Cheat DetectionHighPublished

HX Software FiveM cheat detection & forensic artifacts

HX Software is a FiveM-targeted cheat loader that runs under the generic name updated.exe to blend in as a routine software update process. It communicates with api.hxsoftwares.com, leaving reliable traces across DNS cache, LSASS memory, and the FiveM game process simultaneously, as well as a persistent journal trace artifact.

CR
Clubhouse AC Research
June 1, 2026 8 min read

Summary

  • Loader runs as updated.exe — a generic name designed to impersonate routine software update processes and avoid casual inspection.
  • C2 domains api.hxsoftwares.com and hxsoftwares.com appear simultaneously in DNS cache, lsass.exe memory, and the FiveM game process.
  • Journal Trace records updated.exe file system activity that persists after session cleanup.
  • DPS first-seen timestamp (2025-04-07 16:07:09) and PcaSVC token 0xf93000 provide a reliable historical execution record.

Overview

HX Software is a commercially distributed FiveM cheat loader. Its primary executable is named updated.exe — a deliberate choice to impersonate a generic software update process and avoid detection in a basic process listing. The binary weighs approximately 7.9 MB and connects to api.hxsoftwares.com for license validation and payload delivery.

HX Software leaves several distinctive artifacts visible during a screenshare: the C2 domain appears across all three standard memory artifact sources simultaneously, and the journal trace captures file system activity associated with updated.exe that survives standard user-side cleanup.

Sample metadata (IOC)

The following file was recovered and added to the research corpus. All hash values are provided for cross-platform matching.

updated.exe — file indicatorsIOC
Name        updated.exe
Size        8,291,840 bytes (7.9 MB)

SHA-256     b421fab6652baa707329981f268a0e2c1c2e16550c113aa87d8227a848ee9d64
SHA-1       a8c34a1c4974478225a4370f51ea975fd30ab4ec
SHA-512     caed84a60b47807ffcdf980c565b590d37702804c46713e51bcbc73059636ab3
            0ed492587435b36a5f81cc775ca891777e00c3410617d5fa827d9910b8343f79
MD5         5a5ccb8dd06e456a377f22b48c0298f7

First seen  2025-04-07  16:07:09 UTC  (DPS timestamp)
PcaSVC      0xf93000

C2 domain   api.hxsoftwares.com / hxsoftwares.com
  → Observed in: DNS cache, lsass.exe, FiveM_GTAProcess.exe

The DPS timestamp of 2025-04-07 16:07:09 is written by the Windows Program Compatibility Assistant service at first execution and cannot be cleared by the same cleanup routines that wipe Prefetch or browser history.

Behavioral indicators

Process name — updated.exe

The loader uses the generic name updated.exe, designed to blend in as a routine software update process. Any updated.exe running outside a known software update framework (Windows Update, a vendor's update service) should be treated as suspicious. Check the full executable path in System Informer — a legitimate updater will reside under a vendor's program folder, not in user-writable locations like %AppData% or %Temp%.

C2 across all three artifact sources

api.hxsoftwares.com and hxsoftwares.com appear simultaneously in DNS cache, lsass.exe memory, and the FiveM game process. This cross-source presence is a strong, multi-layered indicator. Observing the domain in any single source warrants further investigation; finding it across all three in the same session is conclusive.

Memory artifacts

During an active HX Software session, the C2 domain api.hxsoftwares.com and the root domain hxsoftwares.com appear across three independent artifact sources simultaneously: the system DNS cache, LSASS process memory, and the FiveM game process working set.

DNS cache

The DNS resolver cache retains successful lookups for the duration of the TTL set by the authoritative server. Running ipconfig /displaydns or inspecting the cache through System Informer will show api.hxsoftwares.com and hxsoftwares.com as recently resolved entries.

lsass.exe memory

The C2 domain string appears in lsass.exe process memory — a system process whose memory space contains residual string artifacts from the injection or inter-process communication performed by the loader.

FiveM game process

The C2 domain is also present within the FiveM_GTAProcess.exe working set, confirming that HX Software injects into or communicates directly with the game process.

File artifacts

Beyond memory, HX Software leaves file system artifacts that survive session termination. The most reliable of these is the Journal Trace record of updated.exe activity on the drive.

Screenshare check guide

Work through these steps in order. Steps 1 and 2 are the fastest and will catch most active or recently-used installs. Steps 3–6 cover machines where the user has attempted a manual cleanup.

1

Process name check — updated.exe path

  • Open System Informer and look for any running instance of updated.exe.
  • If found, verify the full executable path. A legitimate software updater runs from a vendor's program directory. Any updated.exe in %AppData%, %Temp%, the Desktop, or any other user-writable path should be treated as the HX Software loader.
2

DNS cache

  • Run ipconfig /displaydns in Command Prompt, or use System Informer's DNS section.
  • Search the output for hxsoftwares.com or api.hxsoftwares.com. A cache hit confirms an outbound connection was made during the current or a recent session.
3

lsass memory scan

  • In System Informer, open the lsass.exe process and perform a string scan.
  • Search for hxsoftwares.com. Any match confirms the loader was active during the current session.
4

FiveM memory scan

  • In System Informer, open the FiveM_GTAProcess.exe process and perform a string scan.
  • Search for api.hxsoftwares.com. A hit confirms active injection into the game process.
5

Journal trace

  • Run a drive C: journal trace and search for updated.exe.
  • Journal entries for updated.exe outside a known software update path confirm loader execution even after the file has been deleted.
6

DPS / PcaSVC timestamp

  • Use a DFIR tool to inspect the PcaSVC and DPS log entries for updated.exe.
  • The known first-seen DPS timestamp for this build is 2025-04-07 16:07:09 UTC with PcaSVC token 0xf93000. Any anomalous updated.exe entry in an unexpected path warrants further investigation.

Detection summary

Artifact matrix — HX Software / updated.exeSummary
Artifact                          Survives cleanup?   Check location
──────────────────────────────────────────────────────────────────────────
PcaSVC / DPS timestamp            Yes                 AppCompat / DPS log
Prefetch (updated.exe)            Usually             C:\Windows\Prefetch
DNS cache (hxsoftwares.com)       Session-length      ipconfig /displaydns
C2 strings in lsass.exe           Only while running  Memory string scan
C2 strings in FiveM process       Only while running  Memory string scan
Journal Trace entries             Yes                 Drive C: journal trace

The most immediately actionable persistent indicators are the Journal Trace entries for updated.exe and the DPS/PcaSVC timestamp. Both survive standard user-side cleanup and require no live memory access. During an active session, the cross-source C2 presence across DNS, lsass.exe, and the FiveM process provides a conclusive multi-layered confirmation.

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.