Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.
Overview
Apateon's bypass loader is distributed with a randomized filename — the observed sample uses kokaizanh.exe, though this name changes between distribution runs. The randomization is intentional: it prevents naive filename-based blocklists from catching the binary outright. However, it is a superficial layer of evasion that does not affect any of the binary's persistent, forensically recoverable identifiers.
The file is a 24.98 MB (26,196,992 byte) AMD64 PE binary. Its Digital Product Support (DPS) timestamp reads 2026/03/18:13:53:33, recorded by the Windows PcaSVC service at the time of first execution. This timestamp is stored in the registry and is not altered by renaming or moving the file.
The PcaSVC registry entry additionally records the binary's SizeOfImage field from the PE header: 0x287a000. This value matches the PE optional header exactly and serves as a secondary confirmation that the registered entry corresponds to this specific binary rather than a coincidental name collision.
The binary imports IPHLPAPI.DLL, WININET.dll, USER32.dll, and exports the InternetCloseHandle API, indicating active network connectivity capability — consistent with a loader that contacts an authentication or update endpoint before injecting.
Primary IOCs
Cryptographic Hash Verification
The authoritative identifiers for this binary are as follows. Any single hash match is sufficient for positive identification regardless of filename.
f9ad0e39cebb900f9864a1bfc4101f5d8562d9ba92e4f5bbb8b8d62daae747135b723c7c90c91c87492cbf870cecf90fde3eb6ac11751c3ee355021886dd70dc09843434Cross-reference this hash on VirusTotal: VT ↗ f9ad0e39...ae74713
DPS Timestamp: 2026/03/18:13:53:33
The Windows Digital Product Support service records execution metadata in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store. The Apateon binary carries a DPS timestamp of 2026/03/18:13:53:33.
This timestamp is set at first execution and persists even after the file is deleted or renamed. During a screenshare review, navigate to the PcaSVC registry key and search for any entry with this date. Its presence confirms the loader was executed on this machine.
PcaSVC Image Size: 0x287a000
The Program Compatibility Assistant service (PcaSVC) records the PE SizeOfImage value from the optional header at execution time. For this binary, that value is 0x287a000 (decimal: 42,336,256 bytes).
A match between the PcaSVC-recorded image size and the PE header of any suspicious binary on disk constitutes strong evidence of a match, even if the binary has been renamed or moved. The image size is not user-alterable without recompilation and cannot be changed by simply copying or renaming the file.
Prefetch Record (.pf File)
Windows Prefetch records execution events in C:\Windows\Prefetch\. A prefetch file named after the observed executable (e.g., KOKAIZANH.EXE-XXXXXXXX.pf) will be present after execution. The eight-character hex suffix is derived from the file's original path at execution time.
During screenshare, open C:\Windows\Prefetch\ and sort by modification date. Any prefetch entry for an unrecognized executable — particularly one that does not correspond to known system or application files — warrants examination. The last execution timestamp visible in the prefetch filename metadata will correspond to the session in question.
YARA Imphash: e3ff36e263cb18c32d2e8447705589f1
The import hash (imphash) of this binary is e3ff36e263cb18c32d2e8447705589f1. The imphash is computed from the ordered list of imported library and function names and does not change with cosmetic alterations to the binary such as section padding or overlay data modification.
A YARA rule matching on this imphash will catch repackaged variants of this loader that share the same import table structure, even if the binary has been re-linked with slightly different resource sections or version information. Include this imphash in your YARA ruleset for ongoing coverage of Apateon distribution variants.
Detection Notes
The filename randomization employed by Apateon is the extent of its evasion investment on the file-identity layer. No timestamp manipulation (timestomping) of the PE header or NTFS MFT was observed in the analyzed sample. The DPS and PcaSVC artifacts were written correctly by Windows at execution time and remain unaltered.
The binary does not appear to use any driver-level artifact suppression. Prefetch entries are present, registry traces are written, and the MFT creation timestamp is consistent with the reported DPS execution window. This suggests the Apateon developers rely primarily on the social trust of the screenshare subject (i.e., expecting the checker not to look in the registry) rather than technical anti-forensics.
Server administrators should add the SHA-256, SHA-1, and MD5 hashes to their indicator database and configure automated VirusTotal lookups for any file hashes submitted during screenshare sessions. The imphash (e3ff36e263cb18c32d2e8447705589f1) should be added to YARA rules to catch future repackaged variants.
Network monitoring at the server or gateway level may also surface connections to Apateon authentication endpoints originating from suspicious client processes. The presence of WININET.dll imports indicates HTTP/HTTPS-level outbound connectivity is expected behavior for this binary during its operational window.