Bypass Detection·Jun 2, 2026

XRC Bypass: PowerShell IEX In-Memory Loader with Future-Dated DPS

XRC uses PowerShell Invoke-Expression to load its payload entirely in memory — no file is written to disk. Despite this, Event Viewer records the IEX invocation at Event ID 800. A deliberately timestomped DPS first-seen date of 2038/07/16, a PcaSVC entry at 0x11a000, a .CRDOWNLOAD journal artifact, and the companion Destemido Cleaner.exe round out a robust IOC set.

FiveMBypass DetectionPowerShell IEXFuture Timestampkeyauth.win

Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.

Overview

XRC employs PowerShell's Invoke-Expression (IEX) cmdlet to receive its payload as a string — downloaded at runtime from a remote source — and execute it entirely within the PowerShell process's memory space. No payload binary is written to the filesystem, which prevents simple file-based scanning from detecting it. This technique is well-established in malware tradecraft but remains detectable through Windows' own script block logging and pipeline execution telemetry.

The DPS (Driver Store / Digital Product Suite) component registered by the installer carries a first-seen timestamp of 2038/07/16 — a date twelve years in the future, far beyond any plausible legitimate installation scenario. This is deliberate timestomping: by setting the timestamp to the distant future, the developer attempts to push the entry to the bottom of any time-sorted investigation view, making it less likely to be noticed during a quick review.

The bypass is distributed with a companion utility, Destemido Cleaner.exe, which is marketed as a log-cleaning tool. Its presence on a system is itself an IOC. The payload was downloaded via Chrome, leaving a .CRDOWNLOAD partial-download journal artifact — a Chrome-specific temporary file extension for in-progress downloads — visible in the NTFS journal even after the download completed and the temporary file was removed. C2 authentication proceeds through keyauth.win.

Primary IOCs

1

PowerShell Event ID 800 in Event Viewer

Open Event Viewer and navigate to Windows Logs → Windows PowerShell. Filter for Event ID 800, which is logged whenever a pipeline execution involving Invoke-Expression runs. Each IEX invocation produces an event containing the full command line passed to IEX, including any encoded or decoded payload string that was executed in memory.

Search for event entries occurring in the session timeframe under review. An entry with IEX or Invoke-Expression in the detail field, combined with a URL string or encoded payload content, confirms the in-memory loader was active. Export the event to XML for full detail preservation.

2

DPS timestamp anomaly — 2038/07/16

Open the Driver Store viewer or examine the DPS component manifest for the XRC installer entry. The first-seen timestamp will read 2038/07/16 — a date that is physically impossible for any software first installed in the present. No legitimate driver or system component carries a future first-seen timestamp. This is a definitive indicator of deliberate timestamp manipulation.

In the context of a screenshare review, ask the subject to open Windows Settings → Apps → Installed Apps and sort by install date. Any application showing a 2038 date is immediately anomalous and should be cross-referenced with its executable path for further investigation.

3

PcaSVC entry at offset 0x11a000

Examine the PcaSVC execution log for an entry at offset 0x11a000. This offset corresponds to the XRC loader component recorded by the Program Compatibility Assistant Service when the installer or a companion executable first ran. The entry includes the binary path and execution timestamp as logged by Windows compatibility telemetry — independent of any user-space cleanup that may have occurred subsequently.

4

SHA-256 hash of companion binary

If any component of XRC remains on disk, compute its SHA-256 hash. The known hash for this build is 9d8038d5f03503704ee237ed72b8683e0261a254951ad0ce717842a27672b2ff. Run certutil -hashfile <path> SHA256 and compare. Submit to VirusTotal for multi-vendor confirmation. Components to check include the primary loader, any Destemido Cleaner.exe instance, and any unsigned executable recently created in user-writable directories.

5

Journal Trace — .CRDOWNLOAD file entry

Examine the NTFS change journal using a Journal Trace utility or fsutil usn readjournal C: csv. Filter journal entries for filenames ending in .crdownload. Chrome creates these temporary files during active downloads and normally removes them upon completion — but the NTFS journal retains the creation and deletion record. The presence of a .crdownload entry for a filename associated with the bypass confirms it was downloaded through Chrome during the session under review.

6

Destemido Cleaner.exe identification

Search the filesystem for Destemido Cleaner.exe using where /r C:\ "Destemido*" from an elevated Command Prompt. If found, hash the file and inspect its strings with DIE. Its presence alongside any other XRC-related artifact confirms that the user is running the full XRC suite, not an isolated PowerShell script. The cleaner's purpose — removing traces — is itself an indicator of knowledge and intent.

