Bypass Detection·Jun 2, 2026

Genesis Bypass: pwahelper.exe with Genesis-Rework Hook PDB String

Genesis masquerades as pwahelper.exe — a browser Progressive Web App component — while carrying a fully intact PDB path string of Genesis-Rework\loader\x64\Release\hook.pdb in the release build. The forgotten debug artifact makes this one of the easiest bypasses to identify via strings analysis alone.

FiveMBypass DetectionPDB ArtifactYARApwahelper.exe

Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.

Overview

Genesis is a FiveM bypass loader built around a browser component masquerade. The filenamepwahelper.exe is associated with Progressive Web App (PWA) support infrastructure in Chromium-based browsers — Edge, Chrome, and Electron applications all ship variants of this helper binary. The goal of using this name is to create ambient confusion: a reviewer who sees pwahelper.exe in a process list or file listing may assume it belongs to a browser and move on without investigation.

The masquerade is immediately undermined by one critical oversight: the developer shipped the release build without stripping the PDB path from the binary. The stringC:\Users\8888\Desktop\Genesis-Rework\loader\x64\Release\hook.pdb is present verbatim in the binary. "Genesis-Rework" appears to be the project name — possibly a rebuild or fork of an earlier Genesis loader variant — and "hook.pdb" confirms this is the hooking component of the loader chain rather than a supporting utility.

The binary is 462.50 KB (473,600 bytes), a 64-bit PE executable. Its compact size is consistent with a focused injection hook rather than a full-featured loader with embedded payloads. The import table confirms this: VirtualAllocEx, VirtualFreeEx, WriteProcessMemory, and GetExitCodeThread are all present — this is the classic userland DLL injection API set. The binary allocates memory in a remote process, writes the payload, and executes it.

The YARA imphash for this sample is 599253441bf17fc669123598807625dc. Imphash is computed from the import table and provides a fingerprint that is stable across binaries compiled from the same source with the same imports, even if the binary's content differs in other respects. Matching on imphash can surface builds not yet catalogued by their SHA-256.

Primary IOCs

1

File Hash — SHA-256, SHA-1, MD5, and VirusTotal

SHA-256: 93780adffbda11803c3a6f40730403d09495dd85877700503894f48c1e36a958

SHA-1: 7d4324a0ecaf898627d41fec3141be840dc2393e

MD5: 877d471006155daf5614bf60de06a629

Submit the SHA-256 to VirusTotal immediately when this sample is encountered. Detection coverage for this binary has been established across multiple AV engines. A high VT detection rate combined with a filename of pwahelper.exe found outside of a known browser installation path is conclusive evidence of bypass activity.

2

pwahelper.exe Path Anomaly — Outside Browser Directories

Legitimate pwahelper.exe instances reside within specific browser installation directories:

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\[version]\
C:\Program Files\Google\Chrome\Application\[version]\
C:\Users\[user]\AppData\Local\Microsoft\Edge\Application\[version]\

Any pwahelper.exe found outside of these paths — on the Desktop, in AppData root, in a game directory, or in any ad-hoc folder — is not a browser component. The file size is also a quick discriminator: legitimate Edge/Chrome pwahelper binaries are typically under 2 MB; the Genesis sample is 462.50 KB, within that range but with a very different import profile.

3

PDB String Discovery via DIE or strings Analysis

The most definitive non-hash identification method is extracting the PDB path string from the binary. In Detect-It-Easy, open the file and navigate to the Strings section. Filter for ".pdb" — the stringGenesis-Rework\loader\x64\Release\hook.pdb will appear in the output.

Alternatively, use Sysinternals Strings.exe:strings64.exe -n 10 pwahelper.exe | findstr /i "genesis pdb hook". The presence of "Genesis-Rework" in a file named pwahelper.exe is an immediate and unambiguous identification — no further analysis is required to confirm the file is malicious.

4

DPS Timestamp — 2026/03/21:08:18:16

The PE TimeDateStamp is 2026/03/21 at 08:18:16 UTC, approximately 13 hours before the Stainless bypass documented in the adjacent report — suggesting active bypass development activity on the same date across multiple operators. The PcaSvc offset is 0x79000, consistent with the binary's small footprint.

A pwahelper.exe with a compile timestamp from March 2026 should be treated as suspect unless it can be positively identified as a browser update artifact — verifiable by checking the browser's own version history and whether an update was applied on that date.

5

PcaSvc Entry — Offset 0x79000

Check AppCompatFlags registry keys for PcaSvc entries referencing pwahelper.exe. The offset0x79000 in binary data within the registry value corresponding to a pwahelper.exe entry outside of a browser path confirms execution of this specific build.

PcaSvc records are created at first execution and persist until the registry key is manually cleared. Even if the player has deleted the pwahelper.exe file, the PcaSvc entry documents that it was run on this system — providing post-deletion forensic evidence suitable for ban enforcement.

6

YARA Imphash — 599253441bf17fc669123598807625dc

The imphash 599253441bf17fc669123598807625dc is computed from the binary's import address table. A YARA rule targeting this imphash will match any binary compiled from the same source with the same imports, regardless of surface-level changes to the binary's content, packing, or filename. This makes it particularly useful for identifying future Genesis builds that retain the same core injection API set.

YARA rule fragment:condition: pe.imphash() == "599253441bf17fc669123598807625dc"Combine with the PDB string rule for maximum specificity. The union of both conditions should have a near-zero false positive rate against any clean binary corpus.

