Uninstall.exe

  • File Path: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
  • Description: Mozilla Maintenance Service Installer

Hashes

Type Hash
MD5 E0C02188DF20A7E09159000869EB86D1
SHA1 1A43C53A8C4385B50E811882377E4130D963472A
SHA256 71C82D36F4BD04D742F28ED4BD689DA95614CABE6B0693DC12BED37A4689520B
SHA384 F31AD60D2490E34A8C1583E87D93E69D2260AD671E99FFB36A3587DC3AAFBE44658ED861B1730BA239901BC0DDA1AD1B
SHA512 D33AB7062B736FF19C1AF046DBAE5B55254FAC19A5F15DE47AD44DF224469B0A7725B9B0DD5362EF22AC43C7AF25A5C858C473323FE6F5B54E08E7DFF73D3E9A
SSDEEP 1536:1axBRlYypb5j8ugsQ0DjLiLuJqkSZZZ3gURD8ib8KdBlDZauT41a/kxWO7iIy4Ll:1IlLpNjldDfiLurUNRD5bPdO7y4DP7B
IMP E2A592076B17EF8BFB48B7E03965A3FC

Runtime Data

Child Processes:

Un_A.exe

Loaded Modules:

Path
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: The file C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: maintenanceservice_installer.exe
  • Product Name: Thunderbird
  • Company Name: Mozilla Corporation
  • File Version: 91.3.0
  • Product Version: 91.3.0
  • Language: English (United States)
  • Legal Copyright: Mozilla Corporation
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 1/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/71c82d36f4bd04d742f28ed4bd689da95614cabe6b0693dc12bed37a4689520b/detection

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe 90
C:\program files (x86)\Mozilla Maintenance Service\Uninstall.exe 90
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe 90
C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe 74
C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe 71
C:\program files\Mozilla Firefox\maintenanceservice_installer.exe 74
C:\program files\Mozilla Thunderbird\maintenanceservice_installer.exe 74
C:\Program Files\Mozilla Thunderbird\maintenanceservice_installer.exe 72
C:\Program Files\Mozilla Thunderbird\maintenanceservice_installer.exe 74
C:\Program Files\Mozilla Thunderbird\maintenanceservice_installer.exe 80

