Generated docs from job=generate-docs branch=master [ci skip]

2025-08-21 02:34:45 +00:00
parent 39daa38e2d
commit ad700ef5ee
20 changed files with 230 additions and 16 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1735-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1736-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)


 Atomic Red Team™ is a library of tests mapped to the
@@ -79,8 +79,9 @@ defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Cachi
 defense-evasion,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wpbbin.exe File Creation,b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
-defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
+defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
+defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,3,Masquerading cmd.exe as VEDetector.exe,03ae82a6-9fa0-465b-91df-124d8ca5c4e8,powershell
 defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
 defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
@@ -28,7 +28,7 @@ defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Cachi
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,4,Unlimited sudo cache timeout (freebsd),a83ad6e8-6f24-4d7f-8f44-75f8ab742991,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,6,Disable tty_tickets for sudo caching (freebsd),4df6a0fe-2bdd-4be8-8618-a6a19654a57a,sh
-defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
+defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
@@ -15,7 +15,7 @@ defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded Fil
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
-defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
+defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via ioreg,a960185f-aef6-4547-8350-d1ce16680d09,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
@@ -52,6 +52,7 @@ defense-evasion,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wp
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
+defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,3,Masquerading cmd.exe as VEDetector.exe,03ae82a6-9fa0-465b-91df-124d8ca5c4e8,powershell
 defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
 defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
 defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
@@ -105,8 +105,9 @@
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
-  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
+  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory [macos, linux]
  - Atomic Test #2: Masquerade as a built-in system executable [windows]
+  - Atomic Test #3: Masquerading cmd.exe as VEDetector.exe [windows]
 - T1600 Weaken Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564 Hide Artifacts](../../T1564/T1564.md)
@@ -25,7 +25,7 @@
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
-  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
+  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory [macos, linux]
 - T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -21,7 +21,7 @@
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
-  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
+  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory [macos, linux]
 - T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -72,6 +72,7 @@
 - T1218.013 Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1036.005 Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
  - Atomic Test #2: Masquerade as a built-in system executable [windows]
+  - Atomic Test #3: Masquerading cmd.exe as VEDetector.exe [windows]
 - T1036.008 Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564 Hide Artifacts](../../T1564/T1564.md)
  - Atomic Test #1: Extract binary files via VBA [windows]
@@ -3963,7 +3963,7 @@ defense-evasion:
      identifier: T1036.005
    atomic_tests:
    - name: Execute a process from a directory masquerading as the current parent
-        directory.
+        directory
      auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
      description: 'Create and execute a process from a directory masquerading as
        the current parent directory (`...` instead of normal `..`)
@@ -4017,6 +4017,69 @@ defense-evasion:

