setup.exe
- File Path:
C:\Program Files\Google\Chrome\Application\95.0.4638.69\Installer\setup.exe - Description: Google Chrome Installer
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 5EB7D6AA57A71781710485717702A57A |
| SHA1 | 69AA3FA8DFA326DA38A2E0E9B2A8AC464B16C8F0 |
| SHA256 | 7CBE211A4A539659D66B471FC43FA66DE772A877494A0BB877515A3589E9DA2C |
| SHA384 | 124791CEDCD63BEE1C1DD3D0EA56F0123CFE46155AD6D901E95532D98CDC5237D03AE940A559F46F7BC3BDB7658E662F |
| SHA512 | DA06DCA5515D1CE5D82A44A7EB7BA49806EB41DC6B9BD05FE3A47AED30793A5BC72719C3CB4529D1A78666B5CF19B868EE8F62EB41984E847D384D31ECE3D6BB |
| SSDEEP | 49152:YdEzORq0lX00QRotp+h47SpLd2IKE8pkvT+oTqK4YRZpao3VNoC1hyKPnTTVaY:eEqHvAh4RqaouAAkNoKP |
| IMP | 126845BE5896326DCD19EE3EFF19BE41 |
| PESHA1 | 68CC375B311054FA092B2878EE461FC425F4BB91 |
| PE256 | F48C1172DD1E65F7474CDCCD585342B3104C2021BD80F4C7D19317FB74578F2E |
Runtime Data
Usage (stderr):
[1106/200309.145:ERROR:setup_main.cc(642)] Already installed version 95.0.4638.69 at system-level conflicts with this one at user-level.
[1106/200309.146:ERROR:persistent_histogram_storage.cc(121)] Could not write "SetupMetrics" persistent histograms to file as the storage directory does not exist.
Child Processes:
chrome.exe
Loaded Modules:
| Path |
|---|
| C:\Program Files\Google\Chrome\Application\95.0.4638.69\Installer\setup.exe |
| C:\Windows\System32\ADVAPI32.dll |
| C:\Windows\System32\combase.dll |
| C:\Windows\SYSTEM32\dbghelp.dll |
| C:\Windows\System32\GDI32.dll |
| C:\Windows\System32\gdi32full.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\ole32.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\System32\sechost.dll |
| C:\Windows\System32\SHELL32.dll |
| C:\Windows\System32\SHLWAPI.dll |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\System32\USER32.dll |
| C:\Windows\System32\win32u.dll |
| C:\Windows\System32\WS2_32.dll |
Signature
- Status: Signature verified.
- Serial:
0E4418E2DEDE36DD2974C3443AFB5CE5 - Thumbprint:
2673EA6CC23BEFFDA49AC715B121544098A1284C - Issuer: CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O=”DigiCert, Inc.”, C=US
- Subject: CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US
File Metadata
- Original Filename:
- Product Name: Google Chrome Installer
- Company Name: Google LLC
- File Version: 95.0.4638.69
- Product Version: 95.0.4638.69
- Language: English (United States)
- Legal Copyright: Copyright 2021 Google LLC. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/72
- VirusTotal Link: https://www.virustotal.com/gui/file/7cbe211a4a539659d66b471fc43fa66de772a877494a0bb877515a3589e9da2c/detection
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Program Files\Google\Chrome\Application\95.0.4638.69\Installer\chrmstp.exe | 100 |
Possible Misuse
The following table contains possible examples of setup.exe being misused. While setup.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sigma-test.yml | uses: actions/setup-python@v1 |
DRL 1.0 |
| sigma | aws_update_login_profile.yml | An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. |
DRL 1.0 |
| sigma | cisco_cli_net_sniff.yml | description: Show when a monitor or a span/rspan is setup or modified |
DRL 1.0 |
| sigma | cisco_cli_net_sniff.yml | - Admins may setup new or modify old spans, or use a monitor for troubleshooting |
DRL 1.0 |
| sigma | win_iso_mount.yml | ObjectName: '\Device\CdRom0\setup.exe' |
DRL 1.0 |
| sigma | win_susp_eventlog_cleared.yml | - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) |
DRL 1.0 |
| sigma | win_system_susp_eventlog_cleared.yml | - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) |
DRL 1.0 |
| sigma | file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml | - 'C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat' |
DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | SourceImage\|endswith: \Installer\setup.exe |
DRL 1.0 |
| sigma | proc_creation_win_apt_winnti_pipemon.yml | - 'setup.exe' |
DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2019_1378.yml | - 'C:\Windows\Setup\Scripts\' |
DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2019_1378.yml | - 'C:\Windows\Setup\' |
DRL 1.0 |
| sigma | proc_creation_win_powershell_cmdline_special_characters.yml | - Amazon SSM Document Worker # fp example: powershell " [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 $keyExists = Test-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $jsonObj = @() if ($keyExists) { $key = Get-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $valueNames = $key.GetValueNames(); foreach ($valueName in $valueNames) { $value = $key.GetValue($valueName); if ($value -gt 0) { $installed = "True" } else { $installed = "False" } $jsonObj += @" {"Name": "$valueName", "Installed": "$installed"} "@ } } $result = $jsonObj -join "," $result = "[" + $result + "]" [Console]::WriteLine($result) |
