uninstall.exe
- File Path:
C:\Program Files\VideoLAN\VLC\uninstall.exe
Hashes
Type | Hash |
---|---|
MD5 | 1733CB587F613028B3CD0C2CAB65F537 |
SHA1 | DCACD804242A7CE0F2176F410411C61895183A45 |
SHA256 | 8E98238FD2B28836F2D5B50D25D7B704B62CBF697DB08BC42543F3E5870006A4 |
SHA384 | 4FDB550DC3E424A110B90D3E72660261D5AF6C7EFF07C2E9559763EFE116F73C3C0C089075612E872D0B6EB2072CCF1E |
SHA512 | 5793B5B46E7F536B696087F7A7050666F1E7B930FB6BEAFB4888D4FFF74E1BBBF11374EEB74DD2B49E973D6A0DEA380CBDA7EDE4A6218B012165C74397EA3DF9 |
SSDEEP | 6144:pzO5Qvk6R4ziUk96kADCqkQWzvnIlF/2OiCypQkf:9Oh6BbqtWzvIlR2OiT1 |
IMP | 0A20B8E464E26D9DEB5556274A8BE70A |
Runtime Data
Child Processes:
Un_A.exe
Loaded Modules:
Path |
---|
C:\Program Files\VideoLAN\VLC\uninstall.exe |
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\wow64.dll |
C:\Windows\System32\wow64cpu.dll |
C:\Windows\System32\wow64win.dll |
Signature
- Status: The file C:\Program Files\VideoLAN\VLC\uninstall.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename:
- Product Name:
- Company Name:
- File Version:
- Product Version:
- Language:
- Legal Copyright:
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/71
- VirusTotal Link: https://www.virustotal.com/gui/file/8e98238fd2b28836f2d5b50d25d7b704b62cbf697db08bc42543f3e5870006a4/detection/
Possible Misuse
The following table contains possible examples of uninstall.exe
being misused. While uninstall.exe
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | win_builtin_remove_application.yml | title: An Application Is Uninstall |
DRL 1.0 |
sigma | win_susp_system_update_error.yml | - 24 # Uninstallation Failure: Windows failed to uninstall the following update with error |
DRL 1.0 |
sigma | posh_ps_software_discovery.yml | ScriptBlockText\|contains\|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize |
DRL 1.0 |
sigma | proc_creation_win_cleanwipe.yml | CommandLine\|contains: '--uninstall' |
DRL 1.0 |
sigma | proc_creation_win_cleanwipe.yml | - '/uninstall' |
DRL 1.0 |
sigma | proc_creation_win_dsim_remove.yml | description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images |
DRL 1.0 |
sigma | proc_creation_win_susp_disable_raccine.yml | title: Raccine Uninstall |
DRL 1.0 |
sigma | proc_creation_win_susp_wmic_security_product_uninstall.yml | title: Wmic Uninstall Security Product |
DRL 1.0 |
sigma | proc_creation_win_susp_wmic_security_product_uninstall.yml | - 'call uninstall' |
DRL 1.0 |
sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | title: Uninstall Crowdstrike Falcon |
DRL 1.0 |
sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | - ' /uninstall' |
DRL 1.0 |
sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | - Uninstall by admin |
DRL 1.0 |
sigma | proc_creation_win_uninstall_sysmon.yml | title: Uninstall Sysinternals Sysmon |
DRL 1.0 |
sigma | proc_creation_win_uninstall_sysmon.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon |
DRL 1.0 |
sigma | proc_creation_win_wmic_remove_application.yml | title: WMI Uninstall An Application |
DRL 1.0 |
sigma | proc_creation_win_wmic_remove_application.yml | description: Uninstall an application with wmic |
DRL 1.0 |
sigma | proc_creation_win_wmic_remove_application.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic |
DRL 1.0 |
sigma | proc_creation_win_wmic_remove_application.yml | CommandLine\|contains: call uninstall |
DRL 1.0 |
LOLBAS | Installutil.yml | Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies |
|
malware-ioc | rtm | uninstall |
© ESET 2014-2018 |
malware-ioc | rtm | uninstall-lock |
© ESET 2014-2018 |
atomic-red-team | index.md | - Atomic Test #11: Uninstall Sysmon [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #1: Regasm Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #10: Application uninstall using WMIC [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #11: Uninstall Sysmon [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: Regasm Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #10: Application uninstall using WMIC [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | - Atomic Test #10 - Application uninstall using WMIC | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | ## Atomic Test #10 - Application uninstall using WMIC | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | Emulates uninstalling applications using WMIC. This method only works if the product was installed with an msi file. APTs have been seen using this to uninstall security products. | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | wmic /node:”#{node}” product where “name like ‘#{product}%%’” call uninstall | MIT License. © 2018 Red Canary |
