Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.
Overview
XRC employs PowerShell's Invoke-Expression (IEX) cmdlet to receive its payload as a string — downloaded at runtime from a remote source — and execute it entirely within the PowerShell process's memory space. No payload binary is written to the filesystem, which prevents simple file-based scanning from detecting it. This technique is well-established in malware tradecraft but remains detectable through Windows' own script block logging and pipeline execution telemetry.
The DPS (Driver Store / Digital Product Suite) component registered by the installer carries a first-seen timestamp of 2038/07/16 — a date twelve years in the future, far beyond any plausible legitimate installation scenario. This is deliberate timestomping: by setting the timestamp to the distant future, the developer attempts to push the entry to the bottom of any time-sorted investigation view, making it less likely to be noticed during a quick review.
The bypass is distributed with a companion utility, Destemido Cleaner.exe, which is marketed as a log-cleaning tool. Its presence on a system is itself an IOC. The payload was downloaded via Chrome, leaving a .CRDOWNLOAD partial-download journal artifact — a Chrome-specific temporary file extension for in-progress downloads — visible in the NTFS journal even after the download completed and the temporary file was removed. C2 authentication proceeds through keyauth.win.
Primary IOCs
PowerShell Event ID 800 in Event Viewer
Open Event Viewer and navigate to Windows Logs → Windows PowerShell. Filter for Event ID 800, which is logged whenever a pipeline execution involving Invoke-Expression runs. Each IEX invocation produces an event containing the full command line passed to IEX, including any encoded or decoded payload string that was executed in memory.
Search for event entries occurring in the session timeframe under review. An entry with IEX or Invoke-Expression in the detail field, combined with a URL string or encoded payload content, confirms the in-memory loader was active. Export the event to XML for full detail preservation.
DPS timestamp anomaly — 2038/07/16
Open the Driver Store viewer or examine the DPS component manifest for the XRC installer entry. The first-seen timestamp will read 2038/07/16 — a date that is physically impossible for any software first installed in the present. No legitimate driver or system component carries a future first-seen timestamp. This is a definitive indicator of deliberate timestamp manipulation.
In the context of a screenshare review, ask the subject to open Windows Settings → Apps → Installed Apps and sort by install date. Any application showing a 2038 date is immediately anomalous and should be cross-referenced with its executable path for further investigation.
PcaSVC entry at offset 0x11a000
Examine the PcaSVC execution log for an entry at offset 0x11a000. This offset corresponds to the XRC loader component recorded by the Program Compatibility Assistant Service when the installer or a companion executable first ran. The entry includes the binary path and execution timestamp as logged by Windows compatibility telemetry — independent of any user-space cleanup that may have occurred subsequently.
SHA-256 hash of companion binary
If any component of XRC remains on disk, compute its SHA-256 hash. The known hash for this build is 9d8038d5f03503704ee237ed72b8683e0261a254951ad0ce717842a27672b2ff. Run certutil -hashfile <path> SHA256 and compare. Submit to VirusTotal for multi-vendor confirmation. Components to check include the primary loader, any Destemido Cleaner.exe instance, and any unsigned executable recently created in user-writable directories.
Journal Trace — .CRDOWNLOAD file entry
Examine the NTFS change journal using a Journal Trace utility or fsutil usn readjournal C: csv. Filter journal entries for filenames ending in .crdownload. Chrome creates these temporary files during active downloads and normally removes them upon completion — but the NTFS journal retains the creation and deletion record. The presence of a .crdownload entry for a filename associated with the bypass confirms it was downloaded through Chrome during the session under review.
Destemido Cleaner.exe identification
Search the filesystem for Destemido Cleaner.exe using where /r C:\ "Destemido*" from an elevated Command Prompt. If found, hash the file and inspect its strings with DIE. Its presence alongside any other XRC-related artifact confirms that the user is running the full XRC suite, not an isolated PowerShell script. The cleaner's purpose — removing traces — is itself an indicator of knowledge and intent.
keyauth.win C2 in DNS cache and lsass memory
Run ipconfig /displaydns | findstr /i keyauth to check the DNS cache. Then open System Informer, locate lsass.exe, and search its memory for the string keyauth. Either indicator confirms that authentication through keyauth.win occurred in this session. As with other keyauth-based bypasses, this domain has no legitimate presence on a gaming PC.
In-Memory Loading & PowerShell IEX
PowerShell's Invoke-Expression cmdlet takes a string argument and executes it as a PowerShell command or script block. When used as a loader, the operator downloads the payload as an encoded string (often Base64 or AES-encrypted) from a remote URL, decodes it at runtime, and passes it directly to IEX. Because the decoded payload exists only in the PowerShell process's memory heap, it is never written to the filesystem as a standalone file and therefore cannot be detected by file-based on-access scanners or located in a standard directory listing.
However, Windows PowerShell's script block logging and pipeline execution logging — when enabled, and often enabled by default since Windows 10 — record the evaluated content of IEX calls in the Windows PowerShell event log under Event ID 800 (pipeline execution) and Event ID 4104 (script block logging, under Microsoft-Windows-PowerShell/Operational). These logs capture the content of the script block after decoding, exposing the actual payload code even when the loader itself took significant steps to obfuscate the download string.
The XRC loader's use of IEX is therefore detectable not through file forensics but through event log forensics. Investigators should treat any unexplained Event ID 800 or 4104 entry containing encoded content, URL strings, or injection-related API names (such as VirtualAlloc, WriteProcessMemory, or CreateRemoteThread) as a strong indicator of in-memory payload delivery.
Detection Notes
The future-dated DPS timestamp is one of the most visually distinctive artifacts in this IOC set. It requires no specialist tooling to identify — a simple sort of the installed applications list by date will surface it immediately. The deliberate manipulation of timestamps to evade detection is itself evidence of knowledge and intent, which carries independent evidentiary weight beyond simple tool detection.
The IEX in-memory technique is more technically sophisticated but produces reliable Event Viewer artifacts that persist until the event log is cleared or rolls over. Investigators should check the PowerShell operational log size and last-cleared timestamp: a recently cleared log on a system with other bypass indicators suggests deliberate evidence destruction.
The presence of Destemido Cleaner.exe alongside XRC artifacts establishes a pattern of deliberate anti-forensic behavior. Users who possess dedicated log-cleaning utilities distributed with bypass software have demonstrated awareness that their activities are detectable and have taken steps to obstruct detection — context relevant to enforcement severity.