DRL 1.0 |
| sigma | proc_creation_win_susp_run_folder.yml | - 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe' |
DRL 1.0 |
| sigma | proc_creation_win_vmtoolsd_susp_child_process.yml | description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup |
DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification.yml | - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' |
DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification.yml | - '\SYSTEM\Setup\CmdLine' |
DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification.yml | - '\SOFTWARE\Microsoft\Active Setup\Installed Components' |
DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_common.yml | - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' |
DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_common.yml | - '\SYSTEM\Setup\CmdLine' |
DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_common.yml | - '\SOFTWARE\Microsoft\Active Setup\Installed Components' |
DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_common.yml | TargetObject\|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\' |
DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_wow6432node.yml | - '\setup.exe' |
DRL 1.0 |
| sigma | registry_event_mal_flowcloud.yml | - 'HKLM\SYSTEM\Setup\PrintResponsor\' |
DRL 1.0 |
| sigma | registry_event_new_application_appcompat.yml | - Newly setup system. |
DRL 1.0 |
| sigma | registry_event_runonce_persistence.yml | TargetObject\|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components' |
DRL 1.0 |
| LOLBAS | Setup.yml | Name: Setup.exe |
|
| LOLBAS | Setup.yml | - Command: Run Setup.exe |
|
| LOLBAS | Setup.yml | Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload. |
|
| LOLBAS | OneDriveStandaloneUpdater.yml | - IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files |
|
| LOLBAS | Runonce.yml | - IOC: Registy key add - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY |
|
| LOLBAS | Setupapi.yml | Description: Windows Setup Application Programming Interface |
|
| LOLBAS | Syssetup.yml | Description: Windows NT System Setup |
|
| malware-ioc | attor | %COMMONAPPDATA%\Adobe\Setup\Replicate\US-sf |
© ESET 2014-2018 |
| malware-ioc | attor | %COMMONAPPDATA%\Adobe\Setup\Replicate\US-nh |
© ESET 2014-2018 |
| malware-ioc | attor | %COMMONAPPDATA%\Adobe\Setup\Replicate\US-zn |
© ESET 2014-2018 |
| malware-ioc | attor | %COMMONAPPDATA%\Adobe\Setup\Replicate\US-pq |
© ESET 2014-2018 |
| malware-ioc | evilnum | \|C8458A1568639EA2270E1845B0A386FF75C23421\|nvstviews.exe \|ALPS Setup \|B1C248AD370D1ACE6FA03572CE1AE6297E14A3F8``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
| malware-ioc | glupteba.misp-event.json | "value": "setup.exe\|f7230b2cab4e4910bca473b39ee8fd4df394ce0d", |
© ESET 2014-2018 |
| malware-ioc | glupteba | \|F7230B2CAB4E4910BCA473B39EE8FD4DF394CE0D\|setup.exe \|MSIL/Adware.CsdiMonetize.AG |
© ESET 2014-2018 |
| malware-ioc | win_apt_invisimole_wdigest_chain.yml | - Legitimate use of the Wireless Network Setup Wizard |
© ESET 2014-2018 |
| malware-ioc | win_lolbin_setupSNK.yml | title: Wireless Network Setup Settings Changed |
© ESET 2014-2018 |
| malware-ioc | win_lolbin_setupSNK.yml | - Legitimate use of the Wireless Network Setup Wizard |
© ESET 2014-2018 |
| malware-ioc | misp-kryptocibule.json | "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Setup.dll", |
© ESET 2014-2018 |
| malware-ioc | misp-kryptocibule.json | "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\setup-version.json", |
© ESET 2014-2018 |
| malware-ioc | kryptocibule | %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Setup.dll |
© ESET 2014-2018 |
| malware-ioc | kryptocibule | %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\setup-version.json |
© ESET 2014-2018 |
| malware-ioc | potao | Fake TrueCrypt Setup: |
© ESET 2014-2018 |
| malware-ioc | 2021_T2 | Setup |
© ESET 2014-2018 |
| malware-ioc | windigo | depending on your setup. For example we know that suPHP uses shared memory. |
© ESET 2014-2018 |
| malware-ioc | winnti_group | setup.exe |
© ESET 2014-2018 |
| atomic-red-team | index.md | - T1547.014 Active Setup CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - T1547.014 Active Setup CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
| atomic-red-team | matrix.md | | Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST | At (Windows) | Active Setup CONTRIBUTE A TEST | Accessibility Features | Application Access Token CONTRIBUTE A TEST | AS-REP Roasting | Browser Bookmark Discovery | Distributed Component Object Model | Archive via Custom Method CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol | Bidirectional Communication CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary |
| atomic-red-team | matrix.md | | Compromise Software Supply Chain CONTRIBUTE A TEST | Command and Scripting Interpreter CONTRIBUTE A TEST | Add Office 365 Global Administrator Role CONTRIBUTE A TEST | Active Setup CONTRIBUTE A TEST | Asynchronous Procedure Call | Bash History | Cloud Account CONTRIBUTE A TEST | Exploitation of Remote Services CONTRIBUTE A TEST | Archive via Library | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Commonly Used Port CONTRIBUTE A TEST | Data Destruction | | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-matrix.md | | Compromise Software Supply Chain CONTRIBUTE A TEST | Component Object Model CONTRIBUTE A TEST | Active Setup CONTRIBUTE A TEST | Accessibility Features | Asynchronous Procedure Call | Brute Force CONTRIBUTE A TEST | Browser Bookmark Discovery | Exploitation of Remote Services CONTRIBUTE A TEST | Archive via Custom Method CONTRIBUTE A TEST | Exfiltration Over Alternative Protocol | Bidirectional Communication CONTRIBUTE A TEST | Application or System Exploitation CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-matrix.md | | Default Accounts | Component Object Model and Distributed COM CONTRIBUTE A TEST | Add-ins | Active Setup CONTRIBUTE A TEST | BITS Jobs | Cached Domain Credentials CONTRIBUTE A TEST | Domain Account | Internal Spearphishing CONTRIBUTE A TEST | Archive via Library CONTRIBUTE A TEST | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Commonly Used Port CONTRIBUTE A TEST | Data Destruction | | MIT License. © 2018 Red Canary |
| atomic-red-team | T1046.md | | nmap_url | NMap installer download URL | Url | https://nmap.org/dist/nmap-7.80-setup.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1046.md | Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1046.md | Start-Process $env:temp\nmap-7.80-setup.exe /S | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | Invoke-WebRequest ‘https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi’ -OutFile PathToAtomicsFolder\T1047\bin\tightvncinstaller.msi | MIT License. © 2018 Red Canary |
| atomic-red-team | T1484.002.md | if ($new) { Write-Host “nFederation successfully added to Azure AD" } else { Write-Host "nThe federation setup failed” } |
MIT License. © 2018 Red Canary |
| signature-base | airbnb_binaryalert.yar | $a1 = “https://setup.icloud.com/setup/authenticate/” wide ascii | CC BY-NC 4.0 |
| signature-base | airbnb_binaryalert.yar | $s8 = “Setup a communication socket with the process by injecting” fullword ascii wide | CC BY-NC 4.0 |
| signature-base | apt_bluetermite_emdivi.yar | $x1 = “Setup=unsecess.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_bluetermite_emdivi.yar | $x2 = “Setup=leassnp.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_irontiger.yar | $s0 = “\setup.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_irontiger.yar | $s3 = “setup.exeUT” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_miniasp.yar | $x2 = “run http://%s/logo.png setup.exe” fullword ascii /* PEStudio Blacklist: strings / / score: ‘37.02’ */ | CC BY-NC 4.0 |
| signature-base | apt_op_honeybee.yar | $x1 = “cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32” | CC BY-NC 4.0 |
| signature-base | apt_op_honeybee.yar | $x2 = “del /f /q %TEMP%\setup.cab && cliconfg.exe” | CC BY-NC 4.0 |
| signature-base | apt_op_honeybee.yar | $s6 = “\setup.cab” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_promethium_neodymium.yar | $s2 = “c:\windows\temp\TrueCrypt-Setup-7.1a-tamindir.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_sakula.yar | description = “Sakula shellcode - taken from decoded setup.msi but may not be unique enough to identify Sakula” | CC BY-NC 4.0 |
| signature-base | apt_threatgroup_3390.yar | $s7 = “setup.exeUT” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_threatgroup_3390.yar | $s6 = “\setup.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_winnti_burning_umbrella.yar | $s1 = “c:\windows\ime\setup.exe” fullword ascii | CC BY-NC 4.0 |
| signature-base | cn_pentestset_tools.yar | description = “Sample from CN Honker Pentest Toolset - file setup.exe” | CC BY-NC 4.0 |
| signature-base | crime_fireball.yar | $s3 = “\SETUP.dll” fullword wide | CC BY-NC 4.0 |
| signature-base | crime_nopetya_jun17.yar | $x6 = “wevtutil cl Setup & wevtutil cl System” ascii | CC BY-NC 4.0 |
| signature-base | gen_anomalies_keyword_combos.yar | $fp6 = “Paint.NET Setup” wide fullword | CC BY-NC 4.0 |
| signature-base | gen_cn_hacktools.yar | $s2 = “SwitchSniffer Setup” fullword wide | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.