atomic-red-team | T1095.md | if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall* | ?{$_.DisplayName -like “Microsoft Visual C++*”}) ) { | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | - Atomic Test #5 - InstallUtil Uninstall method call - /U variant | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | - Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | ## Atomic Test #5 - InstallUtil Uninstall method call - /U variant | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | ## Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | $CommandLine = “/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall "$InstallerAssemblyFullPath ”” |
MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | - Atomic Test #1 - Regasm Uninstall Method Call Test | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | - Atomic Test #2 - Regsvcs Uninstall Method Call Test | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | ## Atomic Test #1 - Regasm Uninstall Method Call Test | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | Executes the Uninstall Method, No Admin Rights Required. Upon execution, “I shouldn’t really execute either.” will be displayed. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | ## Atomic Test #2 - Regsvcs Uninstall Method Call Test | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, “I shouldn’t really execute” will be displayed | MIT License. © 2018 Red Canary |
atomic-red-team | T1219.md | $file = ‘C:\Program Files (x86)\TeamViewer\uninstall.exe’ | MIT License. © 2018 Red Canary |
atomic-red-team | T1219.md | get-package ‘LogMeIn Client’ -ErrorAction Ignore | uninstall-package | MIT License. © 2018 Red Canary |
atomic-red-team | T1505.002.md | Uninstall-TransportAgent #{transport_agent_identity} | MIT License. © 2018 Red Canary |
atomic-red-team | T1518.md | Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize | MIT License. © 2018 Red Canary |
atomic-red-team | T1518.md | Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | - Atomic Test #11 - Uninstall Sysmon | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | - Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | ## Atomic Test #11 - Uninstall Sysmon | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | Uninstall Sysinternals Sysmon for Defense Evasion | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | ## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller. | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | if (Test-Path “#{falcond_path}”) {. “#{falcond_path}” /repair /uninstall /quiet } else { Get-ChildItem -Path “C:\ProgramData\Package Cache” -Include “WindowsSensor.exe” -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $.FullName); if ($sig.Status -eq “Valid” -and $sig.SignerCertificate.DnsNameList -eq “CrowdStrike, Inc.”) { . “$” /repair /uninstall /quiet; break;} }} | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. | MIT License. © 2018 Red Canary |
signature-base | apt_eqgrp.yar | $x4 = “%s version %s already has persistence installed. If you want to uninstall,” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_op_cloudhopper.yar | $s2 = “rundll32.exe "%s", UnInstall /update %s” fullword wide | CC BY-NC 4.0 |
signature-base | crime_buzus_softpulse.yar | $s4 = “CurrentVersion\Uninstall\avast” fullword wide | CC BY-NC 4.0 |
signature-base | gen_rats_malwareconfig.yar | $a7 = “Uninstall.jarPK” | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $a = “Unable to uninstall the fgexec service” | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s3 = “%s -Uninstall –>To Uninstall The Service” | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s6 = “Can’t uninstall,maybe the backdoor is not installed or,the Password you INPUT is” | CC BY-NC 4.0 |
signature-base | thor_inverse_matches.yar | and not filename matches /uninstall/ | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.