[files]
Total=1

[cmd]
numSections=2
1=FILE_BASED VERB_FILE_COPY OBJ_FILE 1
Total=3
2=REGISTRY_BASED VERB_RESTORE_REG_VALUE OBJ_REG_VALUE 2
3=REGISTRY_BASED VERB_RESTORE_REG_KEY OBJ_REG_METADATA 2

[1]
name=MRT.exe.bak
orig=%SystemRoot%\system32\MRT.exe
DateA=2024/06/17 10:09:34
SD=O:BAG:S-1-5-21-3339660976-4175652973-1130352044-513D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x1200a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
attrib=2080
DateC=2021/04/19 09:23:59
DateM=2024/06/17 10:09:34
hash=52F82AD3

[reg]
Total=1

[2]
hive=HKLM
type=REG_SZ
redir=0
empty=0
DateM=2024/06/17 10:14:04
SD=O:SYG:SYD:AI(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)(A;ID;KR;;;AC)(A;CIIOID;GR;;;AC)(A;ID;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)(A;CIIOID;GR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)S:AI
key=Software\Microsoft\Windows\CurrentVersion\Run
param=MRT
data=\u0022\u0043\u003A\u005C\u0057\u0069\u006E\u0064\u006F\u0077\u0073\u005C\u0073\u0079\u0073\u0074\u0065\u006D\u0033\u0032\u005C\u004D\u0052\u0054\u002E\u0065\u0078\u0065\u0022\u0020\u002F\u0052
dataDecoded="C:\Windows\system32\MRT.exe" /R
hash=AC442C9C