Bypass Detection·Jun 2, 2026

Star.xyz Bypass: Win32 EXE with keyauth.win LSASS Strings

The Star.xyz bypass is a 4.54 MB Win32 executable identified by SHA-256 ce5f6779...47b4 that authenticates through keyauth.win, leaving the domain string simultaneously in the DNS cache and in lsass.exe memory. This guide documents all artifact layers from hash identification through runtime memory forensics.

FiveMBypass Detectionkeyauth.winLSASSIOC

Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.

Overview

Star.xyz is a FiveM anti-cheat bypass distributed as a standalone Win32 PE executable with a file size of 4.54 MB. Unlike DLL-based bypasses that require a separate loader, the Star.xyz payload bundles its injection logic and authentication module into a single self-contained binary. This simplifies distribution and reduces the number of discrete on-disk artifacts, though it does not eliminate them.

The binary is authoritatively identified by two cryptographic hashes: SHA-256 ce5f6779fdd9c32e5ad6c9dcbc77c3c80a520d1488e9c026f997790cf7ea47b4 and SHA-1 9f926aac866275bb93925a9294e53dbc839e274a. These hashes provide definitive attribution independent of filename, path, or timestamp manipulation.

Authentication is handled through the keyauth.win infrastructure, a commercial license key service commonly abused by cheat developers. The bypass performs a keyauth license validation on startup, which produces a distinctive dual-artifact signature: the domain appears in the Windows DNS resolver cache at the OS level, and simultaneously the domain string is written into lsass.exe process memory as part of the authentication token exchange. Both artifacts can be independently confirmed during a screenshare investigation.

Primary IOCs

1

Hash identification (SHA-256 and SHA-1)

If the executable is still on disk, compute its hashes using certutil -hashfile <path> SHA256 and certutil -hashfile <path> SHA1. Confirm against SHA-256 ce5f6779fdd9c32e5ad6c9dcbc77c3c80a520d1488e9c026f997790cf7ea47b4 and SHA-1 9f926aac866275bb93925a9294e53dbc839e274a. A match is definitive attribution regardless of what the file is named or where it is stored.

2

DNS cache — keyauth.win resolution record

Run ipconfig /displaydns in an elevated Command Prompt and search for any record whose hostname contains keyauth.win. The DNS cache is populated when the bypass performs its license check and persists until TTL expiry or the next system reboot. On most configurations the TTL for keyauth responses is short, so a live cache hit indicates the bypass ran within the past few minutes to hours.

For targeted output run: ipconfig /displaydns | findstr /i "keyauth". No output from a flushed cache is not exculpatory — proceed to the lsass check.

3

LSASS memory — keyauth.win string artifact

Open System Informer as administrator, locate the lsass.exe process in the process list, and open its Properties. Navigate to the Memory tab and use the Find Strings function with the search term keyauth. The Star.xyz authentication module writes the full endpoint URL into lsass memory during the license validation handshake. This artifact survives DNS cache flushes and persists in lsass memory pages until they are overwritten or the system restarts.

A hit in lsass alongside a DNS cache entry constitutes a high-confidence dual confirmation of the Star.xyz bypass having been active in the current session.

keyauth.win in DNS / lsass.exe (1 of 2)
keyauth.win created in the DNS cache and LSASS process
keyauth.win in DNS / lsass.exe (2 of 2)
keyauth.win string resident in the LSASS process
4

LastActivityView — execution record

LastActivityView (NirSoft) aggregates execution history from multiple Windows sources including prefetch, UserAssist registry keys, and the Windows Event Log. Run it and sort by time. Look for entries corresponding to the Star.xyz executable filename or to any unexpected 4–5 MB executable in a user-writable directory within the timeframe under investigation.

Prefetch entries are particularly valuable as they record a hash of the executable path and a run count. Even if the binary has been deleted from disk, the prefetch file under C:\Windows\Prefetch\ will contain the original filename and last execution timestamp.

