Bypass Detection·Jun 2, 2026

XYZ Corp Bypass: Randomised Executable with xyzcorporation.xyz C2

XYZ Corp generates a randomly-named executable — ear6tkyel9rv.exe in the observed sample — and drops it directly in AppData\Local with no subdirectory. The random filename is weak OPSEC: the hardcoded C2 domain xyzcorporation.xyz and a stable DPS timestamp expose every build regardless of what the file is named.

FiveMBypass DetectionRandom FilenameC2 DomainIOC

Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.

Overview

The XYZ Corp bypass presents an interesting case study in the limits of filename randomisation as an evasion strategy. The operator generates a pseudo-random alphanumeric filename — the observed sample is ear6tkyel9rv.exe, 12 characters with mixed letters and digits — and drops the executable directly into C:\Users\Administrator\AppData\Local\. There is no subdirectory, no folder hierarchy to add legitimacy, and no attempt to mimic a real application name.

This approach correctly anticipates that hash-based detection will fail if the filename changes on each deployment. However, the operator made a critical error: the C2 domain xyzcorporation.xyz is hardcoded into every binary. A domain is far more expensive to rotate than a filename — it requires purchasing a new domain, updating DNS, redistributing the loader to all active users, and waiting for propagation. As a result, the C2 domain is the most durable detection anchor available.

The binary is a 20.14 MB AMD64 PE with six sections, compiled as of 2026/03/06 at 14:38:43 UTC per the DPS timestamp. The file size of 20.14 MB (21,118,464 bytes) is consistent with a packed or resource-heavy loader, potentially embedding the bypass payload in a resource section rather than loading it from disk separately.

Detection does not require knowing the current randomised filename. DNS query logs, lsass network connection state, and the AppData\Local drop path pattern — a 12-character random filename at the root of LocalAppData — are all detectable without prior knowledge of the specific filename in use.

Primary IOCs

1

File Hash — SHA-256, SHA-1, MD5

SHA-256: 6cb47876cd00d14ba9c5a85f9b2ccbc91e34c13190feb1c099310f6969bd35c0

SHA-1: 230ff8ef83c794bc0abacb0570dd66e5a00ed113

MD5: 018601ba436c1ad41b3f52384696251f

These hashes apply to the observed ear6tkyel9rv.exe sample. Future deployments will carry different hashes due to filename-based packing variations, but this sample's hashes are definitive for any instance where the same binary was distributed to multiple users before recompilation. File size is 21,118,464 bytes (20.14 MB) — this distinctive size alone narrows the field significantly during an AppData\Local sweep.

2

DPS Timestamp — 2026/03/06:14:38:43

The PE TimeDateStamp for the observed build is 2026/03/06 at 14:38:43 UTC. This timestamp is embedded in the PE header's Optional Header and is readable by any PE analysis tool including DIE, pestudio, or CFF Explorer. Unlike NTFS file timestamps, the PE header timestamp is set at compile time and reflects when the linker produced the binary.

A random-named executable in AppData\Local with a compile timestamp in early March 2026 and a file size near 20 MB should be immediately treated as a high-priority sample for further analysis. Submit to VirusTotal and run hash comparison against documented XYZ Corp hashes.

3

PcaSvc Entry — Offset 0x142b000

The observed sample carries PcaSvc offset 0x142b000. PcaSvc registry entries persist after the executable is removed from disk, providing a forensic record of execution even if the player attempts to clean up before or during a screenshare.

Check HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers and related AppCompat keys for entries referencing random-named executables in AppData\Local. The presence of such an entry without a corresponding legitimate application is a strong post-execution indicator.

4

AppData\Local Root Drop — No Subdirectory Pattern

A legitimate application that drops a file in AppData\Local will almost always create a named subdirectory (e.g.,AppData\Local\Discord\ orAppData\Local\Google\Chrome\). Dropping an executable directly at the root of AppData\Local with a random 12-character name is not a pattern used by any known legitimate software. This combination — root drop, random name, no company subfolder — is a reliable heuristic for identifying bypass loaders in this family.

During a screenshare, ask the player to open their AppData\Local directory and sort by Type. Any .exe files at the root level — not inside a named application subfolder — should be hashed immediately, regardless of their filename.

