Uninstall.exe
- File Path:
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
- Description: Mozilla Maintenance Service Installer
Hashes
Type | Hash |
---|---|
MD5 | E0C02188DF20A7E09159000869EB86D1 |
SHA1 | 1A43C53A8C4385B50E811882377E4130D963472A |
SHA256 | 71C82D36F4BD04D742F28ED4BD689DA95614CABE6B0693DC12BED37A4689520B |
SHA384 | F31AD60D2490E34A8C1583E87D93E69D2260AD671E99FFB36A3587DC3AAFBE44658ED861B1730BA239901BC0DDA1AD1B |
SHA512 | D33AB7062B736FF19C1AF046DBAE5B55254FAC19A5F15DE47AD44DF224469B0A7725B9B0DD5362EF22AC43C7AF25A5C858C473323FE6F5B54E08E7DFF73D3E9A |
SSDEEP | 1536:1axBRlYypb5j8ugsQ0DjLiLuJqkSZZZ3gURD8ib8KdBlDZauT41a/kxWO7iIy4Ll:1IlLpNjldDfiLurUNRD5bPdO7y4DP7B |
IMP | E2A592076B17EF8BFB48B7E03965A3FC |
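As an added example (not from the Strontic page, and not Mozilla code), the script below hashes a local copy of the binary in a single pass and compares it against the table above. The expected values are copied from the table; IMP and ssdeep are left out because hashlib cannot compute them. The point worth taking from it is the verdict logic: when some digests agree and others do not, the right answer is "investigate", not "same file".

```python
"""Check a local copy of Uninstall.exe against the hash table on this page.

Added example (not part of the Strontic page or of Mozilla's code). The
expected values are copied from the Hashes table above; IMP and ssdeep are
omitted because hashlib cannot compute them.
"""
import hashlib
from pathlib import Path
from typing import Dict, Iterable, Union

# Recorded on-disk path of the profiled sample.
SAMPLE_PATH = r"C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe"

# Expected digests from the page (hex, compared case-insensitively).
PAGE_HASHES: Dict[str, str] = {
    "md5": "E0C02188DF20A7E09159000869EB86D1",
    "sha1": "1A43C53A8C4385B50E811882377E4130D963472A",
    "sha256": "71C82D36F4BD04D742F28ED4BD689DA95614CABE6B0693DC12BED37A4689520B",
    "sha384": "F31AD60D2490E34A8C1583E87D93E69D2260AD671E99FFB36A3587DC3AAFBE44658ED861B1730BA239901BC0DDA1AD1B",
    "sha512": "D33AB7062B736FF19C1AF046DBAE5B55254FAC19A5F15DE47AD44DF224469B0A7725B9B0DD5362EF22AC43C7AF25A5C858C473323FE6F5B54E08E7DFF73D3E9A",
}


def digest_all(source: Union[bytes, str, Path], algorithms: Iterable[str]) -> Dict[str, str]:
    """Hash bytes or a file once, feeding every requested algorithm in one pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    if isinstance(source, (bytes, bytearray)):
        blocks = [bytes(source)]
    else:
        def blocks_from_file():
            with open(source, "rb") as fh:
                while block := fh.read(1 << 20):   # 1 MiB chunks, constant memory
                    yield block
        blocks = blocks_from_file()
    for block in blocks:
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(observed: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm agreement; hex digests are compared case-insensitively."""
    return {name: observed[name].lower() == value.lower() for name, value in expected.items()}


def verdict(agreement: Dict[str, bool]) -> str:
    """Collapse per-algorithm results into a triage decision.

    A partial match (some algorithms agree, others do not) must not be read
    as 'same file': either the reference table has a transcription error or
    the weaker digest was collided on purpose. Either way, investigate.
    """
    if all(agreement.values()):
        return "match"
    if not any(agreement.values()):
        return "different file"
    return "partial match: investigate"


def check_file(path: Union[str, Path] = SAMPLE_PATH) -> str:
    """Hash the binary at `path` and compare it with the page's table."""
    return verdict(compare(digest_all(path, PAGE_HASHES), PAGE_HASHES))


if __name__ == "__main__":
    print(check_file())
```

Run it on the host being triaged; a "match" means the file is byte-identical to the sample profiled here, which matters because, as the Signature section shows, this sample carries no Authenticode signature that could be checked instead.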
Runtime Data
Child Processes:
Un_A.exe
Loaded Modules:
Path |
---|
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe |
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\wow64.dll |
C:\Windows\System32\wow64cpu.dll |
C:\Windows\System32\wow64win.dll |
Signature
- Status: The file C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe is not digitally signed.
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: maintenanceservice_installer.exe
- Product Name: Thunderbird
- Company Name: Mozilla Corporation
- File Version: 91.3.0
- Product Version: 91.3.0
- Language: English (United States)
- Legal Copyright: Mozilla Corporation
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 1/73
- VirusTotal Link: https://www.virustotal.com/gui/file/71c82d36f4bd04d742f28ed4bd689da95614cabe6b0693dc12bed37a4689520b/detection
File Similarity (ssdeep match)
Possible Misuse
The following table contains possible examples of Uninstall.exe being misused. While Uninstall.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | win_builtin_remove_application.yml | title: An Application Is Uninstall | DRL 1.0 |
sigma | win_susp_system_update_error.yml | - 24 # Uninstallation Failure: Windows failed to uninstall the following update with error | DRL 1.0 |
sigma | posh_ps_software_discovery.yml | ScriptBlockText\|contains\|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize | DRL 1.0 |
sigma | proc_creation_win_cleanwipe.yml | CommandLine\|contains: '--uninstall' | DRL 1.0 |
sigma | proc_creation_win_cleanwipe.yml | - '/uninstall' | DRL 1.0 |
sigma | proc_creation_win_dsim_remove.yml | description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images | DRL 1.0 |
sigma | proc_creation_win_susp_disable_raccine.yml | title: Raccine Uninstall | DRL 1.0 |
sigma | proc_creation_win_susp_wmic_security_product_uninstall.yml | title: Wmic Uninstall Security Product | DRL 1.0 |
sigma | proc_creation_win_susp_wmic_security_product_uninstall.yml | - 'call uninstall' | DRL 1.0 |
sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | title: Uninstall Crowdstrike Falcon | DRL 1.0 |
sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | - ' /uninstall' | DRL 1.0 |
sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | - Uninstall by admin | DRL 1.0 |
sigma | proc_creation_win_uninstall_sysmon.yml | title: Uninstall Sysinternals Sysmon | DRL 1.0 |
sigma | proc_creation_win_uninstall_sysmon.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon | DRL 1.0 |
sigma | proc_creation_win_wmic_remove_application.yml | title: WMI Uninstall An Application | DRL 1.0 |
sigma | proc_creation_win_wmic_remove_application.yml | description: Uninstall an application with wmic | DRL 1.0 |
sigma | proc_creation_win_wmic_remove_application.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic | DRL 1.0 |
sigma | proc_creation_win_wmic_remove_application.yml | CommandLine\|contains: call uninstall | DRL 1.0 |
LOLBAS | Installutil.yml | Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies | |
malware-ioc | rtm | uninstall | © ESET 2014-2018 |
malware-ioc | rtm | uninstall-lock | © ESET 2014-2018 |
atomic-red-team | index.md | - Atomic Test #11: Uninstall Sysmon [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #1: Regasm Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #10: Application uninstall using WMIC [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #11: Uninstall Sysmon [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: Regasm Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #10: Application uninstall using WMIC [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | - Atomic Test #10 - Application uninstall using WMIC | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | ## Atomic Test #10 - Application uninstall using WMIC | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | Emulates uninstalling applications using WMIC. This method only works if the product was installed with an msi file. APTs have been seen using this to uninstall security products. | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall | MIT License. © 2018 Red Canary |
atomic-red-team | T1095.md | if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* \| ?{$_.DisplayName -like "Microsoft Visual C++*"}) ) { | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | - Atomic Test #5 - InstallUtil Uninstall method call - /U variant | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | - Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | ## Atomic Test #5 - InstallUtil Uninstall method call - /U variant | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | Executes the Uninstall Method. Upon execution, version information will be displayed by the .NET framework install utility. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | ## Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | $CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `"$InstallerAssemblyFullPath`"" | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | - Atomic Test #1 - Regasm Uninstall Method Call Test | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | - Atomic Test #2 - Regsvcs Uninstall Method Call Test | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | ## Atomic Test #1 - Regasm Uninstall Method Call Test | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | ## Atomic Test #2 - Regsvcs Uninstall Method Call Test | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.009.md | Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, "I shouldn't really execute" will be displayed | MIT License. © 2018 Red Canary |
atomic-red-team | T1219.md | $file = 'C:\Program Files (x86)\TeamViewer\uninstall.exe' | MIT License. © 2018 Red Canary |
atomic-red-team | T1219.md | get-package 'LogMeIn Client' -ErrorAction Ignore \| uninstall-package | MIT License. © 2018 Red Canary |
atomic-red-team | T1505.002.md | Uninstall-TransportAgent #{transport_agent_identity} | MIT License. © 2018 Red Canary |
atomic-red-team | T1518.md | Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize | MIT License. © 2018 Red Canary |
atomic-red-team | T1518.md | Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | - Atomic Test #11 - Uninstall Sysmon | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | - Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | ## Atomic Test #11 - Uninstall Sysmon | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | Uninstall Sysinternals Sysmon for Defense Evasion | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | ## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller. | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | if (Test-Path "#{falcond_path}") { . "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse \| % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;} }} | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.001.md | DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. | MIT License. © 2018 Red Canary |
signature-base | apt_eqgrp.yar | $x4 = "%s version %s already has persistence installed. If you want to uninstall," fullword ascii | CC BY-NC 4.0 |
signature-base | apt_op_cloudhopper.yar | $s2 = "rundll32.exe \"%s\", UnInstall /update %s" fullword wide | CC BY-NC 4.0 |
signature-base | crime_buzus_softpulse.yar | $s4 = "CurrentVersion\Uninstall\avast" fullword wide | CC BY-NC 4.0 |
signature-base | gen_rats_malwareconfig.yar | $a7 = "Uninstall.jarPK" | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $a = "Unable to uninstall the fgexec service" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s3 = "%s -Uninstall -->To Uninstall The Service" | CC BY-NC 4.0 |
signature-base | thor-webshells.yar | $s6 = "Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is" | CC BY-NC 4.0 |
signature-base | thor_inverse_matches.yar | and not filename matches /uninstall/ | CC BY-NC 4.0 |
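The Sigma and Atomic Red Team entries above describe three recurring patterns: an MSI product removed through `wmic ... call uninstall` (T1047), Sysmon or an EDR sensor removed with its own uninstall switch (T1562.001), and an uninstaller binary used as a convenient, already-trusted-looking executable. The block below, an added example that is not part of the Strontic page, Sigma or Atomic Red Team, turns those patterns into process-creation checks and runs them over constructed Sysmon-style events (field names follow Sysmon Event ID 1; the events themselves are made up, not captured). The fourth rule is an assumption derived from this page: the legitimate Mozilla uninstaller lives under Program Files, so an Uninstall.exe launched from a user-writable directory is worth a look.

```python
"""Flag process-creation events that use "uninstall" functionality the way
the Sigma and Atomic Red Team entries in the table above describe.

Added example (not part of the Strontic page, Sigma or Atomic Red Team).
Events use Sysmon Event ID 1 field names; the sample events are constructed,
not captured. The 'off-path Uninstall.exe' rule is derived from the path
this page records for the Mozilla uninstaller and is an assumption about
what is normal on the monitored host.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Where this page saw the legitimate Mozilla uninstaller.
EXPECTED_UNINSTALL_PATH = r"C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe"

# Directories a user (or a payload running as one) can write to; an
# Uninstall.exe launched from here was not put there by a product installer.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")


def _image(ev: Event) -> str:
    return ev.get("Image", "").lower()


def _cmdline(ev: Event) -> str:
    return ev.get("CommandLine", "").lower()


def wmic_call_uninstall(ev: Event) -> bool:
    """T1047: wmic product where "name like '...'" call uninstall (MSI-installed products only)."""
    return _image(ev).endswith("\\wmic.exe") and "call uninstall" in _cmdline(ev)


def sysmon_uninstall(ev: Event) -> bool:
    """T1562.001: Sysmon removed with its -u switch ("-u force" included)."""
    return (re.search(r"\\sysmon(64)?\.exe$", _image(ev)) is not None
            and re.search(r"(^|\s)-u(\s|$)", _cmdline(ev)) is not None)


def falcon_sensor_uninstall(ev: Event) -> bool:
    """T1562.001: CrowdStrike's WindowsSensor.exe invoked with /uninstall, as in Atomic Test #21."""
    return _image(ev).endswith("\\windowssensor.exe") and "/uninstall" in _cmdline(ev)


def uninstall_exe_off_path(ev: Event) -> bool:
    """Page-derived check: an Uninstall.exe running from a user-writable directory.

    Other products ship their own Uninstall.exe (TeamViewer, per the table),
    so this fires only for user-writable paths, not for every path other than
    the Mozilla one.
    """
    img = _image(ev)
    if not img.endswith("\\uninstall.exe") or img == EXPECTED_UNINSTALL_PATH.lower():
        return False
    return any(marker in img for marker in USER_WRITABLE_MARKERS)


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("wmic_call_uninstall", wmic_call_uninstall),
    ("sysmon_uninstall", sysmon_uninstall),
    ("falcon_sensor_uninstall", falcon_sensor_uninstall),
    ("uninstall_exe_off_path", uninstall_exe_off_path),
]


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that matches an event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {   # 0: the legitimate uninstaller from its recorded path; should produce no hit
        "Image": EXPECTED_UNINSTALL_PATH,
        "CommandLine": f'"{EXPECTED_UNINSTALL_PATH}"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # 1: remote MSI uninstall via WMIC
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "CommandLine": 'wmic /node:"host1" product where "name like \'Sysmon%\'" call uninstall',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 2: Sysmon removed in place
        "Image": r"C:\Windows\Sysmon64.exe",
        "CommandLine": r"C:\Windows\Sysmon64.exe -u force",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # 3: an Uninstall.exe dropped into Downloads and run silently by a staged payload
        "Image": r"C:\Users\bob\Downloads\Uninstall.exe",
        "CommandLine": "Uninstall.exe /S",
        "ParentImage": r"C:\Users\bob\AppData\Local\Temp\stage.exe",
    },
    {   # 4: EDR sensor uninstall, as in the Atomic test
        "Image": r"C:\ProgramData\Package Cache\{GUID}\WindowsSensor.exe",
        "CommandLine": "WindowsSensor.exe /repair /uninstall /quiet",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
]

if __name__ == "__main__":
    for index, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {index}: {rule} <- {SAMPLE_EVENTS[index]['CommandLine']}")
```

Event 0 produces no hit and the other four each trigger exactly one rule. The checks are deliberately narrow (image name plus switch) so that the `wmic` and sensor rules stay quiet for ordinary administration; in production the off-path rule needs tuning for whatever per-user installers are normal in the environment.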
MIT License. Copyright (c) 2020-2021 Strontic.