setup.exe
- File Path: C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.125\Installer\setup.exe
- Description: Google Chrome Installer
Hashes
Type | Hash |
---|---|
MD5 | 8C9FE6FF801A1B6061F089FC517806EA |
SHA1 | 6B2FACF01EC9349BD286AA0451621773BD554653 |
SHA256 | B3A9BBFD7AAEC835B51AF73BD8848EB62B54FC2E4DB4101D07D196F358D49F18 |
SHA384 | 91F273C1635A7C2CEED8D114C7054ED99C597CF9FA835D3FE4E3474085A7608BE50C28DAC68BAF548B397801686965F2 |
SHA512 | B2F434205C8B76336A05D24EA025F47DD235585D2F6CE3D7F8A1CDB28C333D856C1A63EBB2D29C03CF71CBA5F9672DC040CA656A3A2541F82BA317CCD675B84A |
SSDEEP | 49152:ZleWvsxXgsirVYXwiAP/P9TZ7krsuBhT1:AZakLBH |
Runtime Data
Usage (stderr):
[0815/134252.394:ERROR:setup_main.cc(523)] Already installed version 84.0.4147.125 at system-level conflicts with this one at user-level.
[0815/134252.394:ERROR:persistent_histogram_storage.cc(121)] Could not write "SetupMetrics" persistent histograms to file as the storage directory does not exist.
Child Processes:
chrome.exe
Signature
- Status: Signature verified.
- Serial: 0C15BE4A15BB0903C901B1D6C265302F
- Thumbprint: CB7E84887F3C6015FE7EDFB4F8F36DF7DC10590E
- Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
- Subject: CN=Google LLC, O=Google LLC, L=Mountain View, S=ca, C=US
File Metadata
- Original Filename:
- Product Name: Google Chrome Installer
- Company Name: Google LLC
- File Version: 84.0.4147.125
- Product Version: 84.0.4147.125
- Language: English (United States)
- Legal Copyright: Copyright 2020 Google LLC. All rights reserved.
File Similarity (ssdeep match)
File | Score |
---|---|
C:\Program Files (x86)\Google\Chrome\Application\84.0.4147.125\Installer\chrmstp.exe | 100 |
Possible Misuse
The following table contains possible examples of setup.exe being misused. While setup.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | sigma-test.yml | uses: actions/setup-python@v1 | DRL 1.0 |
sigma | aws_update_login_profile.yml | An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. | DRL 1.0 |
sigma | cisco_cli_net_sniff.yml | description: Show when a monitor or a span/rspan is setup or modified | DRL 1.0 |
sigma | cisco_cli_net_sniff.yml | - Admins may setup new or modify old spans, or use a monitor for troubleshooting | DRL 1.0 |
sigma | win_iso_mount.yml | ObjectName: '\Device\CdRom0\setup.exe' | DRL 1.0 |
sigma | win_susp_eventlog_cleared.yml | - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) | DRL 1.0 |
sigma | win_system_susp_eventlog_cleared.yml | - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) | DRL 1.0 |
sigma | file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml | - 'C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat' | DRL 1.0 |
sigma | proc_access_win_cred_dump_lsass_access.yml | SourceImage\|endswith: \Installer\setup.exe | DRL 1.0 |
sigma | proc_creation_win_apt_winnti_pipemon.yml | - 'setup.exe' | DRL 1.0 |
sigma | proc_creation_win_exploit_cve_2019_1378.yml | - 'C:\Windows\Setup\Scripts\' | DRL 1.0 |
sigma | proc_creation_win_exploit_cve_2019_1378.yml | - 'C:\Windows\Setup\' | DRL 1.0 |
sigma | proc_creation_win_powershell_cmdline_special_characters.yml | - Amazon SSM Document Worker # fp example: powershell " [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 $keyExists = Test-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $jsonObj = @() if ($keyExists) { $key = Get-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $valueNames = $key.GetValueNames(); foreach ($valueName in $valueNames) { $value = $key.GetValue($valueName); if ($value -gt 0) { $installed = "True" } else { $installed = "False" } $jsonObj += @" {"Name": "$valueName", "Installed": "$installed"} "@ } } $result = $jsonObj -join "," $result = "[" + $result + "]" [Console]::WriteLine($result) | DRL 1.0 |
sigma | proc_creation_win_susp_run_folder.yml | - 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe' | DRL 1.0 |
