Bypass Detection·Jun 2, 2026

Apateon Bypass: kokaizanh.exe with March 2026 DPS Timestamp

Apateon distributes its FiveM bypass loader under a randomized executable name (observed: kokaizanh.exe). Despite the filename randomization, the binary carries a definitive Digital Product Support timestamp of 2026/03/18:13:53:33 and a PcaSVC image size entry of 0x287a000 — both of which survive across rename attempts and provide reliable screenshare-visible IOCs for detection.

FiveMBypass DetectionDPS TimestampPcaSVCIOC

Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.

Overview

Apateon's bypass loader is distributed with a randomized filename — the observed sample uses kokaizanh.exe, though this name changes between distribution runs. The randomization is intentional: it prevents naive filename-based blocklists from catching the binary outright. However, it is a superficial layer of evasion that does not affect any of the binary's persistent, forensically recoverable identifiers.

The file is a 24.98 MB (26,196,992 byte) AMD64 PE binary. Its Digital Product Support (DPS) timestamp reads 2026/03/18:13:53:33, recorded by the Windows PcaSVC service at the time of first execution. This timestamp is stored in the registry and is not altered by renaming or moving the file.

The PcaSVC registry entry additionally records the binary's SizeOfImage field from the PE header: 0x287a000. This value matches the PE optional header exactly and serves as a secondary confirmation that the registered entry corresponds to this specific binary rather than a coincidental name collision.

The binary imports IPHLPAPI.DLL, WININET.dll, USER32.dll, and exports the InternetCloseHandle API, indicating active network connectivity capability — consistent with a loader that contacts an authentication or update endpoint before injecting.

Primary IOCs

1

Cryptographic Hash Verification

The authoritative identifiers for this binary are as follows. Any single hash match is sufficient for positive identification regardless of filename.

SHA-256f9ad0e39cebb900f9864a1bfc4101f5d8562d9ba92e4f5bbb8b8d62daae74713
SHA-15b723c7c90c91c87492cbf870cecf90fde3eb6ac
MD511751c3ee355021886dd70dc09843434

Cross-reference this hash on VirusTotal: VT ↗ f9ad0e39...ae74713

2

DPS Timestamp: 2026/03/18:13:53:33

The Windows Digital Product Support service records execution metadata in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store. The Apateon binary carries a DPS timestamp of 2026/03/18:13:53:33.

This timestamp is set at first execution and persists even after the file is deleted or renamed. During a screenshare review, navigate to the PcaSVC registry key and search for any entry with this date. Its presence confirms the loader was executed on this machine.

3

PcaSVC Image Size: 0x287a000

The Program Compatibility Assistant service (PcaSVC) records the PE SizeOfImage value from the optional header at execution time. For this binary, that value is 0x287a000 (decimal: 42,336,256 bytes).

A match between the PcaSVC-recorded image size and the PE header of any suspicious binary on disk constitutes strong evidence of a match, even if the binary has been renamed or moved. The image size is not user-alterable without recompilation and cannot be changed by simply copying or renaming the file.

4

Prefetch Record (.pf File)

Windows Prefetch records execution events in C:\Windows\Prefetch\. A prefetch file named after the observed executable (e.g., KOKAIZANH.EXE-XXXXXXXX.pf) will be present after execution. The eight-character hex suffix is derived from the file's original path at execution time.

During screenshare, open C:\Windows\Prefetch\ and sort by modification date. Any prefetch entry for an unrecognized executable — particularly one that does not correspond to known system or application files — warrants examination. The last execution timestamp visible in the prefetch filename metadata will correspond to the session in question.

5

YARA Imphash: e3ff36e263cb18c32d2e8447705589f1

The import hash (imphash) of this binary is e3ff36e263cb18c32d2e8447705589f1. The imphash is computed from the ordered list of imported library and function names and does not change with cosmetic alterations to the binary such as section padding or overlay data modification.

A YARA rule matching on this imphash will catch repackaged variants of this loader that share the same import table structure, even if the binary has been re-linked with slightly different resource sections or version information. Include this imphash in your YARA ruleset for ongoing coverage of Apateon distribution variants.

Screenshare Check Methodology

The following procedure is designed for live screenshare review sessions. Steps are ordered from fastest to most thorough. A positive finding at any step is sufficient to flag the session.

1

Open Registry Editor to PcaSVC Compatibility Store

Ask the user to open regedit.exe and navigate to:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store

Search all entries for any with a timestamp value of 2026/03/18. The presence of this date in any entry is a positive indicator. Export the key (File → Export) to preserve the evidence during the session.

2

Check Windows Prefetch Directory

Ask the user to open File Explorer and navigate to C:\Windows\Prefetch\. Sort files by Date Modified (descending). Look for any .pf entries with names that do not correspond to known Windows system binaries or installed applications.

Pay particular attention to short, random-looking executable names (e.g., KOKAIZANH.EXE or similar) or any executable prefetch file that was created or modified in the same session window under review.

3

Verify File via Hash If Binary Is Still Present

If the suspicious file is still present on disk, ask the user to open PowerShell and run:

Get-FileHash "C:\path\to\file.exe" -Algorithm SHA256

Compare the output against the known SHA-256: f9ad0e39cebb900f9864a1bfc4101f5d8562d9ba92e4f5bbb8b8d62daae74713. A match is conclusive.

4

Inspect Network Import Profile

If the binary is present and you have access to static analysis tools, confirm the presence of imports from WININET.dll and IPHLPAPI.DLL, along with the InternetCloseHandle export. This combination is consistent with a network-connected loader binary and is not characteristic of legitimate gaming software.

The file size of approximately 24.98 MB for what presents as a simple game utility is also an anomaly worth noting — legitimate game-adjacent utilities in this category are typically well under 5 MB.

5

Cross-Reference PcaSVC SizeOfImage Value

In the PcaSVC or AppCompatFlags registry entries identified in Step 1, locate the SizeOfImage data associated with the suspicious entry. The Apateon binary's recorded value is 0x287a000.

This value is derived from the PE optional header and cannot be altered by simply renaming the file. A match on both the DPS date and the SizeOfImage value constitutes a definitive two-factor confirmation of the Apateon loader, even if the file itself has been deleted from disk after the session.

Detection Notes

The filename randomization employed by Apateon is the extent of its evasion investment on the file-identity layer. No timestamp manipulation (timestomping) of the PE header or NTFS MFT was observed in the analyzed sample. The DPS and PcaSVC artifacts were written correctly by Windows at execution time and remain unaltered.

The binary does not appear to use any driver-level artifact suppression. Prefetch entries are present, registry traces are written, and the MFT creation timestamp is consistent with the reported DPS execution window. This suggests the Apateon developers rely primarily on the social trust of the screenshare subject (i.e., expecting the checker not to look in the registry) rather than technical anti-forensics.

Server administrators should add the SHA-256, SHA-1, and MD5 hashes to their indicator database and configure automated VirusTotal lookups for any file hashes submitted during screenshare sessions. The imphash (e3ff36e263cb18c32d2e8447705589f1) should be added to YARA rules to catch future repackaged variants.

Network monitoring at the server or gateway level may also surface connections to Apateon authentication endpoints originating from suspicious client processes. The presence of WININET.dll imports indicates HTTP/HTTPS-level outbound connectivity is expected behavior for this binary during its operational window.