taskkill.exe taskkill /im hale.exe /f
2700attrib.exe attrib -r -a -s -h C:\Windows\system32\hale.exe
2872cmd.exe cmd.exe /A /C "del /f %SystemRoot%\system32\hale.exe 2>NUL>NUL"
2916takeown.exe takeown /f C:\Windows\servicing\TrustedInstaller.exe
3004icacls.exe icacls C:\Windows\servicing\TrustedInstaller.exe /grant *S-1-1-0:F
2056bcdedit.exe bcdedit.exe -set testsigning off
2136sc.exe sc config sppsvc start= delayed-auto
2252sc.exe sc config sppuinotify start= demand
2520net1.exe C:\Windows\system32\net1 start sppsvc
2632net1.exe C:\Windows\system32\net1 start sppuinotify
2936cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
3000cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs.removewat slmgr.vbs 2>NUL>NUL"
2080cscript.exe cscript.exe //nologo C:\Windows\system32\slmgr.vbs -rilc
2064sc.exe sc stop uodin86
3032sc.exe sc delete uodin86
2744sc.exe sc stop uodin64
1576sc.exe sc delete uodin64
2420net1.exe C:\Windows\system32\net1 stop sppsvc
2760net1.exe C:\Windows\system32\net1 stop sppuinotify
452takeown.exe takeown /f C:\Windows\system32\drivers\uodin86.sys
2580takeown.exe takeown /f C:\Windows\system32\drivers\uodin64.sys
2012icacls.exe icacls C:\Windows\system32\drivers\uodin86.sys /grant *S-1-1-0:F
1560icacls.exe icacls C:\Windows\system32\drivers\uodin64.sys /grant *S-1-1-0:F
2636cmd.exe cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin86.sys 2>NUL>NUL"
2776cmd.exe cmd.exe /A /C "del /f %SystemRoot%\system32\drivers\uodin64.sys 2>NUL>NUL"
1920takeown.exe takeown /f C:\Windows\SysWOW64\slmgr.vbs
1364icacls.exe icacls C:\Windows\SysWOW64\slmgr.vbs /grant *S-1-1-0:F
916cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slmgr.vbs slmgr.vbs.ngmvy"
1376takeown.exe takeown /f C:\Windows\SysWOW64\user32.dll
2216icacls.exe icacls C:\Windows\SysWOW64\user32.dll /grant *S-1-1-0:F
544cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\user32.dll user32.dll.ngmvy"
3104takeown.exe takeown /f C:\Windows\SysWOW64\slwga.dll
3192icacls.exe icacls C:\Windows\SysWOW64\slwga.dll /grant *S-1-1-0:F
3284cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slwga.dll slwga.dll.ngmvy"
3332takeown.exe takeown /f C:\Windows\SysWOW64\sppcomapi.dll
3444icacls.exe icacls C:\Windows\SysWOW64\sppcomapi.dll /grant *S-1-1-0:F
3536cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcomapi.dll sppcomapi.dll.ngmvy"
3584takeown.exe takeown /f C:\Windows\SysWOW64\sppcommdlg.dll
3672icacls.exe icacls C:\Windows\SysWOW64\sppcommdlg.dll /grant *S-1-1-0:F
3764cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppcommdlg.dll sppcommdlg.dll.ngmvy"
3812takeown.exe takeown /f C:\Windows\SysWOW64\sppuinotify.dll
3900icacls.exe icacls C:\Windows\SysWOW64\sppuinotify.dll /grant *S-1-1-0:F
3992cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppuinotify.dll sppuinotify.dll.ngmvy"
4040takeown.exe takeown /f C:\Windows\SysWOW64\sppwmi.dll
1848icacls.exe icacls C:\Windows\SysWOW64\sppwmi.dll /grant *S-1-1-0:F
3232cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\sppwmi.dll sppwmi.dll.ngmvy"
3316takeown.exe takeown /f C:\Windows\SysWOW64\systemcpl.dll
