Uninstall.exe
- File Path:
C:\Program Files\7-Zip\Uninstall.exe - Description: 7-Zip Uninstaller
Hashes
| Type | Hash |
|---|---|
| MD5 | B0CEC9F342BF95700B602EE376446577 |
| SHA1 | B955B1B64280BB0EA873538029CF5EA44081501B |
| SHA256 | 24A2472E3BD5016CB22CE14CEFEE112D5BC18354BF099E8E66AD9846AEA15088 |
| SHA384 | 784E85C86598A1215279F2841E5F9649A0ED1CCE2D9DA3EC2A49FC6BBB505CB4A79AAE9CF7CAF8DEBF45AC855F189FC5 |
| SHA512 | 05EBECFC8D3E2E7885D3CACC65BFD97DB710C2CBC0FB76B19B7D6CC82B327B25DF953A20AFFC8D84002167DD8AC7710622279D3579C6605E742A98FE7095AA4E |
| SSDEEP | 192:WN8CeeT+a2j12sUr/XKRbU+86HOO7+Bb2NpWP1oynJ+y7ihXar28d/o:xeT+a2jfUrfKRa6HiqpA13+y7+Xa1 |
| IMP | 978A83E4E4FC81BD6EC2E78D6B0DAFBD |
| PESHA1 | 41D04A73990C4D591B0F895860B2263CA12CED31 |
| PE256 | 4DA780F6AC1F2D06564D3C56D0D7B26225E8249674B6F1641F59DFDC3378A064 |
Runtime Data
Child Processes:
Uninst.exe
Loaded Modules:
| Path |
|---|
| C:\Program Files\7-Zip\Uninstall.exe |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
Signature
- Status: The file C:\Program Files\7-Zip\Uninstall.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: Uninstall.exe
- Product Name: 7-Zip
- Company Name: Igor Pavlov
- File Version: 19.00
- Product Version: 19.00
- Language: English (United States)
- Legal Copyright: Copyright (c) 1999-2018 Igor Pavlov
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/66
- VirusTotal Link: https://www.virustotal.com/gui/file/24a2472e3bd5016cb22ce14cefee112d5bc18354bf099e8e66ad9846aea15088/detection/
Possible Misuse
The following table contains possible examples of Uninstall.exe being misused. While Uninstall.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | win_builtin_remove_application.yml | title: An Application Is Uninstall |
DRL 1.0 |
| sigma | win_susp_system_update_error.yml | - 24 # Uninstallation Failure: Windows failed to uninstall the following update with error |
DRL 1.0 |
| sigma | posh_ps_software_discovery.yml | ScriptBlockText\|contains\|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize |
DRL 1.0 |
| sigma | proc_creation_win_cleanwipe.yml | CommandLine\|contains: '--uninstall' |
DRL 1.0 |
| sigma | proc_creation_win_cleanwipe.yml | - '/uninstall' |
DRL 1.0 |
| sigma | proc_creation_win_dsim_remove.yml | description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images |
DRL 1.0 |
| sigma | proc_creation_win_susp_disable_raccine.yml | title: Raccine Uninstall |
DRL 1.0 |
| sigma | proc_creation_win_susp_wmic_security_product_uninstall.yml | title: Wmic Uninstall Security Product |
DRL 1.0 |
| sigma | proc_creation_win_susp_wmic_security_product_uninstall.yml | - 'call uninstall' |
DRL 1.0 |
| sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | title: Uninstall Crowdstrike Falcon |
DRL 1.0 |
| sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | - ' /uninstall' |
DRL 1.0 |
| sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | - Uninstall by admin |
DRL 1.0 |
| sigma | proc_creation_win_uninstall_sysmon.yml | title: Uninstall Sysinternals Sysmon |
DRL 1.0 |
| sigma | proc_creation_win_uninstall_sysmon.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon |
DRL 1.0 |
| sigma | proc_creation_win_wmic_remove_application.yml | title: WMI Uninstall An Application |
DRL 1.0 |
| sigma | proc_creation_win_wmic_remove_application.yml | description: Uninstall an application with wmic |
DRL 1.0 |
| sigma | proc_creation_win_wmic_remove_application.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic |
DRL 1.0 |
| sigma | proc_creation_win_wmic_remove_application.yml | CommandLine\|contains: call uninstall |
DRL 1.0 |
| LOLBAS | Installutil.yml | Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies |
|
| malware-ioc | rtm | uninstall |
© ESET 2014-2018 |
| malware-ioc | rtm | uninstall-lock |
© ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #11: Uninstall Sysmon [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #1: Regasm Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #10: Application uninstall using WMIC [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #11: Uninstall Sysmon [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: Regasm Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #10: Application uninstall using WMIC [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | - Atomic Test #10 - Application uninstall using WMIC | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | ## Atomic Test #10 - Application uninstall using WMIC | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | Emulates uninstalling applications using WMIC. This method only works if the product was installed with an msi file. APTs have been seen using this to uninstall security products. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | wmic /node:”#{node}” product where “name like ‘#{product}%%’” call uninstall | MIT License. © 2018 Red Canary |
