Cheat DetectionHighPublished

Seryx FiveM cheat detection & forensic artifacts

Seryx is a FiveM cheat loader distributed as Loader.exe. It is identified by SHA-256 01a27b1ce601280792941524b4b108330eb2ffe3e0a0151e3ba44257c3585476 and a PcaSVC offset of 0x1c86000. Because the filename is generic, hash and PcaSVC confirmation are required for attribution.

CR
Clubhouse AC Research
June 2, 2026 6 min read

Summary

  • Distributed as generic Loader.exe — attribution requires hash confirmation or PcaSVC offset match.
  • SHA-256 01a27b1ce601280792941524b4b108330eb2ffe3e0a0151e3ba44257c3585476.
  • PcaSVC offset 0x1c86000 observed in memory forensics.
  • Prefetch and AppCompat records persist after execution.

Overview

Seryx is a FiveM cheat loader. Like several other cheats in the FiveM ecosystem, it distributes its primary executable under the generic name Loader.exe. This means the filename alone is insufficient for attribution — hash verification and PcaSVC offset matching are the primary identification methods.

The PcaSVC offset 0x1c86000 is a memory forensic indicator observed during active Seryx sessions, providing a complementary identification pathway alongside the SHA-256 hash.

Sample metadata (IOC)

Loader.exe (Seryx) — file indicatorsIOC
Name        Loader.exe
Brand       Seryx

SHA-256     01a27b1ce601280792941524b4b10833
            0eb2ffe3e0a0151e3ba44257c3585476

PcaSVC      0x1c86000

Behavioral indicators

Generic filename — attribution by hash

The executable name Loader.exe is shared by many FiveM cheats. When investigating a suspect Loader.exe, always confirm attribution by computing the SHA-256 hash and matching it against the known Seryx value. Alternatively, the PcaSVC offset 0x1c86000 provides a memory-side confirmation.

PcaSVC memory offset

During memory forensic analysis of a system running Seryx, the PcaSVC offset 0x1c86000 has been consistently observed. This offset combined with the executable name allows attribution even when the file has been deleted.

Screenshare check guide

1

File hash verification

  • If Loader.exe is present on disk, compute its SHA-256.
  • Match against 01a27b1ce601280792941524b4b108330eb2ffe3e0a0151e3ba44257c3585476.
2

PcaSVC offset check

  • In memory forensic tools, search for PcaSVC entries at offset 0x1c86000.
  • This offset combined with a Loader.exe entry confirms Seryx.
3

Process list — Loader.exe

  • Check for a running Loader.exe process. Note the full executable path — non-system paths are suspicious.
4

AppCompat / PcaSVC log

  • Inspect the AppCompat database for a Loader.exe entry. Cross-reference the path and timestamp with other indicators.
5

Browser and Discord

  • Check browser history and downloads for references to Seryx.
  • In Discord, check User Settings → Authorized Apps.

Detection summary

Artifact matrix — Seryx / Loader.exeSummary
Artifact                      Survives cleanup?   Check location
──────────────────────────────────────────────────────────────────────
PcaSVC entry (0x1c86000)      Yes                 AppCompat / DPS log
SHA-256 hash match            Yes (file on disk)  File system
Prefetch (Loader.exe)         Usually             C:\Windows\Prefetch

Defensive material

All indicators and methodology documented here are published for server administrators, DFIR practitioners, and anti-cheat researchers. This material describes detection techniques only. For vulnerability disclosures or to contribute to the research corpus, contact security@clubhouseac.shop.