3432icacls.exe icacls C:\Windows\SysWOW64\systemcpl.dll /grant *S-1-1-0:F
3576cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\systemcpl.dll systemcpl.dll.ngmvy"
3640takeown.exe takeown /f C:\Windows\SysWOW64\winlogon.exe
3796icacls.exe icacls C:\Windows\SysWOW64\winlogon.exe /grant *S-1-1-0:F
3928cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winlogon.exe winlogon.exe.ngmvy"
4012takeown.exe takeown /f C:\Windows\SysWOW64\winver.exe
2084icacls.exe icacls C:\Windows\SysWOW64\winver.exe /grant *S-1-1-0:F
3364cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\winver.exe winver.exe.ngmvy"
3404takeown.exe takeown /f C:\Windows\SysWOW64\slui.exe
3660icacls.exe icacls C:\Windows\SysWOW64\slui.exe /grant *S-1-1-0:F
3916cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\slui.exe slui.exe.ngmvy"
4036takeown.exe takeown /f C:\Windows\SysWOW64\ntkrnlpa.exe
3456icacls.exe icacls C:\Windows\SysWOW64\ntkrnlpa.exe /grant *S-1-1-0:F
3760cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntkrnlpa.exe ntkrnlpa.exe.ngmvy"
3968takeown.exe takeown /f C:\Windows\SysWOW64\ntoskrnl.exe
3312icacls.exe icacls C:\Windows\SysWOW64\ntoskrnl.exe /grant *S-1-1-0:F
3932cmd.exe cmd.exe /A /C "ren %SystemRoot%\SysWOW64\ntoskrnl.exe ntoskrnl.exe.ngmvy"
3524takeown.exe takeown /f C:\Windows\SysWOW64\Wat\*
3920icacls.exe icacls C:\Windows\SysWOW64\Wat\* /grant *S-1-1-0:F
3208takeown.exe takeown /f C:\Windows\system32\slmgr.vbs
740icacls.exe icacls C:\Windows\system32\slmgr.vbs /grant *S-1-1-0:F
4180cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\slmgr.vbs slmgr.vbs.ngmvy"
4228takeown.exe takeown /f C:\Windows\system32\user32.dll
4316icacls.exe icacls C:\Windows\system32\user32.dll /grant *S-1-1-0:F
4436cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\user32.dll user32.dll.ngmvy"
4544takeown.exe takeown /f C:\Windows\system32\slwga.dll
4696icacls.exe icacls C:\Windows\system32\slwga.dll /grant *S-1-1-0:F
4828cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\slwga.dll slwga.dll.ngmvy"
4888takeown.exe takeown /f C:\Windows\system32\sppcomapi.dll
4980icacls.exe icacls C:\Windows\system32\sppcomapi.dll /grant *S-1-1-0:F
5076cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppcomapi.dll sppcomapi.dll.ngmvy"
4108takeown.exe takeown /f C:\Windows\system32\sppcommdlg.dll
4220icacls.exe icacls C:\Windows\system32\sppcommdlg.dll /grant *S-1-1-0:F
4384cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppcommdlg.dll sppcommdlg.dll.ngmvy"
4448takeown.exe takeown /f C:\Windows\system32\sppuinotify.dll
4632icacls.exe icacls C:\Windows\system32\sppuinotify.dll /grant *S-1-1-0:F
1708cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppuinotify.dll sppuinotify.dll.ngmvy"
4860takeown.exe takeown /f C:\Windows\system32\sppwmi.dll
5012icacls.exe icacls C:\Windows\system32\sppwmi.dll /grant *S-1-1-0:F
2344cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\sppwmi.dll sppwmi.dll.ngmvy"
3348takeown.exe takeown /f C:\Windows\system32\systemcpl.dll
4168icacls.exe icacls C:\Windows\system32\systemcpl.dll /grant *S-1-1-0:F