sigma | proc_creation_win_vmtoolsd_susp_child_process.yml | description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification.yml | - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification.yml | - '\SYSTEM\Setup\CmdLine' | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification.yml | - '\SOFTWARE\Microsoft\Active Setup\Installed Components' | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification_common.yml | - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification_common.yml | - '\SYSTEM\Setup\CmdLine' | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification_common.yml | - '\SOFTWARE\Microsoft\Active Setup\Installed Components' | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification_common.yml | TargetObject\|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\' | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification_wow6432node.yml | - '\setup.exe' | DRL 1.0 |
sigma | registry_event_mal_flowcloud.yml | - 'HKLM\SYSTEM\Setup\PrintResponsor\' | DRL 1.0 |
sigma | registry_event_new_application_appcompat.yml | - Newly setup system. | DRL 1.0 |
sigma | registry_event_runonce_persistence.yml | TargetObject\|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components' | DRL 1.0 |
LOLBAS | Setup.yml | Name: Setup.exe | |
LOLBAS | Setup.yml | - Command: Run Setup.exe | |
LOLBAS | Setup.yml | Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload. | |
LOLBAS | OneDriveStandaloneUpdater.yml | - IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files | |
LOLBAS | Runonce.yml | - IOC: Registy key add - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY | |
LOLBAS | Setupapi.yml | Description: Windows Setup Application Programming Interface | |
LOLBAS | Syssetup.yml | Description: Windows NT System Setup | |
malware-ioc | attor | %COMMONAPPDATA%\Adobe\Setup\Replicate\US-sf | © ESET 2014-2018 |
malware-ioc | attor | %COMMONAPPDATA%\Adobe\Setup\Replicate\US-nh | © ESET 2014-2018 |
malware-ioc | attor | %COMMONAPPDATA%\Adobe\Setup\Replicate\US-zn | © ESET 2014-2018 |
malware-ioc | attor | %COMMONAPPDATA%\Adobe\Setup\Replicate\US-pq | © ESET 2014-2018 |
malware-ioc | evilnum | \| C8458A1568639EA2270E1845B0A386FF75C23421\|nvstviews.exe \|ALPS Setup \| B1C248AD370D1ACE6FA03572CE1AE6297E14A3F8 | © ESET 2014-2018 |
malware-ioc | glupteba.misp-event.json | "value": "setup.exe\|f7230b2cab4e4910bca473b39ee8fd4df394ce0d", | © ESET 2014-2018 |
malware-ioc | glupteba | \| F7230B2CAB4E4910BCA473B39EE8FD4DF394CE0D\|setup.exe \|MSIL/Adware.CsdiMonetize.AG | © ESET 2014-2018 |
malware-ioc | win_apt_invisimole_wdigest_chain.yml | - Legitimate use of the Wireless Network Setup Wizard | © ESET 2014-2018 |
malware-ioc | win_lolbin_setupSNK.yml | title: Wireless Network Setup Settings Changed | © ESET 2014-2018 |
malware-ioc | win_lolbin_setupSNK.yml | - Legitimate use of the Wireless Network Setup Wizard | © ESET 2014-2018 |
malware-ioc | misp-kryptocibule.json | "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Setup.dll", | © ESET 2014-2018 |
malware-ioc | misp-kryptocibule.json | "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\setup-version.json", | © ESET 2014-2018 |
malware-ioc | kryptocibule | %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Setup.dll | © ESET 2014-2018 |
malware-ioc | kryptocibule | %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\setup-version.json | © ESET 2014-2018 |
malware-ioc | potao | Fake TrueCrypt Setup: | © ESET 2014-2018 |
malware-ioc | 2021_T2 | Setup | © ESET 2014-2018 |
malware-ioc | windigo | depending on your setup. For example we know that suPHP uses shared memory. | © ESET 2014-2018 |
malware-ioc | winnti_group | setup.exe | © ESET 2014-2018 |
atomic-red-team | index.md | - T1547.014 Active Setup CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - T1547.014 Active Setup CONTRIBUTE A TEST | MIT License. © 2018 Red Canary |
atomic-red-team | matrix.md | \| Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST \| At (Windows) \| Active Setup CONTRIBUTE A TEST \| Accessibility Features \| Application Access Token CONTRIBUTE A TEST \| AS-REP Roasting \| Browser Bookmark Discovery \| Distributed Component Object Model \| Archive via Custom Method CONTRIBUTE A TEST \| Exfiltration Over Alternative Protocol \| Bidirectional Communication CONTRIBUTE A TEST \| Application or System Exploitation CONTRIBUTE A TEST \| \| | MIT License. © 2018 Red Canary |
atomic-red-team | matrix.md | \| Compromise Software Supply Chain CONTRIBUTE A TEST \| Command and Scripting Interpreter CONTRIBUTE A TEST \| Add Office 365 Global Administrator Role CONTRIBUTE A TEST \| Active Setup CONTRIBUTE A TEST \| Asynchronous Procedure Call \| Bash History \| Cloud Account CONTRIBUTE A TEST \| Exploitation of Remote Services CONTRIBUTE A TEST \| Archive via Library \| Exfiltration Over Asymmetric Encrypted Non-C2 Protocol \| Commonly Used Port CONTRIBUTE A TEST \| Data Destruction \| \| | MIT License. © 2018 Red Canary |