PDB Strings as Reliable YARA Anchors

PDB (Program Database) files are generated by the Visual C++ compiler and linker to store debug symbol information including source file paths, variable names, and line numbers. In release builds, the PDB file itself is typically not distributed — but the path to that PDB file is embedded in the PE binary in the .rdata or debug directory section. This path reflects the developer's local filesystem at compile time.

For a YARA analyst, a PDB path string has several highly desirable properties as a detection anchor. First, it is highly specific: the combination of developer username, project directory name, and subpath is essentially unique to one developer's machine and one project. Second, it is stable across builds: unless the developer explicitly strips PDB references (a deliberate compilation flag) or restructures their project directory, the string remains identical across every binary built from that project. Third, it survives most packing attempts: packers that compress or encrypt the binary's code section typically do not process the debug directory, leaving PDB strings readable in plaintext in the packed binary.

The Genesis-Rework PDB path is an exceptionally strong anchor. The stringGenesis-Rework does not appear in any known legitimate application. A YARA rule matching on this substring will never produce a false positive against a clean system and will catch every build from this project until the developer renames their working directory — a change they may not think to make if they are unaware that the PDB path is embedded in their binary.

The developer username "8888" visible in the pathC:\Users\8888\ is unusual — a four-digit numeric username suggests either a deliberately anonymized development account or a locale-specific naming convention. This username is stable across all builds from this machine and can be used as an additional YARA condition for attribution purposes.

Bypass developers who become aware of PDB path exposure typically respond by adding the /PDBSTRIPPED linker flag or using a build step that zeros the debug directory. Until Genesis-Rework developers implement this measure, the PDB string remains the most reliable and forensically defensible identification method for this bypass family.

Screenshare Check Methodology

1

Search for pwahelper.exe Outside Browser Paths

Ask the player to open PowerShell and run:

Get-ChildItem -Path C:\ -Filter "pwahelper.exe" -Recurse -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime, Length

Review each result. Any pwahelper.exe not located within a versioned browser application directory is anomalous and should be hashed immediately. The file size (462.50 KB / 473,600 bytes) distinguishes the Genesis sample from legitimate browser pwahelper builds, which typically differ in size.

2

Extract PDB String with Strings.exe or DIE

For any suspicious pwahelper.exe, ask the player to run Detect-It-Easy or Sysinternals Strings.exe. In DIE, open the file and view the Strings output filtered to ".pdb". In Strings.exe:

strings64.exe pwahelper.exe | findstr /i "genesis rework hook pdb"

If the Genesis-Rework PDB path appears in the output, the identification is complete. Screenshot the full string output for documentation. No hash comparison is needed once this string is confirmed — it is uniquely identifying on its own.

3

Inspect the Import Table for Injection APIs

Open the suspicious pwahelper.exe in CFF Explorer, pestudio, or DIE and navigate to the Imports section. Look for the presence of all four documented injection APIs: VirtualAllocEx, VirtualFreeEx, WriteProcessMemory, and GetExitCodeThread.

A legitimate pwahelper.exe has no need for remote process memory allocation or write primitives. The presence of this import combination in a pwahelper binary is functionally impossible to explain as legitimate behavior and constitutes independent confirmation of malicious intent without requiring the PDB string or hash match.

4

Check PE Timestamp and PcaSvc Registry

Verify the PE compile timestamp in DIE's info panel. A value of 2026/03/21 08:18:16 confirms the Genesis sample. Cross-reference with PcaSvc registry entries: open regedit and search inHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags for any entry referencing a pwahelper.exe outside of browser paths.

If the player claims the file is old and was not recently executed, the PcaSvc record will still show the execution timestamp. The absence of a corresponding browser update on that date in the browser's own history further confirms the execution was not part of a legitimate browser update workflow.

5

Compute SHA-256 and Cross-Reference Hash Database

Run:

Get-FileHash "path\to\pwahelper.exe" -Algorithm SHA256

Compare against the documented hash93780adffbda11803c3a6f40730403d09495dd85877700503894f48c1e36a958. Also submit to VirusTotal for community detection coverage. Any VT result showing high-confidence bypass-family detections on a file the player cannot legitimately explain confirms the infraction. Document the VT URL and detection summary alongside the hash and PDB string evidence.

Detection Notes

Genesis is unusual in the bypass landscape because it provides three overlapping, independent detection surfaces that all survive hash rotation: the PDB string, the imphash, and the path anomaly pattern. A new build would need to simultaneously strip PDB references, change the injection API set, and modify the filename strategy to defeat all three. That level of coordinated evasion would constitute a substantial rewrite rather than a routine build rotation.

The pwahelper.exe masquerade is plausible in environments where reviewers are not methodical about path verification. Chromium-based browsers are nearly ubiquitous on Windows gaming PCs, and the mental model of "browser helper = safe" is deeply ingrained in non-technical users. Reviewers must establish a practice of always checking the full path of any process or file with a browser-sounding name, not just the filename itself.

The compact 462.50 KB file size warrants note: this binary is a hook/injection component, not a standalone bypass. There is likely a companion loader or installer that drops this file and orchestrates the injection. A complete investigation should attempt to identify the parent process that launched pwahelper.exe, as that parent process is likely the primary bypass loader and may carry additional IOCs not present in this component alone.