setup.exe

  • File Path: C:\Program Files\Google\Chrome\Application\85.0.4183.121\Installer\setup.exe
  • Description: Google Chrome Installer

Hashes

| Type | Hash |
|---|---|
| MD5 | AEA2671A54A5A19A449CA1F268F1D7BD |
| SHA1 | 14F565D448948BD23C563C27368BD08ACFD17B66 |
| SHA256 | 62ECBB932E0211217F62BD0D3D5744A54104E2431E27FF7A7822A25D04A8581B |
| SHA384 | 58904E6397FB0EE788E1631CDBDA807B429ACC8955B22D17CB87D25DDA1003FAFE8A789C37B9B89C60E89826792D4A19 |
| SHA512 | 73D8BF7C0BDF08502B8557176BDF192E9F1554CCF07C0540973F52071BE2E3C47F6C2B95444088EEBF7DFB29BFD8DE2E54A5BE2DB0BA74698EAA2287EED9E7E6 |
| SSDEEP | 49152:rk1nc3R1lRf+yAHLvThf0we+9fPF0RkBOETd4re:BbbAHPFDp4C |
| IMP | 81EE900A026224A1AA3F301BA1D6C063 |
| PESHA1 | B414823271439836526B15CAF9AB0A6E932D421A |
| PE256 | 4A8173B295F589C18D4594257AA8082626F4F977F3718A43CFD0A9917A291662 |

Runtime Data

Usage (stderr):

[0924/171436.389:ERROR:setup_main.cc(519)] Already installed version 85.0.4183.121 at system-level conflicts with this one at user-level.
[0924/171436.404:ERROR:persistent_histogram_storage.cc(121)] Could not write "SetupMetrics" persistent histograms to file as the storage directory does not exist.

Child Processes:

chrome.exe

Loaded Modules:

Path
C:\Program Files\Google\Chrome\Application\85.0.4183.121\Installer\setup.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\NETAPI32.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\SYSTEM32\PROPSYS.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\SYSTEM32\urlmon.dll
C:\Windows\System32\USER32.dll
C:\Windows\SYSTEM32\VERSION.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\WS2_32.dll
C:\Windows\SYSTEM32\WTSAPI32.dll

Signature

  • Status: Signature verified.
  • Serial: 0C15BE4A15BB0903C901B1D6C265302F
  • Thumbprint: CB7E84887F3C6015FE7EDFB4F8F36DF7DC10590E
  • Issuer: CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  • Subject: CN=Google LLC, O=Google LLC, L=Mountain View, S=ca, C=US

File Metadata

  • Original Filename:
  • Product Name: Google Chrome Installer
  • Company Name: Google LLC
  • File Version: 85.0.4183.121
  • Product Version: 85.0.4183.121
  • Language: English (United States)
  • Legal Copyright: Copyright 2020 Google LLC. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/62ecbb932e0211217f62bd0d3d5744a54104e2431e27ff7a7822a25d04a8581b/detection/

File Similarity (ssdeep match)

| File | Score |
|---|---|
| C:\Program Files\Google\Chrome\Application\85.0.4183.121\Installer\chrmstp.exe | 100 |
| C:\program files\Google\Chrome\Application\85.0.4183.83\Installer\chrmstp.exe | 88 |
| C:\program files\Google\Chrome\Application\85.0.4183.83\Installer\setup.exe | 88 |

