Uninstall.exe

File Path: C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
Description: Mozilla Maintenance Service Installer

Hashes

Type	Hash
MD5	`E0C02188DF20A7E09159000869EB86D1`
SHA1	`1A43C53A8C4385B50E811882377E4130D963472A`
SHA256	`71C82D36F4BD04D742F28ED4BD689DA95614CABE6B0693DC12BED37A4689520B`
SHA384	`F31AD60D2490E34A8C1583E87D93E69D2260AD671E99FFB36A3587DC3AAFBE44658ED861B1730BA239901BC0DDA1AD1B`
SHA512	`D33AB7062B736FF19C1AF046DBAE5B55254FAC19A5F15DE47AD44DF224469B0A7725B9B0DD5362EF22AC43C7AF25A5C858C473323FE6F5B54E08E7DFF73D3E9A`
SSDEEP	`1536:1axBRlYypb5j8ugsQ0DjLiLuJqkSZZZ3gURD8ib8KdBlDZauT41a/kxWO7iIy4Ll:1IlLpNjldDfiLurUNRD5bPdO7y4DP7B`
IMP	`E2A592076B17EF8BFB48B7E03965A3FC`

Runtime Data

Child Processes:

Un_A.exe

Loaded Modules:

Path
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

Status: The file C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170
Serial: ``
Thumbprint: ``
Issuer:
Subject:

File Metadata

Original Filename: maintenanceservice_installer.exe
Product Name: Thunderbird
Company Name: Mozilla Corporation
File Version: 91.3.0
Product Version: 91.3.0
Language: English (United States)
Legal Copyright: Mozilla Corporation
Machine Type: 32-bit

File Scan

VirusTotal Detections: 1/73
VirusTotal Link: https://www.virustotal.com/gui/file/71c82d36f4bd04d742f28ed4bd689da95614cabe6b0693dc12bed37a4689520b/detection

File Similarity (ssdeep match)

File	Score
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	90
C:\program files (x86)\Mozilla Maintenance Service\Uninstall.exe	90
C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	90
C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	74
C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	71
C:\program files\Mozilla Firefox\maintenanceservice_installer.exe	74
C:\program files\Mozilla Thunderbird\maintenanceservice_installer.exe	74
C:\Program Files\Mozilla Thunderbird\maintenanceservice_installer.exe	72
C:\Program Files\Mozilla Thunderbird\maintenanceservice_installer.exe	74
C:\Program Files\Mozilla Thunderbird\maintenanceservice_installer.exe	80