| atomic-red-team | T1095.md | if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall* | ?{$_.DisplayName -like “Microsoft Visual C++*”}) ) { | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | - Atomic Test #5 - InstallUtil Uninstall method call - /U variant | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | - Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | ## Atomic Test #5 - InstallUtil Uninstall method call - /U variant | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | ## Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | $CommandLine = “/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall "$InstallerAssemblyFullPath”” |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | - Atomic Test #1 - Regasm Uninstall Method Call Test | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | - Atomic Test #2 - Regsvcs Uninstall Method Call Test | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | ## Atomic Test #1 - Regasm Uninstall Method Call Test | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | Executes the Uninstall Method, No Admin Rights Required. Upon execution, “I shouldn’t really execute either.” will be displayed. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | ## Atomic Test #2 - Regsvcs Uninstall Method Call Test | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, “I shouldn’t really execute” will be displayed | MIT License. © 2018 Red Canary |
| atomic-red-team | T1219.md | $file = ‘C:\Program Files (x86)\TeamViewer\uninstall.exe’ | MIT License. © 2018 Red Canary |
| atomic-red-team | T1219.md | get-package ‘LogMeIn Client’ -ErrorAction Ignore | uninstall-package | MIT License. © 2018 Red Canary |
| atomic-red-team | T1505.002.md | Uninstall-TransportAgent #{transport_agent_identity} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1518.md | Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize | MIT License. © 2018 Red Canary |
| atomic-red-team | T1518.md | Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | - Atomic Test #11 - Uninstall Sysmon | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | - Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | ## Atomic Test #11 - Uninstall Sysmon | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | Uninstall Sysinternals Sysmon for Defense Evasion | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | ## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | if (Test-Path “#{falcond_path}”) {. “#{falcond_path}” /repair /uninstall /quiet } else { Get-ChildItem -Path “C:\ProgramData\Package Cache” -Include “WindowsSensor.exe” -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $.FullName); if ($sig.Status -eq “Valid” -and $sig.SignerCertificate.DnsNameList -eq “CrowdStrike, Inc.”) { . “$” /repair /uninstall /quiet; break;} }} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. | MIT License. © 2018 Red Canary |
| signature-base | apt_eqgrp.yar | $x4 = “%s version %s already has persistence installed. If you want to uninstall,” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_op_cloudhopper.yar | $s2 = “rundll32.exe "%s", UnInstall /update %s” fullword wide | CC BY-NC 4.0 |
| signature-base | crime_buzus_softpulse.yar | $s4 = “CurrentVersion\Uninstall\avast” fullword wide | CC BY-NC 4.0 |
| signature-base | gen_rats_malwareconfig.yar | $a7 = “Uninstall.jarPK” | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $a = “Unable to uninstall the fgexec service” | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s3 = “%s -Uninstall –>To Uninstall The Service” | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s6 = “Can’t uninstall,maybe the backdoor is not installed or,the Password you INPUT is” | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | and not filename matches /uninstall/ | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.