check C:\Windows\Prefetch for 420-SERVICES.EXE-*.pf.
- Any match is definitive — this filename has no legitimate origin.
Process list
- Check Task Manager or System Informer for a running 420-services.exe process.
File hash verification
- If the file is present on disk, compute its SHA-1.
- Match against 888a2575b2a1d8e68ec50a9204eee52700ae168a.
PcaSVC / AppCompat entry
- Inspect the AppCompat PcaSVC log for an entry referencing 420-services.exe at offset 0xb21000.
Browser and Discord
- Check browser history and downloads for references to 420-Services.
- In Discord, check User Settings → Authorized Apps.
Detection summary
Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────── PcaSVC entry (0xb21000) Yes AppCompat / DPS log Prefetch (420-services.exe) Usually C:\Windows\Prefetch SHA-1 hash match Yes (file on disk) File system
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.