setup.exe

  • File Path: C:\ProgramData\Adobe\Setup\{00000000-0000-0000-0000-000000000000}\setup.exe
  • Description: Adobe Bootstrapper for Single Installation

Screenshot

setup.exe setup.exe setup.exe

Hashes

Type Hash
MD5 4E15703D4E9AAC4852A34CBB55CA3BAF
SHA1 056F3B7ECCE7108A7F0D2D6BE8FA84B8DDDEC5A3
SHA256 2CC96093D90228AB6F74AD1737E5B5AF92AD60F934EFC4A0D9B665EF8A7B40EA
SHA384 F44F59B6295CAA528B4179451C11659B76C424B8E6E64400A0EC6896C8098BD8ADA419294AE21C801B84B286F9906E87
SHA512 1EE19FC5F90722173F6CB42C81AB680257B398684F0F8F3E343B6132D583E7C7DF0E58C2B8C0509467F1B9C3DE205604C50CE992A739FA533D570BE5F4239D09
SSDEEP 6144:o+fHmTywXJ76XX9fbkAP4sV1qHXX3V/AFyp:oMs7C9fbkAP4sVIHXd7p

Signature

  • Status: Signature verified.
  • Serial: 10FB713319027F3F1F1C0667B3C38CA9
  • Thumbprint: 45548B92B80CB79A7C628B83D9DBA37B9C86971D
  • Issuer: CN=Symantec Class 3 Extended Validation Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US
  • Subject: CN=”Adobe Systems, Incorporated”, OU=Acrobat DC, O=”Adobe Systems, Incorporated”, L=San Jose, S=California, C=US, SERIALNUMBER=2748129, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US

File Metadata

  • Original Filename: Setup.exe
  • Product Name: Bootstrapper Small
  • Company Name: Adobe Systems Incorporated
  • File Version: 15.9.20069.159242
  • Product Version: 15.9.20069.159242
  • Language: English (United States)
  • Legal Copyright: Copyright 2015 Adobe Systems Incorporated. All rights reserved.

