Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.
Overview
The XYZ Corp bypass presents an interesting case study in the limits of filename randomisation as an evasion strategy. The operator generates a pseudo-random alphanumeric filename — the observed sample is ear6tkyel9rv.exe, 12 characters with mixed letters and digits — and drops the executable directly into C:\Users\Administrator\AppData\Local\. There is no subdirectory, no folder hierarchy to add legitimacy, and no attempt to mimic a real application name.
This approach correctly anticipates that hash-based detection will fail if the filename changes on each deployment. However, the operator made a critical error: the C2 domain xyzcorporation.xyz is hardcoded into every binary. A domain is far more expensive to rotate than a filename — it requires purchasing a new domain, updating DNS, redistributing the loader to all active users, and waiting for propagation. As a result, the C2 domain is the most durable detection anchor available.
The binary is a 20.14 MB AMD64 PE with six sections, compiled as of 2026/03/06 at 14:38:43 UTC per the DPS timestamp. The file size of 20.14 MB (21,118,464 bytes) is consistent with a packed or resource-heavy loader, potentially embedding the bypass payload in a resource section rather than loading it from disk separately.
Detection does not require knowing the current randomised filename. DNS query logs, lsass network connection state, and the AppData\Local drop path pattern — a 12-character random filename at the root of LocalAppData — are all detectable without prior knowledge of the specific filename in use.
Primary IOCs
File Hash — SHA-256, SHA-1, MD5
SHA-256: 6cb47876cd00d14ba9c5a85f9b2ccbc91e34c13190feb1c099310f6969bd35c0
SHA-1: 230ff8ef83c794bc0abacb0570dd66e5a00ed113
MD5: 018601ba436c1ad41b3f52384696251f
These hashes apply to the observed ear6tkyel9rv.exe sample. Future deployments will carry different hashes due to filename-based packing variations, but this sample's hashes are definitive for any instance where the same binary was distributed to multiple users before recompilation. File size is 21,118,464 bytes (20.14 MB) — this distinctive size alone narrows the field significantly during an AppData\Local sweep.
DPS Timestamp — 2026/03/06:14:38:43
The PE TimeDateStamp for the observed build is 2026/03/06 at 14:38:43 UTC. This timestamp is embedded in the PE header's Optional Header and is readable by any PE analysis tool including DIE, pestudio, or CFF Explorer. Unlike NTFS file timestamps, the PE header timestamp is set at compile time and reflects when the linker produced the binary.
A random-named executable in AppData\Local with a compile timestamp in early March 2026 and a file size near 20 MB should be immediately treated as a high-priority sample for further analysis. Submit to VirusTotal and run hash comparison against documented XYZ Corp hashes.
PcaSvc Entry — Offset 0x142b000
The observed sample carries PcaSvc offset 0x142b000. PcaSvc registry entries persist after the executable is removed from disk, providing a forensic record of execution even if the player attempts to clean up before or during a screenshare.
Check HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers and related AppCompat keys for entries referencing random-named executables in AppData\Local. The presence of such an entry without a corresponding legitimate application is a strong post-execution indicator.
AppData\Local Root Drop — No Subdirectory Pattern
A legitimate application that drops a file in AppData\Local will almost always create a named subdirectory (e.g.,AppData\Local\Discord\ orAppData\Local\Google\Chrome\). Dropping an executable directly at the root of AppData\Local with a random 12-character name is not a pattern used by any known legitimate software. This combination — root drop, random name, no company subfolder — is a reliable heuristic for identifying bypass loaders in this family.
During a screenshare, ask the player to open their AppData\Local directory and sort by Type. Any .exe files at the root level — not inside a named application subfolder — should be hashed immediately, regardless of their filename.
C2 Domain in DNS Query History — xyzcorporation.xyz
The C2 domain xyzcorporation.xyz is hardcoded in the binary and will appear in the system's DNS cache if the loader has communicated with the C2 server. Run:
ipconfig /displaydns | findstr /i "xyzcorporation"
If the domain appears in the DNS cache, the loader has executed and established C2 contact. The DNS cache is typically flushed on reboot; if the player rebooted before the screenshare, absence from the DNS cache does not rule out prior execution. Check browser history, Windows Firewall logs, and Event Log for outbound connection attempts to corroborate.
C2 Domain in lsass Network Connections
If the bypass is currently active, its injected component may maintain a persistent connection to xyzcorporation.xyz. In System Informer, navigate to the Network tab and look for any established TCP connection to an IP address that resolves to this domain. Alternatively, use TCPView to enumerate all active connections and resolve remote addresses in real time.
A connection attributed to an unusual process — particularly lsass, explorer, or a process running from AppData — that terminates to an IP address hosting xyzcorporation.xyz is definitive evidence of active bypass operation. Screenshot and record the connection details before the player has an opportunity to terminate the process.
Detection Notes
The XYZ Corp operator has correctly identified that hash-based detection fails against randomised filenames, but has failed to account for the fact that behavioral and network-layer detection is immune to filename changes. The C2 domain is the highest-value IOC in this family precisely because it cannot be changed without a coordinated infrastructure migration — a much higher operational cost than recompiling with a new random filename.
Server administrators with access to network monitoring should add xyzcorporation.xyz to their DNS blocklist or network-level threat intelligence feeds. Any player whose client machine attempts to resolve this domain during or adjacent to a FiveM session should be flagged for screenshare review regardless of whether a matching executable is found on disk.
The use of the Administrator account's AppData path (C:\Users\Administrator\AppData\Local\) rather than the current user's profile suggests the bypass may be designed for systems where the user runs as Administrator, or that the sample was captured in a VM or test environment configured with the default Administrator account. Reviewers should check both the Administrator and the current user's AppData\Local directories.