4392cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\systemcpl.dll systemcpl.dll.ngmvy"
4548takeown.exe takeown /f C:\Windows\system32\winlogon.exe
4880icacls.exe icacls C:\Windows\system32\winlogon.exe /grant *S-1-1-0:F
5088cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\winlogon.exe winlogon.exe.ngmvy"
4128takeown.exe takeown /f C:\Windows\system32\winver.exe
4336icacls.exe icacls C:\Windows\system32\winver.exe /grant *S-1-1-0:F
1868cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\winver.exe winver.exe.ngmvy"
4756takeown.exe takeown /f C:\Windows\system32\slui.exe
1172icacls.exe icacls C:\Windows\system32\slui.exe /grant *S-1-1-0:F
252takeown.exe takeown /f C:\Windows\system32\ntkrnlpa.exe
4672icacls.exe icacls C:\Windows\system32\ntkrnlpa.exe /grant *S-1-1-0:F
4224cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\ntkrnlpa.exe ntkrnlpa.exe.ngmvy"
4416takeown.exe takeown /f C:\Windows\system32\ntoskrnl.exe
4260icacls.exe icacls C:\Windows\system32\ntoskrnl.exe /grant *S-1-1-0:F
4656cmd.exe cmd.exe /A /C "ren %SystemRoot%\system32\ntoskrnl.exe ntoskrnl.exe.ngmvy"
4512takeown.exe takeown /f C:\Windows\system32\Wat\*
2128icacls.exe icacls C:\Windows\system32\Wat\* /grant *S-1-1-0:F
5124cmd.exe cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\RAI 2>NUL>NUL"
5196cmd.exe cmd.exe /A /C "rmdir /s /q %ALLUSERSPROFILE%\Microsoft\Windows\SXS 2>NUL>NUL"
5240reg.exe reg delete HKLM\SOFTWARE\HAL7600 /f
5328reg.exe reg delete HKLM\SOFTWARE\Chew7 /f
5416cmd.exe cmd.exe /A /C "reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f 2>NUL>NUL"
5460reg.exe reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Chew7Hale /f
5504schtasks.exe schtasks.exe /delete /tn \Microsoft\Windows\RAI\RaiTask /f
5592schtasks.exe schtasks.exe /delete /tn \Microsoft\Windows\PMS\ResetDTL /f
5684net1.exe C:\Windows\system32\net1 START "Windows Modules Installer"
5820sfc.exe /scanfile=C:\Windows\SysWOW64\slmgr.vbs
5900sfc.exe /scanfile=C:\Windows\System32\slmgr.vbs
5980sfc.exe /scanfile=C:\Windows\SysWOW64\user32.dll
6080sfc.exe /scanfile=C:\Windows\System32\user32.dll
5156sfc.exe /scanfile=C:\Windows\SysWOW64\slwga.dll
5256sfc.exe /scanfile=C:\Windows\System32\slwga.dll
5324sfc.exe /scanfile=C:\Windows\SysWOW64\sppcomapi.dll
5492sfc.exe /scanfile=C:\Windows\System32\sppcomapi.dll
5624sfc.exe /scanfile=C:\Windows\SysWOW64\sppcommdlg.dll
5688sfc.exe /scanfile=C:\Windows\System32\sppcommdlg.dll
5892sfc.exe /scanfile=C:\Windows\SysWOW64\sppuinotify.dll
5952sfc.exe /scanfile=C:\Windows\System32\sppuinotify.dll
6024sfc.exe /scanfile=C:\Windows\SysWOW64\sppwmi.dll
5168sfc.exe /scanfile=C:\Windows\System32\sppwmi.dll
5340sfc.exe /scanfile=C:\Windows\SysWOW64\systemcpl.dll
5436sfc.exe /scanfile=C:\Windows\System32\systemcpl.dll
5656sfc.exe /scanfile=C:\Windows\SysWOW64\winlogon.exe
5884sfc.exe /scanfile=C:\Windows\System32\winlogon.exe
5976sfc.exe /scanfile=C:\Windows\SysWOW64\winver.exe
6096sfc.exe /scanfile=C:\Windows\System32\winver.exe
5228sfc.exe /scanfile=C:\Windows\SysWOW64\slui.exe
5288sfc.exe /scanfile=C:\Windows\System32\slui.exe
5500sfc.exe /scannow
5748