          '
        name: powershell
+    - name: Masquerading cmd.exe as VEDetector.exe
+      auto_generated_guid: 03ae82a6-9fa0-465b-91df-124d8ca5c4e8
+      description: |
+        This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application.
+        The test copies cmd.exe, renames it to VEDetector.exe, adds a registry run key for persistence, and executes the renamed binary.
+        This technique may be used to evade detection by mimicking legitimate software names or locations.
+
+        **Expected Output:**
+        - A new process named VEDetector.exe appears in the process list, but its behavior matches cmd.exe.
+        - SIEM/EDR systems may detect this as suspicious process activity (e.g., Sysmon Event ID 1 for process creation, or Event ID 13 for registry modifications).
+        - Registry modification in HKLM:\Software\Microsoft\Windows\CurrentVersion\Run may trigger persistence alerts in XDR platforms.
+
+        **References:**
+        - [MITRE ATT&CK T1036.005](https://attack.mitre.org/techniques/T1036/005/)
+        - [Sysmon Process Creation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
+      supported_platforms:
+      - windows
+      input_arguments:
+        ved_path:
+          description: Directory path where VEDetector.exe will be created
+          type: Path
+          default: "$env:TEMP"
+        source_file:
+          description: Path to the source cmd.exe file
+          type: Path
+          default: "$env:SystemRoot\\System32\\cmd.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The source cmd.exe file must exist on the system.
+
+          '
+        prereq_command: 'if (Test-Path "#{source_file}") { exit 0 } else { exit 1
+          }
+
+          '
+        get_prereq_command: |
+          Write-Host "[-] Source file not found: #{source_file}. Ensure cmd.exe exists in the specified path."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          # Copy and rename cmd.exe to VEDetector.exe
+          Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force
+
+          # Create registry run key for persistence
+          New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force
+
+          # Start the renamed process
+          Start-Process -FilePath "#{ved_path}\VEDetector.exe"
+
+          Start-Sleep -Seconds 5
+        cleanup_command: |
+          # Remove registry key
+          Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -ErrorAction SilentlyContinue
+
+          # Stop the process
+          Stop-Process -Name "VEDetector" -Force -ErrorAction SilentlyContinue
+
+          # Remove the file
+          Remove-Item -Path "#{ved_path}\VEDetector.exe" -Force -ErrorAction SilentlyContinue
+
+          Write-Host "[+] Cleaned up VEDetector artifacts"
  T1600:
    technique:
      type: attack-pattern
@@ -2629,7 +2629,7 @@ defense-evasion:
      identifier: T1036.005
    atomic_tests:
    - name: Execute a process from a directory masquerading as the current parent
-        directory.
+        directory
      auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
      description: 'Create and execute a process from a directory masquerading as
        the current parent directory (`...` instead of normal `..`)
@@ -2177,7 +2177,7 @@ defense-evasion:
      identifier: T1036.005
    atomic_tests:
    - name: Execute a process from a directory masquerading as the current parent
-        directory.
+        directory
      auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
      description: 'Create and execute a process from a directory masquerading as
        the current parent directory (`...` instead of normal `..`)
@@ -3173,6 +3173,69 @@ defense-evasion:

          '
        name: powershell
+    - name: Masquerading cmd.exe as VEDetector.exe
+      auto_generated_guid: 03ae82a6-9fa0-465b-91df-124d8ca5c4e8
+      description: |
+        This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application.
+        The test copies cmd.exe, renames it to VEDetector.exe, adds a registry run key for persistence, and executes the renamed binary.
+        This technique may be used to evade detection by mimicking legitimate software names or locations.
+
+        **Expected Output:**
+        - A new process named VEDetector.exe appears in the process list, but its behavior matches cmd.exe.
+        - SIEM/EDR systems may detect this as suspicious process activity (e.g., Sysmon Event ID 1 for process creation, or Event ID 13 for registry modifications).
+        - Registry modification in HKLM:\Software\Microsoft\Windows\CurrentVersion\Run may trigger persistence alerts in XDR platforms.
+
+        **References:**
+        - [MITRE ATT&CK T1036.005](https://attack.mitre.org/techniques/T1036/005/)
+        - [Sysmon Process Creation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
+      supported_platforms:
+      - windows
+      input_arguments:
+        ved_path:
+          description: Directory path where VEDetector.exe will be created
+          type: Path
+          default: "$env:TEMP"
+        source_file:
+          description: Path to the source cmd.exe file
+          type: Path
+          default: "$env:SystemRoot\\System32\\cmd.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The source cmd.exe file must exist on the system.
+
+          '
+        prereq_command: 'if (Test-Path "#{source_file}") { exit 0 } else { exit 1
+          }
+
+          '
+        get_prereq_command: |
+          Write-Host "[-] Source file not found: #{source_file}. Ensure cmd.exe exists in the specified path."
+          exit 1
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          # Copy and rename cmd.exe to VEDetector.exe
+          Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force
+
+          # Create registry run key for persistence
+          New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force
+
+          # Start the renamed process
+          Start-Process -FilePath "#{ved_path}\VEDetector.exe"
+
+          Start-Sleep -Seconds 5
+        cleanup_command: |
+          # Remove registry key
+          Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -ErrorAction SilentlyContinue
+
+          # Stop the process
+          Stop-Process -Name "VEDetector" -Force -ErrorAction SilentlyContinue
+
+          # Remove the file
+          Remove-Item -Path "#{ved_path}\VEDetector.exe" -Force -ErrorAction SilentlyContinue
+
+          Write-Host "[+] Cleaned up VEDetector artifacts"
  T1600:
    technique:
      type: attack-pattern
@@ -10,14 +10,16 @@ This may be done by placing an executable in a commonly trusted directory (ex: u