Possible Misuse

The following table contains possible examples of setup.exe being misused. While setup.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sigma-test.yml uses: actions/setup-python@v1 DRL 1.0
sigma aws_update_login_profile.yml An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. DRL 1.0
sigma cisco_cli_net_sniff.yml description: Show when a monitor or a span/rspan is setup or modified DRL 1.0
sigma cisco_cli_net_sniff.yml - Admins may setup new or modify old spans, or use a monitor for troubleshooting DRL 1.0
sigma win_iso_mount.yml ObjectName: '\Device\CdRom0\setup.exe' DRL 1.0
sigma win_susp_eventlog_cleared.yml - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) DRL 1.0
sigma win_system_susp_eventlog_cleared.yml - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) DRL 1.0
sigma file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml - 'C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml SourceImage\|endswith: \Installer\setup.exe DRL 1.0
sigma proc_creation_win_apt_winnti_pipemon.yml - 'setup.exe' DRL 1.0
sigma proc_creation_win_exploit_cve_2019_1378.yml - 'C:\Windows\Setup\Scripts\' DRL 1.0
sigma proc_creation_win_exploit_cve_2019_1378.yml - 'C:\Windows\Setup\' DRL 1.0
sigma proc_creation_win_powershell_cmdline_special_characters.yml - Amazon SSM Document Worker # fp example: powershell " [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 $keyExists = Test-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $jsonObj = @() if ($keyExists) { $key = Get-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $valueNames = $key.GetValueNames(); foreach ($valueName in $valueNames) { $value = $key.GetValue($valueName); if ($value -gt 0) { $installed = "True" } else { $installed = "False" } $jsonObj += @" {"Name": "$valueName", "Installed": "$installed"} "@ } } $result = $jsonObj -join "," $result = "[" + $result + "]" [Console]::WriteLine($result) DRL 1.0
sigma proc_creation_win_susp_run_folder.yml - 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe' DRL 1.0
sigma proc_creation_win_vmtoolsd_susp_child_process.yml description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\SYSTEM\Setup\CmdLine' DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - '\SOFTWARE\Microsoft\Active Setup\Installed Components' DRL 1.0
sigma registry_event_asep_reg_keys_modification_common.yml - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' DRL 1.0
sigma registry_event_asep_reg_keys_modification_common.yml - '\SYSTEM\Setup\CmdLine' DRL 1.0
sigma registry_event_asep_reg_keys_modification_common.yml - '\SOFTWARE\Microsoft\Active Setup\Installed Components' DRL 1.0
sigma registry_event_asep_reg_keys_modification_common.yml TargetObject\|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\' DRL 1.0
sigma registry_event_asep_reg_keys_modification_wow6432node.yml - '\setup.exe' DRL 1.0
sigma registry_event_mal_flowcloud.yml - 'HKLM\SYSTEM\Setup\PrintResponsor\' DRL 1.0
sigma registry_event_new_application_appcompat.yml - Newly setup system. DRL 1.0
sigma registry_event_runonce_persistence.yml TargetObject\|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components' DRL 1.0
LOLBAS Setup.yml Name: Setup.exe  
LOLBAS Setup.yml - Command: Run Setup.exe  
LOLBAS Setup.yml Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload.  
LOLBAS OneDriveStandaloneUpdater.yml - IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files  
LOLBAS Runonce.yml - IOC: Registy key add - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY  
LOLBAS Setupapi.yml Description: Windows Setup Application Programming Interface  
LOLBAS Syssetup.yml Description: Windows NT System Setup  
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-sf © ESET 2014-2018
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-nh © ESET 2014-2018
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-zn © ESET 2014-2018
malware-ioc attor %COMMONAPPDATA%\Adobe\Setup\Replicate\US-pq © ESET 2014-2018
malware-ioc evilnum \|C8458A1568639EA2270E1845B0A386FF75C23421\|nvstviews.exe \|ALPS Setup \|B1C248AD370D1ACE6FA03572CE1AE6297E14A3F8``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc glupteba.misp-event.json "value": "setup.exe\|f7230b2cab4e4910bca473b39ee8fd4df394ce0d", © ESET 2014-2018
malware-ioc glupteba \|F7230B2CAB4E4910BCA473B39EE8FD4DF394CE0D\|setup.exe \|MSIL/Adware.CsdiMonetize.AG © ESET 2014-2018
malware-ioc win_apt_invisimole_wdigest_chain.yml - Legitimate use of the Wireless Network Setup Wizard © ESET 2014-2018
malware-ioc win_lolbin_setupSNK.yml title: Wireless Network Setup Settings Changed © ESET 2014-2018
malware-ioc win_lolbin_setupSNK.yml - Legitimate use of the Wireless Network Setup Wizard © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Setup.dll", © ESET 2014-2018
malware-ioc misp-kryptocibule.json "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\setup-version.json", © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Setup.dll © ESET 2014-2018
malware-ioc kryptocibule %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\setup-version.json © ESET 2014-2018
malware-ioc potao Fake TrueCrypt Setup: © ESET 2014-2018