7

keyauth.win C2 in DNS cache and lsass memory

Run ipconfig /displaydns | findstr /i keyauth to check the DNS cache. Then open System Informer, locate lsass.exe, and search its memory for the string keyauth. Either indicator confirms that authentication through keyauth.win occurred in this session. As with other keyauth-based bypasses, this domain has no legitimate presence on a gaming PC.

In-Memory Loading & PowerShell IEX

PowerShell's Invoke-Expression cmdlet takes a string argument and executes it as a PowerShell command or script block. When used as a loader, the operator downloads the payload as an encoded string (often Base64 or AES-encrypted) from a remote URL, decodes it at runtime, and passes it directly to IEX. Because the decoded payload exists only in the PowerShell process's memory heap, it is never written to the filesystem as a standalone file and therefore cannot be detected by file-based on-access scanners or located in a standard directory listing.

However, Windows PowerShell's script block logging and pipeline execution logging — when enabled, and often enabled by default since Windows 10 — record the evaluated content of IEX calls in the Windows PowerShell event log under Event ID 800 (pipeline execution) and Event ID 4104 (script block logging, under Microsoft-Windows-PowerShell/Operational). These logs capture the content of the script block after decoding, exposing the actual payload code even when the loader itself took significant steps to obfuscate the download string.

The XRC loader's use of IEX is therefore detectable not through file forensics but through event log forensics. Investigators should treat any unexplained Event ID 800 or 4104 entry containing encoded content, URL strings, or injection-related API names (such as VirtualAlloc, WriteProcessMemory, or CreateRemoteThread) as a strong indicator of in-memory payload delivery.

Screenshare Check Methodology

1

Event Viewer PowerShell log — Event ID 800

Open Event Viewer (eventvwr.msc) and navigate to Windows Logs → Windows PowerShell. Click Filter Current Log and enter 800 in the Event IDs field. Walk through results in the session timeframe. Share the detail pane on screen for any entry referencing IEX, a URL, or encoded content. Also check Microsoft-Windows-PowerShell/Operational for Event ID 4104.

2

Installed apps date sort — 2038 timestamp check

Open Settings → Apps → Installed Apps and sort by install date descending, then ascending. Entries with dates in 2038 or otherwise in the future will appear at the extreme end of the list in either direction. Ask the subject to scroll through both ends of the sorted list on screen. A 2038-dated entry for any application not associated with a time-synchronized enterprise deployment tool is conclusive timestomping.

3

Destemido Cleaner.exe filesystem search

In an elevated Command Prompt, run where /r C:\ "Destemido*". Share the output on screen. Any match confirms the companion cleaner is present. Also check the user's Downloads and Desktop directories manually by navigating them in Explorer with hidden files visible (View → Show → Hidden items).

4

DNS cache and lsass keyauth.win check

Run ipconfig /displaydns | findstr /i keyauth in the elevated Command Prompt. Follow up with System Informer: locate lsass.exe → Properties → Memory → Find Strings → search keyauth. Share both outputs on screen.

5

Journal Trace CRDOWNLOAD artifact

Run a Journal Trace scan or export the USN journal with fsutil usn readjournal C: csv > journal.csv. Open the output and filter for .crdownload filenames. Timestamps on any matching entries will indicate when the download occurred and can be correlated with the PowerShell Event ID 800 timestamp to reconstruct the delivery timeline.

6

Hash any remaining XRC components

If any XRC-related file is found on disk, hash it with certutil -hashfile <path> SHA256 and compare against the known hash 9d8038d5...2ff. Submit to VirusTotal live on screen to show the detection result in context. Even a clean VirusTotal result for a file with a future-dated DPS entry and IEX Event Viewer logs remains highly suspicious.

Detection Notes

The future-dated DPS timestamp is one of the most visually distinctive artifacts in this IOC set. It requires no specialist tooling to identify — a simple sort of the installed applications list by date will surface it immediately. The deliberate manipulation of timestamps to evade detection is itself evidence of knowledge and intent, which carries independent evidentiary weight beyond simple tool detection.

The IEX in-memory technique is more technically sophisticated but produces reliable Event Viewer artifacts that persist until the event log is cleared or rolls over. Investigators should check the PowerShell operational log size and last-cleared timestamp: a recently cleared log on a system with other bypass indicators suggests deliberate evidence destruction.

The presence of Destemido Cleaner.exe alongside XRC artifacts establishes a pattern of deliberate anti-forensic behavior. Users who possess dedicated log-cleaning utilities distributed with bypass software have demonstrated awareness that their activities are detectable and have taken steps to obstruct detection — context relevant to enforcement severity.