5

C2 Domain in DNS Query History — xyzcorporation.xyz

The C2 domain xyzcorporation.xyz is hardcoded in the binary and will appear in the system's DNS cache if the loader has communicated with the C2 server. Run:

ipconfig /displaydns | findstr /i "xyzcorporation"

If the domain appears in the DNS cache, the loader has executed and established C2 contact. The DNS cache is typically flushed on reboot; if the player rebooted before the screenshare, absence from the DNS cache does not rule out prior execution. Check browser history, Windows Firewall logs, and Event Log for outbound connection attempts to corroborate.

6

C2 Domain in lsass Network Connections

If the bypass is currently active, its injected component may maintain a persistent connection to xyzcorporation.xyz. In System Informer, navigate to the Network tab and look for any established TCP connection to an IP address that resolves to this domain. Alternatively, use TCPView to enumerate all active connections and resolve remote addresses in real time.

A connection attributed to an unusual process — particularly lsass, explorer, or a process running from AppData — that terminates to an IP address hosting xyzcorporation.xyz is definitive evidence of active bypass operation. Screenshot and record the connection details before the player has an opportunity to terminate the process.

Screenshare Check Methodology

1

Open AppData\Local and Sort Executables by Date

Ask the player to press Win+R, type%localappdata%, and press Enter. In the resulting Explorer window, set the view to Details and sort by Date Modified descending. Any .exe file at the root level — not inside a named application folder — should be immediately noted and hashed.

Request that the player show the full Name and Date Modified columns without truncation. Watch for files with random-looking alphanumeric names (10–15 characters, mixed case and digits) that were modified within the past month.

2

Run DNS Cache Query for xyzcorporation.xyz

Ask the player to open Command Prompt and run ipconfig /displaydns. Instruct them to scroll through the output slowly, or pipe it to a text file and open that file for easier review:ipconfig /displaydns > dns_cache.txt && notepad dns_cache.txt. Search for "xyz" in the Notepad view. Any record for xyzcorporation.xyz or subdomains thereof is a confirmed IOC.

3

Check TCPView for Active C2 Connection

Ask the player to open TCPView (Sysinternals). Allow it to resolve addresses. Scan the Established connections for any remote address that resolves to xyzcorporation.xyz or its registered IP range. If a connection is found, note the process name and PID, then cross-reference in Task Manager or System Informer to confirm whether the owning process is the random-named executable or an injected host process.

4

Hash Any Suspicious AppData\Local Executables

For any .exe found at the root of AppData\Local, compute SHA-256 and compare against the documented XYZ Corp hash. PowerShell command:

Get-FileHash "$env:LOCALAPPDATA\ear6tkyel9rv.exe" -Algorithm SHA256

Replace the filename with whatever random name is observed. The file size (approximately 20 MB) is a quick pre-filter: ask the player to check the file size in Properties before investing time in a full hash computation.

5

Inspect PE Header Timestamp with DIE

If a suspicious executable is found, ask the player to open Detect-It-Easy and drag the file in. Expand the PE header section and note the TimeDateStamp field. A value of 2026/03/06 14:38:43 confirms this is the documented XYZ Corp build even before a hash comparison is complete.

DIE also displays the number of PE sections (six for this sample) and the CPU architecture (AMD64). These secondary characteristics provide additional confirmation points beyond the timestamp alone.

Detection Notes

The XYZ Corp operator has correctly identified that hash-based detection fails against randomised filenames, but has failed to account for the fact that behavioral and network-layer detection is immune to filename changes. The C2 domain is the highest-value IOC in this family precisely because it cannot be changed without a coordinated infrastructure migration — a much higher operational cost than recompiling with a new random filename.

Server administrators with access to network monitoring should add xyzcorporation.xyz to their DNS blocklist or network-level threat intelligence feeds. Any player whose client machine attempts to resolve this domain during or adjacent to a FiveM session should be flagged for screenshare review regardless of whether a matching executable is found on disk.

The use of the Administrator account's AppData path (C:\Users\Administrator\AppData\Local\) rather than the current user's profile suggests the bypass may be designed for systems where the user runs as Administrator, or that the sample was captured in a VM or test environment configured with the default Administrator account. Reviewers should check both the Administrator and the current user's AppData\Local directories.