Summary
- Distributed as generic Loader.exe — attribution requires hash confirmation or PcaSVC offset match.
- SHA-256 01a27b1ce601280792941524b4b108330eb2ffe3e0a0151e3ba44257c3585476.
- PcaSVC offset 0x1c86000 observed in memory forensics.
- Prefetch and AppCompat records persist after execution.
Overview
Seryx is a FiveM cheat loader. Like several other cheats in the FiveM ecosystem, it distributes its primary executable under the generic name Loader.exe. This means the filename alone is insufficient for attribution — hash verification and PcaSVC offset matching are the primary identification methods.
The PcaSVC offset 0x1c86000 is a memory forensic indicator observed during active Seryx sessions, providing a complementary identification pathway alongside the SHA-256 hash.
Sample metadata (IOC)
Name Loader.exe
Brand Seryx
SHA-256 01a27b1ce601280792941524b4b10833
0eb2ffe3e0a0151e3ba44257c3585476
PcaSVC 0x1c86000Behavioral indicators
Generic filename — attribution by hash
The executable name Loader.exe is shared by many FiveM cheats. When investigating a suspect Loader.exe, always confirm attribution by computing the SHA-256 hash and matching it against the known Seryx value. Alternatively, the PcaSVC offset 0x1c86000 provides a memory-side confirmation.
PcaSVC memory offset
During memory forensic analysis of a system running Seryx, the PcaSVC offset 0x1c86000 has been consistently observed. This offset combined with the executable name allows attribution even when the file has been deleted.
Screenshare check guide
File hash verification
- If Loader.exe is present on disk, compute its SHA-256.
- Match against 01a27b1ce601280792941524b4b108330eb2ffe3e0a0151e3ba44257c3585476.
PcaSVC offset check
- In memory forensic tools, search for PcaSVC entries at offset 0x1c86000.
- This offset combined with a Loader.exe entry confirms Seryx.
Process list — Loader.exe
- Check for a running Loader.exe process. Note the full executable path — non-system paths are suspicious.
AppCompat / PcaSVC log
- Inspect the AppCompat database for a Loader.exe entry. Cross-reference the path and timestamp with other indicators.
Browser and Discord
- Check browser history and downloads for references to Seryx.
- In Discord, check User Settings → Authorized Apps.
Detection summary
Artifact Survives cleanup? Check location ────────────────────────────────────────────────────────────────────── PcaSVC entry (0x1c86000) Yes AppCompat / DPS log SHA-256 hash match Yes (file on disk) File system Prefetch (Loader.exe) Usually C:\Windows\Prefetch
Defensive material
All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.