 ## Atomic Tests

- [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory)
+- [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory)

 - [Atomic Test #2 - Masquerade as a built-in system executable](#atomic-test-2---masquerade-as-a-built-in-system-executable)

+- [Atomic Test #3 - Masquerading cmd.exe as VEDetector.exe](#atomic-test-3---masquerading-cmdexe-as-vedetectorexe)
+

 <br/>

-## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.
+## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory
 Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)

 **Supported Platforms:** macOS, Linux
@@ -99,4 +101,84 @@ Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore



+<br/>
+<br/>
+
+## Atomic Test #3 - Masquerading cmd.exe as VEDetector.exe
+This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application.
+The test copies cmd.exe, renames it to VEDetector.exe, adds a registry run key for persistence, and executes the renamed binary.
+This technique may be used to evade detection by mimicking legitimate software names or locations.
+
+**Expected Output:**
+- A new process named VEDetector.exe appears in the process list, but its behavior matches cmd.exe.
+- SIEM/EDR systems may detect this as suspicious process activity (e.g., Sysmon Event ID 1 for process creation, or Event ID 13 for registry modifications).
+- Registry modification in HKLM:\Software\Microsoft\Windows\CurrentVersion\Run may trigger persistence alerts in XDR platforms.
+
+**References:**
+- [MITRE ATT&CK T1036.005](https://attack.mitre.org/techniques/T1036/005/)
+- [Sysmon Process Creation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 03ae82a6-9fa0-465b-91df-124d8ca5c4e8
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ved_path | Directory path where VEDetector.exe will be created | Path | $env:TEMP|
+| source_file | Path to the source cmd.exe file | Path | $env:SystemRoot&#92;System32&#92;cmd.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+# Copy and rename cmd.exe to VEDetector.exe
+Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force
+
+# Create registry run key for persistence
+New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force
+
+# Start the renamed process
+Start-Process -FilePath "#{ved_path}\VEDetector.exe"
+
+Start-Sleep -Seconds 5
+```
+
+#### Cleanup Commands:
+```powershell
+# Remove registry key
+Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -ErrorAction SilentlyContinue
+
+# Stop the process
+Stop-Process -Name "VEDetector" -Force -ErrorAction SilentlyContinue
+
+# Remove the file
+Remove-Item -Path "#{ved_path}\VEDetector.exe" -Force -ErrorAction SilentlyContinue
+
+Write-Host "[+] Cleaned up VEDetector artifacts"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The source cmd.exe file must exist on the system.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{source_file}") { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "[-] Source file not found: #{source_file}. Ensure cmd.exe exists in the specified path."
+exit 1
+```
+
+
+
+
 <br/>
@@ -53,6 +53,7 @@ atomic_tests:
    name: powershell

 - name: Masquerading cmd.exe as VEDetector.exe
+  auto_generated_guid: 03ae82a6-9fa0-465b-91df-124d8ca5c4e8
  description: |
    This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application.
    The test copies cmd.exe, renames it to VEDetector.exe, adds a registry run key for persistence, and executes the renamed binary.
@@ -1759,3 +1759,4 @@ e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d
 b404caaa-12ce-43c7-9214-62a531c044f7
 05e8942e-f04f-460a-b560-f7781257feec
 825ba8ca-71cc-436b-b1dd-ea0d5e109086
+03ae82a6-9fa0-465b-91df-124d8ca5c4e8