Uninstall.exe

  • File Path: C:\Program Files\7-Zip\Uninstall.exe
  • Description: 7-Zip Uninstaller

Hashes

Type Hash
MD5 B0CEC9F342BF95700B602EE376446577
SHA1 B955B1B64280BB0EA873538029CF5EA44081501B
SHA256 24A2472E3BD5016CB22CE14CEFEE112D5BC18354BF099E8E66AD9846AEA15088
SHA384 784E85C86598A1215279F2841E5F9649A0ED1CCE2D9DA3EC2A49FC6BBB505CB4A79AAE9CF7CAF8DEBF45AC855F189FC5
SHA512 05EBECFC8D3E2E7885D3CACC65BFD97DB710C2CBC0FB76B19B7D6CC82B327B25DF953A20AFFC8D84002167DD8AC7710622279D3579C6605E742A98FE7095AA4E
SSDEEP 192:WN8CeeT+a2j12sUr/XKRbU+86HOO7+Bb2NpWP1oynJ+y7ihXar28d/o:xeT+a2jfUrfKRa6HiqpA13+y7+Xa1
IMP 978A83E4E4FC81BD6EC2E78D6B0DAFBD
PESHA1 41D04A73990C4D591B0F895860B2263CA12CED31
PE256 4DA780F6AC1F2D06564D3C56D0D7B26225E8249674B6F1641F59DFDC3378A064

Runtime Data

Child Processes:

Uninst.exe

Loaded Modules:

Path
C:\Program Files\7-Zip\Uninstall.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: The file C:\Program Files\7-Zip\Uninstall.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: Uninstall.exe
  • Product Name: 7-Zip
  • Company Name: Igor Pavlov
  • File Version: 19.00
  • Product Version: 19.00
  • Language: English (United States)
  • Legal Copyright: Copyright (c) 1999-2018 Igor Pavlov
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/66
  • VirusTotal Link: https://www.virustotal.com/gui/file/24a2472e3bd5016cb22ce14cefee112d5bc18354bf099e8e66ad9846aea15088/detection/

Possible Misuse

The following table contains possible examples of Uninstall.exe being misused. While Uninstall.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_disable_raccine.yml title: Raccine Uninstall DRL 1.0
sigma win_susp_wmic_security_product_uninstall.yml title: Wmic Uninstall Security Product DRL 1.0
sigma win_susp_wmic_security_product_uninstall.yml - 'call uninstall' DRL 1.0
LOLBAS Installutil.yml Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies  
malware-ioc rtm uninstall © ESET 2014-2018
malware-ioc rtm uninstall-lock © ESET 2014-2018
atomic-red-team index.md - Atomic Test #11: Uninstall Sysmon [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Regasm Uninstall Method Call Test [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #11: Uninstall Sysmon [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Regasm Uninstall Method Call Test [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] MIT License. © 2018 Red Canary
atomic-red-team T1095.md if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall* | ?{$_.DisplayName -like “Microsoft Visual C++*”}) ) { MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md - Atomic Test #5 - InstallUtil Uninstall method call - /U variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md - Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md ## Atomic Test #5 - InstallUtil Uninstall method call - /U variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md ## Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md $CommandLine = “/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall "$InstallerAssemblyFullPath”” MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md - Atomic Test #1 - Regasm Uninstall Method Call Test MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md - Atomic Test #2 - Regsvcs Uninstall Method Call Test MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md ## Atomic Test #1 - Regasm Uninstall Method Call Test MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md Executes the Uninstall Method, No Admin Rights Required. Upon execution, “I shouldn’t really execute either.” will be displayed. MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md ## Atomic Test #2 - Regsvcs Uninstall Method Call Test MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, “I shouldn’t really execute” will be displayed MIT License. © 2018 Red Canary
atomic-red-team T1219.md $file = ‘C:\Program Files (x86)\TeamViewer\uninstall.exe’ MIT License. © 2018 Red Canary
atomic-red-team T1219.md get-package ‘LogMeIn Client’ -ErrorAction Ignore | uninstall-package MIT License. © 2018 Red Canary
atomic-red-team T1505.002.md Uninstall-TransportAgent #{transport_agent_identity} MIT License. © 2018 Red Canary
atomic-red-team T1518.md Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize MIT License. © 2018 Red Canary
atomic-red-team T1518.md Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md - Atomic Test #11 - Uninstall Sysmon MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md - Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md ## Atomic Test #11 - Uninstall Sysmon MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md Uninstall Sysinternals Sysmon for Defense Evasion MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md ## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller. MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md if (Test-Path “#{falcond_path}”) {. “#{falcond_path}” /repair /uninstall /quiet } else { Get-ChildItem -Path “C:\ProgramData\Package Cache” -Include “WindowsSensor.exe” -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $.FullName); if ($sig.Status -eq “Valid” -and $sig.SignerCertificate.DnsNameList -eq “CrowdStrike, Inc.”) { . “$” /repair /uninstall /quiet; break;} }} MIT License. © 2018 Red Canary
signature-base apt_eqgrp.yar $x4 = “%s version %s already has persistence installed. If you want to uninstall,” fullword ascii CC BY-NC 4.0
signature-base apt_op_cloudhopper.yar $s2 = “rundll32.exe "%s", UnInstall /update %s” fullword wide CC BY-NC 4.0
signature-base crime_buzus_softpulse.yar $s4 = “CurrentVersion\Uninstall\avast” fullword wide CC BY-NC 4.0
signature-base gen_rats_malwareconfig.yar $a7 = “Uninstall.jarPK” CC BY-NC 4.0
signature-base thor-hacktools.yar $a = “Unable to uninstall the fgexec service” CC BY-NC 4.0
signature-base thor-webshells.yar $s3 = “%s -Uninstall –>To Uninstall The Service” CC BY-NC 4.0
signature-base thor-webshells.yar $s6 = “Can’t uninstall,maybe the backdoor is not installed or,the Password you INPUT is” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.