Possible Misuse

The following table contains possible examples of Uninstall.exe being misused. While Uninstall.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_builtin_remove_application.yml title: An Application Is Uninstall DRL 1.0
sigma win_susp_system_update_error.yml - 24 # Uninstallation Failure: Windows failed to uninstall the following update with error DRL 1.0
sigma posh_ps_software_discovery.yml ScriptBlockText\|contains\|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize DRL 1.0
sigma proc_creation_win_cleanwipe.yml CommandLine\|contains: '--uninstall' DRL 1.0
sigma proc_creation_win_cleanwipe.yml - '/uninstall' DRL 1.0
sigma proc_creation_win_dsim_remove.yml description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images DRL 1.0
sigma proc_creation_win_susp_disable_raccine.yml title: Raccine Uninstall DRL 1.0
sigma proc_creation_win_susp_wmic_security_product_uninstall.yml title: Wmic Uninstall Security Product DRL 1.0
sigma proc_creation_win_susp_wmic_security_product_uninstall.yml - 'call uninstall' DRL 1.0
sigma proc_creation_win_uninstall_crowdstrike_falcon.yml title: Uninstall Crowdstrike Falcon DRL 1.0
sigma proc_creation_win_uninstall_crowdstrike_falcon.yml - ' /uninstall' DRL 1.0
sigma proc_creation_win_uninstall_crowdstrike_falcon.yml - Uninstall by admin DRL 1.0
sigma proc_creation_win_uninstall_sysmon.yml title: Uninstall Sysinternals Sysmon DRL 1.0
sigma proc_creation_win_uninstall_sysmon.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon DRL 1.0
sigma proc_creation_win_wmic_remove_application.yml title: WMI Uninstall An Application DRL 1.0
sigma proc_creation_win_wmic_remove_application.yml description: Uninstall an application with wmic DRL 1.0
sigma proc_creation_win_wmic_remove_application.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic DRL 1.0
sigma proc_creation_win_wmic_remove_application.yml CommandLine\|contains: call uninstall DRL 1.0
LOLBAS Installutil.yml Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies  
malware-ioc rtm uninstall © ESET 2014-2018
malware-ioc rtm uninstall-lock © ESET 2014-2018
atomic-red-team index.md - Atomic Test #11: Uninstall Sysmon [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Regasm Uninstall Method Call Test [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #10: Application uninstall using WMIC [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #11: Uninstall Sysmon [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Regasm Uninstall Method Call Test [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #10: Application uninstall using WMIC [windows] MIT License. © 2018 Red Canary
atomic-red-team T1047.md - Atomic Test #10 - Application uninstall using WMIC MIT License. © 2018 Red Canary
atomic-red-team T1047.md ## Atomic Test #10 - Application uninstall using WMIC MIT License. © 2018 Red Canary
atomic-red-team T1047.md Emulates uninstalling applications using WMIC. This method only works if the product was installed with an msi file. APTs have been seen using this to uninstall security products. MIT License. © 2018 Red Canary
atomic-red-team T1047.md wmic /node:”#{node}” product where “name like ‘#{product}%%’” call uninstall MIT License. © 2018 Red Canary
atomic-red-team T1095.md if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall* | ?{$_.DisplayName -like “Microsoft Visual C++*”}) ) { MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md - Atomic Test #5 - InstallUtil Uninstall method call - /U variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md - Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md ## Atomic Test #5 - InstallUtil Uninstall method call - /U variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md ## Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md $CommandLine = “/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall "$InstallerAssemblyFullPath”” MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md - Atomic Test #1 - Regasm Uninstall Method Call Test MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md - Atomic Test #2 - Regsvcs Uninstall Method Call Test MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md ## Atomic Test #1 - Regasm Uninstall Method Call Test MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md Executes the Uninstall Method, No Admin Rights Required. Upon execution, “I shouldn’t really execute either.” will be displayed. MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md ## Atomic Test #2 - Regsvcs Uninstall Method Call Test MIT License. © 2018 Red Canary
atomic-red-team T1218.009.md Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, “I shouldn’t really execute” will be displayed MIT License. © 2018 Red Canary
atomic-red-team T1219.md $file = ‘C:\Program Files (x86)\TeamViewer\uninstall.exe’ MIT License. © 2018 Red Canary
atomic-red-team T1219.md get-package ‘LogMeIn Client’ -ErrorAction Ignore | uninstall-package MIT License. © 2018 Red Canary
atomic-red-team T1505.002.md Uninstall-TransportAgent #{transport_agent_identity} MIT License. © 2018 Red Canary
atomic-red-team T1518.md Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize MIT License. © 2018 Red Canary
atomic-red-team T1518.md Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md - Atomic Test #11 - Uninstall Sysmon MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md - Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md ## Atomic Test #11 - Uninstall Sysmon MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md Uninstall Sysinternals Sysmon for Defense Evasion MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md ## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller. MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md if (Test-Path “#{falcond_path}”) {. “#{falcond_path}” /repair /uninstall /quiet } else { Get-ChildItem -Path “C:\ProgramData\Package Cache” -Include “WindowsSensor.exe” -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $.FullName); if ($sig.Status -eq “Valid” -and $sig.SignerCertificate.DnsNameList -eq “CrowdStrike, Inc.”) { . “$” /repair /uninstall /quiet; break;} }} MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. MIT License. © 2018 Red Canary
signature-base apt_eqgrp.yar $x4 = “%s version %s already has persistence installed. If you want to uninstall,” fullword ascii CC BY-NC 4.0
signature-base apt_op_cloudhopper.yar $s2 = “rundll32.exe "%s", UnInstall /update %s” fullword wide CC BY-NC 4.0
signature-base crime_buzus_softpulse.yar $s4 = “CurrentVersion\Uninstall\avast” fullword wide CC BY-NC 4.0
signature-base gen_rats_malwareconfig.yar $a7 = “Uninstall.jarPK” CC BY-NC 4.0
signature-base thor-hacktools.yar $a = “Unable to uninstall the fgexec service” CC BY-NC 4.0
signature-base thor-webshells.yar $s3 = “%s -Uninstall –>To Uninstall The Service” CC BY-NC 4.0
signature-base thor-webshells.yar $s6 = “Can’t uninstall,maybe the backdoor is not installed or,the Password you INPUT is” CC BY-NC 4.0
signature-base thor_inverse_matches.yar and not filename matches /uninstall/ CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.