LastActivityView — Star.xyz execution record
LastActivityView execution record for the Star.xyz bypass
5

Journal Trace — DLL drop entries

Use a Journal Trace utility or fsutil usn readjournal C: csv to export the NTFS change journal. Filter the output for any DLL files created in user-writable directories around the time of the suspected bypass execution. Star.xyz may extract or drop auxiliary DLLs as part of its injection process — journal entries for these will outlast the files themselves if they have since been deleted.

Journal Trace — Star.xyz DLL drop (1 of 2)
USN Journal trace for the Star.xyz DLL (1 of 2)
Journal Trace — Star.xyz DLL drop (2 of 2)
USN Journal trace for the Star.xyz DLL (2 of 2)
6

Everything tool — file discovery

If the bypass binary is still on the system, the Everything search tool (voidtools) can locate it instantly by searching for the partial SHA hash embedded in the filename if the user renamed it predictably, or by filtering on file size (4.54 MB = approximately 4,762,624 bytes). Sort results by date modified to surface recently placed files. Everything also indexes files in normally hidden directories, unlike Windows Explorer.

Everything — Star.xyz file located by size
Everything search locating the Star.xyz files by size
7

VirusTotal hash lookup

Navigate to virustotal.com and submit the SHA-256 hash ce5f6779fdd9c32e5ad6c9dcbc77c3c80a520d1488e9c026f997790cf7ea47b4. Multiple anti-cheat and AV vendors have flagged this sample. Review the detection names, the PE header metadata visible in the Details tab, and the Behaviour tab for recorded network connections to keyauth.win infrastructure.

VirusTotal — Star.xyz (SHA-256 ce5f6779…f7ea47b4)
VirusTotal detections for the Star.xyz bypass
Star.xyz bypass — interface opened
Star.xyz bypass interface opened

Screenshare Check Methodology

1

Hash the executable if present on disk

Ask the subject to open a Command Prompt and run certutil -hashfile <path> SHA256 on the suspicious file. Compare the output in real time against the known SHA-256. If the file has been deleted, proceed directly to runtime memory and artifact checks.

2

DNS cache dump for keyauth.win

In an elevated Command Prompt: ipconfig /displaydns | findstr /i keyauth. Watch the output together. A blank result after this command does not clear suspicion — the DNS cache may have been flushed. Proceed to the lsass check.

3

System Informer lsass memory string search

Open System Informer as administrator. Locate lsass.exe → Properties → Memory → Find Strings. Search for keyauth. A result here is a strong positive indicator and cannot be dismissed as a DNS cache artefact — it requires the authentication module to have actively run within the current Windows session.

4

LastActivityView execution history review

Run LastActivityView and sort by the Action Time column in descending order. Scroll through the most recent activity looking for unfamiliar executables. Ask the subject to not close or filter the results. Any entry for a file matching the approximate size or name of the Star.xyz binary is a corroborating indicator of execution.

5

Prefetch directory spot check

Navigate to C:\Windows\Prefetch\ in Windows Explorer (requires admin). Sort by date modified. Look for any prefetch file (extension .pf) created or modified around the suspected bypass run time. The filename portion before the dash is the executable name. Open a suspicious prefetch file with WinPrefetchView to see the full original path and run count.

6

USN journal DLL entry review

Run fsutil usn readjournal C: csv > journal.csvand open the file. Filter on the .dll extension and sort by timestamp. Any DLL creation event in a temp or user directory close to the suspected execution window is a supporting artifact confirming the bypass deployed a secondary component.

Detection Notes

The dual keyauth.win signature — DNS cache plus lsass memory string — is the most reliable detection path for Star.xyz. These two indicators come from entirely different OS subsystems (DNS resolver and LSASS process memory) and would require two separate remediation actions to remove. A user who flushes DNS but does not restart will still carry the lsass string; a user who restarts to clear lsass will regenerate the DNS entry the next time the bypass runs.

The known-good SHA-256 and SHA-1 hashes provide static identification that is independent of any runtime behaviour. These hashes should be cross-checked against VirusTotal before and after any screenshare session to establish whether the subject is running a known variant.

Prefetch and LastActivityView entries provide timeline evidence that survives binary deletion. Even if the subject deletes the executable before the screenshare, the execution record in prefetch and the memory artifacts in lsass (pending reboot) provide sufficient evidence of past use within the current session.