atomic-red-team | windows-matrix.md | \| Compromise Software Supply Chain CONTRIBUTE A TEST \| Component Object Model CONTRIBUTE A TEST \| Active Setup CONTRIBUTE A TEST \| Accessibility Features \| Asynchronous Procedure Call \| Brute Force CONTRIBUTE A TEST \| Browser Bookmark Discovery \| Exploitation of Remote Services CONTRIBUTE A TEST \| Archive via Custom Method CONTRIBUTE A TEST \| Exfiltration Over Alternative Protocol \| Bidirectional Communication CONTRIBUTE A TEST \| Application or System Exploitation CONTRIBUTE A TEST \| \| | MIT License. © 2018 Red Canary |
atomic-red-team | windows-matrix.md | \| Default Accounts \| Component Object Model and Distributed COM CONTRIBUTE A TEST \| Add-ins \| Active Setup CONTRIBUTE A TEST \| BITS Jobs \| Cached Domain Credentials CONTRIBUTE A TEST \| Domain Account \| Internal Spearphishing CONTRIBUTE A TEST \| Archive via Library CONTRIBUTE A TEST \| Exfiltration Over Asymmetric Encrypted Non-C2 Protocol \| Commonly Used Port CONTRIBUTE A TEST \| Data Destruction \| \| | MIT License. © 2018 Red Canary |
atomic-red-team | T1046.md | \| nmap_url \| NMap installer download URL \| Url \| https://nmap.org/dist/nmap-7.80-setup.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1046.md | Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url} | MIT License. © 2018 Red Canary |
atomic-red-team | T1046.md | Start-Process $env:temp\nmap-7.80-setup.exe /S | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | Invoke-WebRequest 'https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi' -OutFile PathToAtomicsFolder\T1047\bin\tightvncinstaller.msi | MIT License. © 2018 Red Canary |
atomic-red-team | T1484.002.md | if ($new) { Write-Host "\`nFederation successfully added to Azure AD" } else { Write-Host "\`nThe federation setup failed" } | MIT License. © 2018 Red Canary |
signature-base | airbnb_binaryalert.yar | $a1 = "https://setup.icloud.com/setup/authenticate/" wide ascii | CC BY-NC 4.0 |
signature-base | airbnb_binaryalert.yar | $s8 = "Setup a communication socket with the process by injecting" fullword ascii wide | CC BY-NC 4.0 |
signature-base | apt_bluetermite_emdivi.yar | $x1 = "Setup=unsecess.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_bluetermite_emdivi.yar | $x2 = "Setup=leassnp.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_irontiger.yar | $s0 = "\setup.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_irontiger.yar | $s3 = "setup.exeUT" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_miniasp.yar | $x2 = "run http://%s/logo.png setup.exe" fullword ascii /* PEStudio Blacklist: strings / / score: '37.02' */ | CC BY-NC 4.0 |
signature-base | apt_op_honeybee.yar | $x1 = "cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32" | CC BY-NC 4.0 |
signature-base | apt_op_honeybee.yar | $x2 = "del /f /q %TEMP%\setup.cab && cliconfg.exe" | CC BY-NC 4.0 |
signature-base | apt_op_honeybee.yar | $s6 = "\setup.cab" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_promethium_neodymium.yar | $s2 = "c:\windows\temp\TrueCrypt-Setup-7.1a-tamindir.exe" fullword wide | CC BY-NC 4.0 |
signature-base | apt_sakula.yar | description = "Sakula shellcode - taken from decoded setup.msi but may not be unique enough to identify Sakula" | CC BY-NC 4.0 |
signature-base | apt_threatgroup_3390.yar | $s7 = "setup.exeUT" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_threatgroup_3390.yar | $s6 = "\setup.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_winnti_burning_umbrella.yar | $s1 = "c:\windows\ime\setup.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | cn_pentestset_tools.yar | description = "Sample from CN Honker Pentest Toolset - file setup.exe" | CC BY-NC 4.0 |
signature-base | crime_fireball.yar | $s3 = "\SETUP.dll" fullword wide | CC BY-NC 4.0 |
signature-base | crime_nopetya_jun17.yar | $x6 = "wevtutil cl Setup & wevtutil cl System" ascii | CC BY-NC 4.0 |
signature-base | gen_anomalies_keyword_combos.yar | $fp6 = "Paint.NET Setup" wide fullword | CC BY-NC 4.0 |
signature-base | gen_cn_hacktools.yar | $s2 = "SwitchSniffer Setup" fullword wide | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.