Possible Misuse

The following table contains possible examples of setup.exe being misused. While setup.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sigma-test.yml | uses: actions/setup-python@v1 | DRL 1.0 |
| sigma | aws_update_login_profile.yml | An attacker with the iam:UpdateLoginProfile permission on other users can change the password used to login to the AWS console on any user that already has a login profile setup. | DRL 1.0 |
| sigma | cisco_cli_net_sniff.yml | description: Show when a monitor or a span/rspan is setup or modified | DRL 1.0 |
| sigma | cisco_cli_net_sniff.yml | - Admins may setup new or modify old spans, or use a monitor for troubleshooting | DRL 1.0 |
| sigma | win_iso_mount.yml | ObjectName: '\Device\CdRom0\setup.exe' | DRL 1.0 |
| sigma | win_susp_eventlog_cleared.yml | - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) | DRL 1.0 |
| sigma | win_system_susp_eventlog_cleared.yml | - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) | DRL 1.0 |
| sigma | file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml | - 'C:\Windows\system32\config\cy-GB\Setup\SKB\InputMethod\TupTask.dat' | DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | SourceImage\|endswith: \Installer\setup.exe | DRL 1.0 |
| sigma | proc_creation_win_apt_winnti_pipemon.yml | - 'setup.exe' | DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2019_1378.yml | - 'C:\Windows\Setup\Scripts\' | DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2019_1378.yml | - 'C:\Windows\Setup\' | DRL 1.0 |
| sigma | proc_creation_win_powershell_cmdline_special_characters.yml | - Amazon SSM Document Worker # fp example: powershell " [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 $keyExists = Test-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $jsonObj = @() if ($keyExists) { $key = Get-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $valueNames = $key.GetValueNames(); foreach ($valueName in $valueNames) { $value = $key.GetValue($valueName); if ($value -gt 0) { $installed = "True" } else { $installed = "False" } $jsonObj += @" {"Name": "$valueName", "Installed": "$installed"} "@ } } $result = $jsonObj -join "," $result = "[" + $result + "]" [Console]::WriteLine($result) | DRL 1.0 |
| sigma | proc_creation_win_susp_run_folder.yml | - 'C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\BackgroundDownload.exe' | DRL 1.0 |
| sigma | proc_creation_win_vmtoolsd_susp_child_process.yml | description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification.yml | - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification.yml | - '\SYSTEM\Setup\CmdLine' | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification.yml | - '\SOFTWARE\Microsoft\Active Setup\Installed Components' | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_common.yml | - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_common.yml | - '\SYSTEM\Setup\CmdLine' | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_common.yml | - '\SOFTWARE\Microsoft\Active Setup\Installed Components' | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_common.yml | TargetObject\|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\' | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_wow6432node.yml | - '\setup.exe' | DRL 1.0 |
| sigma | registry_event_mal_flowcloud.yml | - 'HKLM\SYSTEM\Setup\PrintResponsor\' | DRL 1.0 |
| sigma | registry_event_new_application_appcompat.yml | - Newly setup system. | DRL 1.0 |
| sigma | registry_event_runonce_persistence.yml | TargetObject\|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components' | DRL 1.0 |
| LOLBAS | Setup.yml | Name: Setup.exe | |
| LOLBAS | Setup.yml | - Command: Run Setup.exe | |
| LOLBAS | Setup.yml | Description: Hijack hpbcsiServiceMarshaller.exe and run Setup.exe to launch a payload. | |
| LOLBAS | OneDriveStandaloneUpdater.yml | - IOC: Reports of downloading from suspicious URLs in %localappdata%\OneDrive\setup\logs\StandaloneUpdate_*.log files | |
| LOLBAS | Runonce.yml | - IOC: Registy key add - HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\YOURKEY | |
| LOLBAS | Setupapi.yml | Description: Windows Setup Application Programming Interface | |
| LOLBAS | Syssetup.yml | Description: Windows NT System Setup | |
| malware-ioc | attor | %COMMONAPPDATA%\Adobe\Setup\Replicate\US-sf | © ESET 2014-2018 |
| malware-ioc | attor | %COMMONAPPDATA%\Adobe\Setup\Replicate\US-nh | © ESET 2014-2018 |
| malware-ioc | attor | %COMMONAPPDATA%\Adobe\Setup\Replicate\US-zn | © ESET 2014-2018 |
| malware-ioc | attor | %COMMONAPPDATA%\Adobe\Setup\Replicate\US-pq | © ESET 2014-2018 |
| malware-ioc | evilnum | \|C8458A1568639EA2270E1845B0A386FF75C23421\|nvstviews.exe \|ALPS Setup \|B1C248AD370D1ACE6FA03572CE1AE6297E14A3F8 | © ESET 2014-2018 |
