Uninstall.exe
- File Path:
C:\Program Files (x86)\WinDirStat\Uninstall.exe
- Description: WinDirStat 1.1.2
- Comments: This release contains both Unicode and ANSI versions of WinDirStat
Hashes
| Type | Hash |
|---|---|
| MD5 | A127E6118B9DD2F9D5A7CC4D697A0105 |
| SHA1 | 9AC17D4DCF0884CEAFACF10C42209C0942DFE7A8 |
| SHA256 | AFC864CFCE79B2A6ADD491A27EA672D958233ED7A97A2CBBCE60100D2FA1E670 |
| SHA384 | C2634C0FB3190AEC4DD85D9CF65BFA53E86C870E73FB39585F6A4C45408A94D75C9389D6E78527F0BE198E3BFCDEA75A |
| SHA512 | 0E57D2856C02C55D477D9B3CC1D4BF5FFA3650D4B20BE18B0A9E614D19143AEE325C4CD92FF31BBDDF6E93CD3EBEB47D8727DE6E25FAA366341CC71117122065 |
| SSDEEP | 768:tnCHBjSfD0RDSjiN+WWrHcRtf55M4z54q+F5871mJMOUlNu0ZBA9U:MHFSfARDSW0HefHbmJZUlNu0bP |
| IMP | 97318DA386948415D08CEF4A9006D669 |
| PESHA1 | 7492D98E007624B3E88BEAB28793286C99FF3D3E |
| PE256 | 3D9DB378FDE5D67C2201DD710A9BEB48A3AC00FF024404C95E207A2716ACEA12 |
Runtime Data
Child Processes:
- Au_.exe
Loaded Modules:
| Path |
|---|
| C:\Program Files (x86)\WinDirStat\Uninstall.exe |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
Signature
- Status: The file C:\Program Files (x86)\WinDirStat\Uninstall.exe is not digitally signed.
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: WinDirStat1_1_2_setup.exe
- Product Name: WinDirStat
- Company Name: WDS Team
- File Version: 1.1.2
- Product Version:
- Language: English (United States)
- Legal Copyright: 2003-2007 WDS Team
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/69
- VirusTotal Link: https://www.virustotal.com/gui/file/afc864cfce79b2a6add491a27ea672d958233ed7a97a2cbbce60100d2fa1e670/detection/
Possible Misuse
The following table contains possible examples of Uninstall.exe being misused. While Uninstall.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | win_builtin_remove_application.yml | title: An Application Is Uninstall | DRL 1.0 |
| sigma | win_susp_system_update_error.yml | - 24 # Uninstallation Failure: Windows failed to uninstall the following update with error | DRL 1.0 |
| sigma | posh_ps_software_discovery.yml | ScriptBlockText\|contains\|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize | DRL 1.0 |
| sigma | proc_creation_win_cleanwipe.yml | CommandLine\|contains: '--uninstall' | DRL 1.0 |
| sigma | proc_creation_win_cleanwipe.yml | - '/uninstall' | DRL 1.0 |
| sigma | proc_creation_win_dsim_remove.yml | description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images | DRL 1.0 |
| sigma | proc_creation_win_susp_disable_raccine.yml | title: Raccine Uninstall | DRL 1.0 |
| sigma | proc_creation_win_susp_wmic_security_product_uninstall.yml | title: Wmic Uninstall Security Product | DRL 1.0 |
| sigma | proc_creation_win_susp_wmic_security_product_uninstall.yml | - 'call uninstall' | DRL 1.0 |
| sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | title: Uninstall Crowdstrike Falcon | DRL 1.0 |
| sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | - ' /uninstall' | DRL 1.0 |
| sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | - Uninstall by admin | DRL 1.0 |
| sigma | proc_creation_win_uninstall_sysmon.yml | title: Uninstall Sysinternals Sysmon | DRL 1.0 |
| sigma | proc_creation_win_uninstall_sysmon.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon | DRL 1.0 |
| sigma | proc_creation_win_wmic_remove_application.yml | title: WMI Uninstall An Application | DRL 1.0 |
| sigma | proc_creation_win_wmic_remove_application.yml | description: Uninstall an application with wmic | DRL 1.0 |
| sigma | proc_creation_win_wmic_remove_application.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic | DRL 1.0 |
| sigma | proc_creation_win_wmic_remove_application.yml | CommandLine\|contains: call uninstall | DRL 1.0 |
| LOLBAS | Installutil.yml | Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies | |
| malware-ioc | rtm | uninstall | © ESET 2014-2018 |
| malware-ioc | rtm | uninstall-lock | © ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #11: Uninstall Sysmon [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #1: Regasm Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #10: Application uninstall using WMIC [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #11: Uninstall Sysmon [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: Regasm Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #10: Application uninstall using WMIC [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | - Atomic Test #10 - Application uninstall using WMIC | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | ## Atomic Test #10 - Application uninstall using WMIC | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | Emulates uninstalling applications using WMIC. This method only works if the product was installed with an msi file. APTs have been seen using this to uninstall security products. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall | MIT License. © 2018 Red Canary |
| atomic-red-team | T1095.md | if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* \| ?{$\_.DisplayName -like "Microsoft Visual C++*"}) ) { | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | - Atomic Test #5 - InstallUtil Uninstall method call - /U variant | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | - Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | ## Atomic Test #5 - InstallUtil Uninstall method call - /U variant | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | Executes the Uninstall Method. Upon execution, version information will be displayed by the .NET framework install utility. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | ## Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | $CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall "$InstallerAssemblyFullPath"" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | - Atomic Test #1 - Regasm Uninstall Method Call Test | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | - Atomic Test #2 - Regsvcs Uninstall Method Call Test | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | ## Atomic Test #1 - Regasm Uninstall Method Call Test | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | ## Atomic Test #2 - Regsvcs Uninstall Method Call Test | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, "I shouldn't really execute" will be displayed | MIT License. © 2018 Red Canary |
| atomic-red-team | T1219.md | $file = 'C:\Program Files (x86)\TeamViewer\uninstall.exe' | MIT License. © 2018 Red Canary |
| atomic-red-team | T1219.md | get-package 'LogMeIn Client' -ErrorAction Ignore \| uninstall-package | MIT License. © 2018 Red Canary |
| atomic-red-team | T1505.002.md | Uninstall-TransportAgent #{transport_agent_identity} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1518.md | Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize | MIT License. © 2018 Red Canary |
| atomic-red-team | T1518.md | Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | - Atomic Test #11 - Uninstall Sysmon | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | - Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | ## Atomic Test #11 - Uninstall Sysmon | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | Uninstall Sysinternals Sysmon for Defense Evasion | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | ## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | if (Test-Path "#{falcond_path}") { . "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse \| % { $sig=$(Get-AuthenticodeSignature -FilePath $\_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$\_" /repair /uninstall /quiet; break;} }} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. | MIT License. © 2018 Red Canary |
| signature-base | apt_eqgrp.yar | $x4 = "%s version %s already has persistence installed. If you want to uninstall," fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_op_cloudhopper.yar | $s2 = "rundll32.exe "%s", UnInstall /update %s" fullword wide | CC BY-NC 4.0 |
| signature-base | crime_buzus_softpulse.yar | $s4 = "CurrentVersion\Uninstall\avast" fullword wide | CC BY-NC 4.0 |
| signature-base | gen_rats_malwareconfig.yar | $a7 = "Uninstall.jarPK" | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $a = "Unable to uninstall the fgexec service" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s3 = "%s -Uninstall -->To Uninstall The Service" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s6 = "Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | and not filename matches /uninstall/ | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.