Uninstall.exe

  • File Path: C:\Program Files (x86)\WinDirStat\Uninstall.exe
  • Description: WinDirStat 1.1.2
  • Comments: This release contains both, Unicode and ANSI version of WinDirStat

Hashes

Type Hash
MD5 A127E6118B9DD2F9D5A7CC4D697A0105
SHA1 9AC17D4DCF0884CEAFACF10C42209C0942DFE7A8
SHA256 AFC864CFCE79B2A6ADD491A27EA672D958233ED7A97A2CBBCE60100D2FA1E670
SHA384 C2634C0FB3190AEC4DD85D9CF65BFA53E86C870E73FB39585F6A4C45408A94D75C9389D6E78527F0BE198E3BFCDEA75A
SHA512 0E57D2856C02C55D477D9B3CC1D4BF5FFA3650D4B20BE18B0A9E614D19143AEE325C4CD92FF31BBDDF6E93CD3EBEB47D8727DE6E25FAA366341CC71117122065
SSDEEP 768:tnCHBjSfD0RDSjiN+WWrHcRtf55M4z54q+F5871mJMOUlNu0ZBA9U:MHFSfARDSW0HefHbmJZUlNu0bP
IMP 97318DA386948415D08CEF4A9006D669
PESHA1 7492D98E007624B3E88BEAB28793286C99FF3D3E
PE256 3D9DB378FDE5D67C2201DD710A9BEB48A3AC00FF024404C95E207A2716ACEA12

Runtime Data

Child Processes:

Au_.exe

Loaded Modules:

Path
C:\Program Files (x86)\WinDirStat\Uninstall.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: The file C:\Program Files (x86)\WinDirStat\Uninstall.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: WinDirStat1_1_2_setup.exe
  • Product Name: WinDirStat
  • Company Name: WDS Team
  • File Version: 1.1.2
  • Product Version:
  • Language: English (United States)
  • Legal Copyright: 2003-2007 WDS Team
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/afc864cfce79b2a6add491a27ea672d958233ed7a97a2cbbce60100d2fa1e670/detection/

Possible Misuse

The following table contains possible examples of Uninstall.exe being misused. While Uninstall.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_disable_raccine.yml title: Raccine Uninstall DRL 1.0
sigma win_susp_wmic_security_product_uninstall.yml title: Wmic Uninstall Security Product DRL 1.0
sigma win_susp_wmic_security_product_uninstall.yml - 'call uninstall' DRL 1.0
LOLBAS Installutil.yml Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies  
malware-ioc rtm uninstall © ESET 2014-2018
malware-ioc rtm uninstall-lock © ESET 2014-2018
atomic-red-team index.md - Atomic Test #11: Uninstall Sysmon [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Regasm Uninstall Method Call Test [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #11: Uninstall Sysmon [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Regasm Uninstall Method Call Test [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] MIT License. © 2018 Red Canary
atomic-red-team T1095.md if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall* | ?{$_.DisplayName -like “Microsoft Visual C++*”}) ) { MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md - Atomic Test #5 - InstallUtil Uninstall method call - /U variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md - Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md ## Atomic Test #5 - InstallUtil Uninstall method call - /U variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md ## Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md $CommandLine = “/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall "$InstallerAssemblyFullPath”” MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md - Atomic Test #1 - Regasm Uninstall Method Call Test MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md - Atomic Test #2 - Regsvcs Uninstall Method Call Test MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md ## Atomic Test #1 - Regasm Uninstall Method Call Test MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md Executes the Uninstall Method, No Admin Rights Required. Upon execution, “I shouldn’t really execute either.” will be displayed. MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md ## Atomic Test #2 - Regsvcs Uninstall Method Call Test MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, “I shouldn’t really execute” will be displayed MIT License. © 2018 Red Canary
atomic-red-team T1219.md $file = ‘C:\Program Files (x86)\TeamViewer\uninstall.exe’ MIT License. © 2018 Red Canary
atomic-red-team T1219.md get-package ‘LogMeIn Client’ -ErrorAction Ignore | uninstall-package MIT License. © 2018 Red Canary
atomic-red-team T1505.002.md Uninstall-TransportAgent #{transport_agent_identity} MIT License. © 2018 Red Canary
atomic-red-team T1518.md Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize MIT License. © 2018 Red Canary
atomic-red-team T1518.md Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md - Atomic Test #11 - Uninstall Sysmon MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md - Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md ## Atomic Test #11 - Uninstall Sysmon MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md Uninstall Sysinternals Sysmon for Defense Evasion MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md ## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller. MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md if (Test-Path “#{falcond_path}”) {. “#{falcond_path}” /repair /uninstall /quiet } else { Get-ChildItem -Path “C:\ProgramData\Package Cache” -Include “WindowsSensor.exe” -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $.FullName); if ($sig.Status -eq “Valid” -and $sig.SignerCertificate.DnsNameList -eq “CrowdStrike, Inc.”) { . “$” /repair /uninstall /quiet; break;} }} MIT License. © 2018 Red Canary
signature-base apt_eqgrp.yar $x4 = “%s version %s already has persistence installed. If you want to uninstall,” fullword ascii CC BY-NC 4.0
signature-base apt_op_cloudhopper.yar $s2 = “rundll32.exe "%s", UnInstall /update %s” fullword wide CC BY-NC 4.0
signature-base crime_buzus_softpulse.yar $s4 = “CurrentVersion\Uninstall\avast” fullword wide CC BY-NC 4.0
signature-base gen_rats_malwareconfig.yar $a7 = “Uninstall.jarPK” CC BY-NC 4.0
signature-base thor-hacktools.yar $a = “Unable to uninstall the fgexec service” CC BY-NC 4.0
signature-base thor-webshells.yar $s3 = “%s -Uninstall –>To Uninstall The Service” CC BY-NC 4.0
signature-base thor-webshells.yar $s6 = “Can’t uninstall,maybe the backdoor is not installed or,the Password you INPUT is” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.