| malware-ioc | glupteba.misp-event.json | "value": "setup.exe\|f7230b2cab4e4910bca473b39ee8fd4df394ce0d", | © ESET 2014-2018 |
| malware-ioc | glupteba | \|F7230B2CAB4E4910BCA473B39EE8FD4DF394CE0D\|setup.exe \|MSIL/Adware.CsdiMonetize.AG | © ESET 2014-2018 |
| malware-ioc | win_apt_invisimole_wdigest_chain.yml | - Legitimate use of the Wireless Network Setup Wizard | © ESET 2014-2018 |
| malware-ioc | win_lolbin_setupSNK.yml | title: Wireless Network Setup Settings Changed | © ESET 2014-2018 |
| malware-ioc | win_lolbin_setupSNK.yml | - Legitimate use of the Wireless Network Setup Wizard | © ESET 2014-2018 |
| malware-ioc | misp-kryptocibule.json | "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\Setup.dll", | © ESET 2014-2018 |
| malware-ioc | misp-kryptocibule.json | "value": "%ProgramFiles(X86)%\\Adobe\\Acrobat Reader DC\\Reader\\Update\\setup-version.json", | © ESET 2014-2018 |
| malware-ioc | kryptocibule | %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\Setup.dll | © ESET 2014-2018 |
| malware-ioc | kryptocibule | %ProgramFiles(X86)%\Adobe\Acrobat Reader DC\Reader\Update\setup-version.json | © ESET 2014-2018 |
| malware-ioc | potao | Fake TrueCrypt Setup: | © ESET 2014-2018 |
| malware-ioc | 2021_T2 | Setup | © ESET 2014-2018 |
| malware-ioc | windigo | depending on your setup. For example we know that suPHP uses shared memory. | © ESET 2014-2018 |
| malware-ioc | winnti_group | setup.exe | © ESET 2014-2018 |
| atomic-red-team | index.md | - T1547.014 Active Setup | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - T1547.014 Active Setup | MIT License. © 2018 Red Canary |
| atomic-red-team | T1046.md | \| nmap_url \| NMap installer download URL \| Url \| https://nmap.org/dist/nmap-7.80-setup.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1046.md | Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1046.md | Start-Process $env:temp\nmap-7.80-setup.exe /S | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | Invoke-WebRequest 'https://www.tightvnc.com/download/2.8.63/tightvnc-2.8.63-gpl-setup-64bit.msi' -OutFile PathToAtomicsFolder\T1047\bin\tightvncinstaller.msi | MIT License. © 2018 Red Canary |
| atomic-red-team | T1484.002.md | if ($new) { Write-Host "nFederation successfully added to Azure AD" } else { Write-Host "nThe federation setup failed" } | MIT License. © 2018 Red Canary |
| signature-base | airbnb_binaryalert.yar | $a1 = "https://setup.icloud.com/setup/authenticate/" wide ascii | CC BY-NC 4.0 |
| signature-base | airbnb_binaryalert.yar | $s8 = "Setup a communication socket with the process by injecting" fullword ascii wide | CC BY-NC 4.0 |
| signature-base | apt_bluetermite_emdivi.yar | $x1 = "Setup=unsecess.exe" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_bluetermite_emdivi.yar | $x2 = "Setup=leassnp.exe" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_irontiger.yar | $s0 = "\setup.exe" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_irontiger.yar | $s3 = "setup.exeUT" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_miniasp.yar | $x2 = "run http://%s/logo.png setup.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '37.02' */ | CC BY-NC 4.0 |
| signature-base | apt_op_honeybee.yar | $x1 = "cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32" | CC BY-NC 4.0 |
| signature-base | apt_op_honeybee.yar | $x2 = "del /f /q %TEMP%\setup.cab && cliconfg.exe" | CC BY-NC 4.0 |
| signature-base | apt_op_honeybee.yar | $s6 = "\setup.cab" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_promethium_neodymium.yar | $s2 = "c:\windows\temp\TrueCrypt-Setup-7.1a-tamindir.exe" fullword wide | CC BY-NC 4.0 |
| signature-base | apt_sakula.yar | description = "Sakula shellcode - taken from decoded setup.msi but may not be unique enough to identify Sakula" | CC BY-NC 4.0 |
| signature-base | apt_threatgroup_3390.yar | $s7 = "setup.exeUT" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_threatgroup_3390.yar | $s6 = "\setup.exe" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_winnti_burning_umbrella.yar | $s1 = "c:\windows\ime\setup.exe" fullword ascii | CC BY-NC 4.0 |
| signature-base | cn_pentestset_tools.yar | description = "Sample from CN Honker Pentest Toolset - file setup.exe" | CC BY-NC 4.0 |
| signature-base | crime_fireball.yar | $s3 = "\SETUP.dll" fullword wide | CC BY-NC 4.0 |
| signature-base | crime_nopetya_jun17.yar | $x6 = "wevtutil cl Setup & wevtutil cl System" ascii | CC BY-NC 4.0 |
| signature-base | gen_anomalies_keyword_combos.yar | $fp6 = "Paint.NET Setup" wide fullword | CC BY-NC 4.0 |
| signature-base | gen_cn_hacktools.yar | $s2 = "SwitchSniffer Setup" fullword wide | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.