malware-ioc 2021_T2 Setup © ESET 2014-2018
malware-ioc windigo depending on your setup. For example we know that suPHP uses shared memory. © ESET 2014-2018
malware-ioc winnti_group setup.exe © ESET 2014-2018
atomic-red-team index.md - T1547.014 Active Setup CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1547.014 Active Setup CONTRIBUTE A TEST MIT License. © 2018 Red Canary
atomic-red-team matrix.md | Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST | At (Windows) | Active Setup CONTRIBUTE A TEST | Accessibility Features | Application Access Token CONTRIBUTE A TEST | AS-REP Roasting | Browser Bookmark Discovery | Distributed Component Object Model | Archive via Custom Method CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol | Bidirectional Communication CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | Compromise Software Supply Chain CONTRIBUTE A TEST | Command and Scripting Interpreter CONTRIBUTE A TEST | Add Office 365 Global Administrator Role CONTRIBUTE A TEST | Active Setup CONTRIBUTE A TEST | Asynchronous Procedure Call | Bash History | Cloud Account CONTRIBUTE A TEST | Exploitation of Remote Services CONTRIBUTE A TEST | Archive via Library | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Commonly Used Port CONTRIBUTE A TEST | Data Destruction | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Compromise Software Supply Chain CONTRIBUTE A TEST | Component Object Model CONTRIBUTE A TEST | Active Setup CONTRIBUTE A TEST | Accessibility Features | Asynchronous Procedure Call | Brute Force CONTRIBUTE A TEST | Browser Bookmark Discovery | Exploitation of Remote Services CONTRIBUTE A TEST | Archive via Custom Method CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol | Bidirectional Communication CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | Default Accounts | Component Object Model and Distributed COM CONTRIBUTE A TEST | Add-ins | Active Setup CONTRIBUTE A TEST | BITS Jobs | Cached Domain Credentials CONTRIBUTE A TEST | Domain Account | Internal Spearphishing CONTRIBUTE A TEST | Archive via Library CONTRIBUTE A TEST | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Commonly Used Port CONTRIBUTE A TEST | Data Destruction | MIT License. © 2018 Red Canary
atomic-red-team T1046.md | nmap_url | NMap installer download URL | Url | https://nmap.org/dist/nmap-7.80-setup.exe| MIT License. © 2018 Red Canary
atomic-red-team T1046.md Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url} MIT License. © 2018 Red Canary
atomic-red-team T1046.md Start-Process $env:temp\nmap-7.80-setup.exe /S MIT License. © 2018 Red Canary
atomic-red-team T1047.md Invoke-WebRequest ‘https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi’ -OutFile PathToAtomicsFolder\T1047\bin\tightvncinstaller.msi MIT License. © 2018 Red Canary
atomic-red-team T1484.002.md if ($new) { Write-Host “nFederation successfully added to Azure AD" } else { Write-Host "nThe federation setup failed” } MIT License. © 2018 Red Canary
signature-base airbnb_binaryalert.yar $a1 = “https://setup.icloud.com/setup/authenticate/” wide ascii CC BY-NC 4.0
signature-base airbnb_binaryalert.yar $s8 = “Setup a communication socket with the process by injecting” fullword ascii wide CC BY-NC 4.0
signature-base apt_bluetermite_emdivi.yar $x1 = “Setup=unsecess.exe” fullword ascii CC BY-NC 4.0
signature-base apt_bluetermite_emdivi.yar $x2 = “Setup=leassnp.exe” fullword ascii CC BY-NC 4.0
signature-base apt_irontiger.yar $s0 = “\setup.exe” fullword ascii CC BY-NC 4.0
signature-base apt_irontiger.yar $s3 = “setup.exeUT” fullword ascii CC BY-NC 4.0
signature-base apt_miniasp.yar $x2 = “run http://%s/logo.png setup.exe” fullword ascii /* PEStudio Blacklist: strings / / score: ‘37.02’ */ CC BY-NC 4.0
signature-base apt_op_honeybee.yar $x1 = “cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32” CC BY-NC 4.0
signature-base apt_op_honeybee.yar $x2 = “del /f /q %TEMP%\setup.cab && cliconfg.exe” CC BY-NC 4.0
signature-base apt_op_honeybee.yar $s6 = “\setup.cab” fullword ascii CC BY-NC 4.0
signature-base apt_promethium_neodymium.yar $s2 = “c:\windows\temp\TrueCrypt-Setup-7.1a-tamindir.exe” fullword wide CC BY-NC 4.0
signature-base apt_sakula.yar description = “Sakula shellcode - taken from decoded setup.msi but may not be unique enough to identify Sakula” CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s7 = “setup.exeUT” fullword ascii CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s6 = “\setup.exe” fullword ascii CC BY-NC 4.0
signature-base apt_winnti_burning_umbrella.yar $s1 = “c:\windows\ime\setup.exe” fullword ascii CC BY-NC 4.0
signature-base cn_pentestset_tools.yar description = “Sample from CN Honker Pentest Toolset - file setup.exe” CC BY-NC 4.0
signature-base crime_fireball.yar $s3 = “\SETUP.dll” fullword wide CC BY-NC 4.0
signature-base crime_nopetya_jun17.yar $x6 = “wevtutil cl Setup & wevtutil cl System” ascii CC BY-NC 4.0
signature-base gen_anomalies_keyword_combos.yar $fp6 = “Paint.NET Setup” wide fullword CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s2 = “SwitchSniffer Setup” fullword wide CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.