Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.
Overview
Star.xyz is a FiveM anti-cheat bypass distributed as a standalone Win32 PE executable with a file size of 4.54 MB. Unlike DLL-based bypasses that require a separate loader, the Star.xyz payload bundles its injection logic and authentication module into a single self-contained binary. This simplifies distribution and reduces the number of discrete on-disk artifacts, though it does not eliminate them.
The binary is authoritatively identified by two cryptographic hashes: SHA-256 ce5f6779fdd9c32e5ad6c9dcbc77c3c80a520d1488e9c026f997790cf7ea47b4 and SHA-1 9f926aac866275bb93925a9294e53dbc839e274a. These hashes provide definitive attribution independent of filename, path, or timestamp manipulation.
Authentication is handled through the keyauth.win infrastructure, a commercial license key service commonly abused by cheat developers. The bypass performs a keyauth license validation on startup, which produces a distinctive dual-artifact signature: the domain appears in the Windows DNS resolver cache at the OS level, and simultaneously the domain string is written into lsass.exe process memory as part of the authentication token exchange. Both artifacts can be independently confirmed during a screenshare investigation.
Primary IOCs
Hash identification (SHA-256 and SHA-1)
If the executable is still on disk, compute its hashes using certutil -hashfile <path> SHA256 and certutil -hashfile <path> SHA1. Confirm against SHA-256 ce5f6779fdd9c32e5ad6c9dcbc77c3c80a520d1488e9c026f997790cf7ea47b4 and SHA-1 9f926aac866275bb93925a9294e53dbc839e274a. A match is definitive attribution regardless of what the file is named or where it is stored.
DNS cache — keyauth.win resolution record
Run ipconfig /displaydns in an elevated Command Prompt and search for any record whose hostname contains keyauth.win. The DNS cache is populated when the bypass performs its license check and persists until TTL expiry or the next system reboot. On most configurations the TTL for keyauth responses is short, so a live cache hit indicates the bypass ran within the past few minutes to hours.
For targeted output run: ipconfig /displaydns | findstr /i "keyauth". No output from a flushed cache is not exculpatory — proceed to the lsass check.
LSASS memory — keyauth.win string artifact
Open System Informer as administrator, locate the lsass.exe process in the process list, and open its Properties. Navigate to the Memory tab and use the Find Strings function with the search term keyauth. The Star.xyz authentication module writes the full endpoint URL into lsass memory during the license validation handshake. This artifact survives DNS cache flushes and persists in lsass memory pages until they are overwritten or the system restarts.
A hit in lsass alongside a DNS cache entry constitutes a high-confidence dual confirmation of the Star.xyz bypass having been active in the current session.


LastActivityView — execution record
LastActivityView (NirSoft) aggregates execution history from multiple Windows sources including prefetch, UserAssist registry keys, and the Windows Event Log. Run it and sort by time. Look for entries corresponding to the Star.xyz executable filename or to any unexpected 4–5 MB executable in a user-writable directory within the timeframe under investigation.
Prefetch entries are particularly valuable as they record a hash of the executable path and a run count. Even if the binary has been deleted from disk, the prefetch file under C:\Windows\Prefetch\ will contain the original filename and last execution timestamp.

Journal Trace — DLL drop entries
Use a Journal Trace utility or fsutil usn readjournal C: csv to export the NTFS change journal. Filter the output for any DLL files created in user-writable directories around the time of the suspected bypass execution. Star.xyz may extract or drop auxiliary DLLs as part of its injection process — journal entries for these will outlast the files themselves if they have since been deleted.


Everything tool — file discovery
If the bypass binary is still on the system, the Everything search tool (voidtools) can locate it instantly by searching for the partial SHA hash embedded in the filename if the user renamed it predictably, or by filtering on file size (4.54 MB = approximately 4,762,624 bytes). Sort results by date modified to surface recently placed files. Everything also indexes files in normally hidden directories, unlike Windows Explorer.

VirusTotal hash lookup
Navigate to virustotal.com and submit the SHA-256 hash ce5f6779fdd9c32e5ad6c9dcbc77c3c80a520d1488e9c026f997790cf7ea47b4. Multiple anti-cheat and AV vendors have flagged this sample. Review the detection names, the PE header metadata visible in the Details tab, and the Behaviour tab for recorded network connections to keyauth.win infrastructure.


Detection Notes
The dual keyauth.win signature — DNS cache plus lsass memory string — is the most reliable detection path for Star.xyz. These two indicators come from entirely different OS subsystems (DNS resolver and LSASS process memory) and would require two separate remediation actions to remove. A user who flushes DNS but does not restart will still carry the lsass string; a user who restarts to clear lsass will regenerate the DNS entry the next time the bypass runs.
The known-good SHA-256 and SHA-1 hashes provide static identification that is independent of any runtime behaviour. These hashes should be cross-checked against VirusTotal before and after any screenshare session to establish whether the subject is running a known variant.
Prefetch and LastActivityView entries provide timeline evidence that survives binary deletion. Even if the subject deletes the executable before the screenshare, the execution record in prefetch and the memory artifacts in lsass (pending reboot) provide sufficient evidence of past use within the current session.