Possible Misuse

The following table contains possible examples of Uninstall.exe being misused. While Uninstall.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	win_builtin_remove_application.yml	`title: An Application Is Uninstall`	DRL 1.0
sigma	win_susp_system_update_error.yml	`- 24 # Uninstallation Failure: Windows failed to uninstall the following update with error`	DRL 1.0
sigma	posh_ps_software_discovery.yml	`ScriptBlockText\\|contains\\|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* \\| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \\| Format-Table -Autosize`	DRL 1.0
sigma	proc_creation_win_cleanwipe.yml	`CommandLine\\|contains: '--uninstall'`	DRL 1.0
sigma	proc_creation_win_cleanwipe.yml	`- '/uninstall'`	DRL 1.0
sigma	proc_creation_win_dsim_remove.yml	`description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images`	DRL 1.0
sigma	proc_creation_win_susp_disable_raccine.yml	`title: Raccine Uninstall`	DRL 1.0
sigma	proc_creation_win_susp_wmic_security_product_uninstall.yml	`title: Wmic Uninstall Security Product`	DRL 1.0
sigma	proc_creation_win_susp_wmic_security_product_uninstall.yml	`- 'call uninstall'`	DRL 1.0
sigma	proc_creation_win_uninstall_crowdstrike_falcon.yml	`title: Uninstall Crowdstrike Falcon`	DRL 1.0
sigma	proc_creation_win_uninstall_crowdstrike_falcon.yml	`- ' /uninstall'`	DRL 1.0
sigma	proc_creation_win_uninstall_crowdstrike_falcon.yml	`- Uninstall by admin`	DRL 1.0
sigma	proc_creation_win_uninstall_sysmon.yml	`title: Uninstall Sysinternals Sysmon`	DRL 1.0
sigma	proc_creation_win_uninstall_sysmon.yml	`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon`	DRL 1.0
sigma	proc_creation_win_wmic_remove_application.yml	`title: WMI Uninstall An Application`	DRL 1.0
sigma	proc_creation_win_wmic_remove_application.yml	`description: Uninstall an application with wmic`	DRL 1.0
sigma	proc_creation_win_wmic_remove_application.yml	`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic`	DRL 1.0
sigma	proc_creation_win_wmic_remove_application.yml	`CommandLine\\|contains: call uninstall`	DRL 1.0
LOLBAS	Installutil.yml	`Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies`
malware-ioc	rtm	`uninstall`	© ESET 2014-2018
malware-ioc	rtm	`uninstall-lock`	© ESET 2014-2018
atomic-red-team	index.md	- Atomic Test #11: Uninstall Sysmon [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #1: Regasm Uninstall Method Call Test [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #10: Application uninstall using WMIC [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #11: Uninstall Sysmon [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #1: Regasm Uninstall Method Call Test [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #10: Application uninstall using WMIC [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1047.md	- Atomic Test #10 - Application uninstall using WMIC	MIT License. © 2018 Red Canary
atomic-red-team	T1047.md	## Atomic Test #10 - Application uninstall using WMIC	MIT License. © 2018 Red Canary
atomic-red-team	T1047.md	Emulates uninstalling applications using WMIC. This method only works if the product was installed with an msi file. APTs have been seen using this to uninstall security products.	MIT License. © 2018 Red Canary
atomic-red-team	T1047.md	wmic /node:”#{node}” product where “name like ‘#{product}%%’” call uninstall	MIT License. © 2018 Red Canary
atomic-red-team	T1095.md	if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall* \| ?{$_.DisplayName -like “Microsoft Visual C++*”}) ) {	MIT License. © 2018 Red Canary
atomic-red-team	T1218.004.md	- Atomic Test #5 - InstallUtil Uninstall method call - /U variant	MIT License. © 2018 Red Canary
atomic-red-team	T1218.004.md	- Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant	MIT License. © 2018 Red Canary
atomic-red-team	T1218.004.md	## Atomic Test #5 - InstallUtil Uninstall method call - /U variant	MIT License. © 2018 Red Canary
atomic-red-team	T1218.004.md	Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility.	MIT License. © 2018 Red Canary
atomic-red-team	T1218.004.md	InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output.	MIT License. © 2018 Red Canary
atomic-red-team	T1218.004.md	## Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant	MIT License. © 2018 Red Canary
atomic-red-team	T1218.004.md	$CommandLine = “/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `"$InstallerAssemblyFullPath`””	MIT License. © 2018 Red Canary
atomic-red-team	T1218.004.md	Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil.	MIT License. © 2018 Red Canary
atomic-red-team	T1218.009.md	- Atomic Test #1 - Regasm Uninstall Method Call Test	MIT License. © 2018 Red Canary
atomic-red-team	T1218.009.md	- Atomic Test #2 - Regsvcs Uninstall Method Call Test	MIT License. © 2018 Red Canary
atomic-red-team	T1218.009.md	## Atomic Test #1 - Regasm Uninstall Method Call Test	MIT License. © 2018 Red Canary
atomic-red-team	T1218.009.md	Executes the Uninstall Method, No Admin Rights Required. Upon execution, “I shouldn’t really execute either.” will be displayed.	MIT License. © 2018 Red Canary
atomic-red-team	T1218.009.md	## Atomic Test #2 - Regsvcs Uninstall Method Call Test	MIT License. © 2018 Red Canary
atomic-red-team	T1218.009.md	Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, “I shouldn’t really execute” will be displayed	MIT License. © 2018 Red Canary
atomic-red-team	T1219.md	$file = ‘C:\Program Files (x86)\TeamViewer\uninstall.exe’	MIT License. © 2018 Red Canary
atomic-red-team	T1219.md	get-package ‘LogMeIn Client’ -ErrorAction Ignore \| uninstall-package	MIT License. © 2018 Red Canary
atomic-red-team	T1505.002.md	Uninstall-TransportAgent #{transport_agent_identity}	MIT License. © 2018 Red Canary
atomic-red-team	T1518.md	Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize	MIT License. © 2018 Red Canary
atomic-red-team	T1518.md	Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize	MIT License. © 2018 Red Canary
atomic-red-team	T1562.001.md	- Atomic Test #11 - Uninstall Sysmon	MIT License. © 2018 Red Canary
atomic-red-team	T1562.001.md	- Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows	MIT License. © 2018 Red Canary
atomic-red-team	T1562.001.md	## Atomic Test #11 - Uninstall Sysmon	MIT License. © 2018 Red Canary
atomic-red-team	T1562.001.md	Uninstall Sysinternals Sysmon for Defense Evasion	MIT License. © 2018 Red Canary
atomic-red-team	T1562.001.md	## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows	MIT License. © 2018 Red Canary
atomic-red-team	T1562.001.md	Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.	MIT License. © 2018 Red Canary
atomic-red-team	T1562.001.md	if (Test-Path “#{falcond_path}”) {. “#{falcond_path}” /repair /uninstall /quiet } else { Get-ChildItem -Path “C:\ProgramData\Package Cache” -Include “WindowsSensor.exe” -Recurse \| % { $sig=$(Get-AuthenticodeSignature -FilePath $.FullName); if ($sig.Status -eq “Valid” -and $sig.SignerCertificate.DnsNameList -eq “CrowdStrike, Inc.”) { . “$” /repair /uninstall /quiet; break;} }}	MIT License. © 2018 Red Canary
atomic-red-team	T1562.001.md	DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images.	MIT License. © 2018 Red Canary
signature-base	apt_eqgrp.yar	$x4 = “%s version %s already has persistence installed. If you want to uninstall,” fullword ascii	CC BY-NC 4.0
signature-base	apt_op_cloudhopper.yar	$s2 = “rundll32.exe "%s", UnInstall /update %s” fullword wide	CC BY-NC 4.0
signature-base	crime_buzus_softpulse.yar	$s4 = “CurrentVersion\Uninstall\avast” fullword wide	CC BY-NC 4.0
signature-base	gen_rats_malwareconfig.yar	$a7 = “Uninstall.jarPK”	CC BY-NC 4.0
signature-base	thor-hacktools.yar	$a = “Unable to uninstall the fgexec service”	CC BY-NC 4.0
signature-base	thor-webshells.yar	$s3 = “%s -Uninstall –>To Uninstall The Service”	CC BY-NC 4.0
signature-base	thor-webshells.yar	$s6 = “Can’t uninstall,maybe the backdoor is not installed or,the Password you INPUT is”	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	and not filename matches /uninstall/	CC BY-NC 4.0