InfDefaultInstall.exe

  • File Path: C:\WINDOWS\system32\InfDefaultInstall.exe
  • Description: INF Default Install

Screenshot

InfDefaultInstall.exe InfDefaultInstall.exe InfDefaultInstall.exe

Hashes

Type Hash
MD5 68D873F4D2C51EA4D0C02E77D7A5159C
SHA1 96CB6B29C3E337B1EFE805233C9A1A9498DF3964
SHA256 E6283D2406C9B31C9A1F98CFEA2C9B9DAF44EB3D9B86B52BD253D5F83D7FC14E
SHA384 B848CB1CC6B93E231816A4695635B37443052C701F3FE9645B873D5918D74AA43629DC552313718F07E5CEFBDB23D69C
SHA512 349B54F5BAA78B27A67DD3E8C80D572641FE13DAA722977F335F1D8D9703C1A237891184360B1E5CC66C9F96392D602EFCA26E8BCC608E79F4B7BD08C7DD742E
SSDEEP 192:y9qvExuDZMiPxMLDL0Zef6RDahWNsu5WEI3ZZUpYas9aW/GW:7vExKZdxMLgHWyWOpYacaW/GW
IMP 85E247AC00016C5D35435F22FC7AB82E
PESHA1 1F6153C29AD77293BD6701848598B25A8997FA84
PE256 117E6A97A9C746A2A2DCB2345418BEC569CA993AC7315A1E5E54519416F70EB0

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\system32\InfDefaultInstall.exe
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcp_win.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\shell32.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: InfDefaultInstall.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 5.2.3668.0
  • Product Version: 5.2.3668.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/e6283d2406c9b31c9a1f98cfea2c9b9daf44eb3d9b86b52bd253d5f83d7fc14e/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\InfDefaultInstall.exe 30
C:\WINDOWS\system32\InfDefaultInstall.exe 29
C:\Windows\system32\InfDefaultInstall.exe 30
C:\Windows\system32\InfDefaultInstall.exe 33

Possible Misuse

The following table contains possible examples of InfDefaultInstall.exe being misused. While InfDefaultInstall.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma process_creation_infdefaultinstall.yml title: InfDefaultInstall.exe .inf Execution DRL 1.0
sigma process_creation_infdefaultinstall.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml DRL 1.0
sigma process_creation_infdefaultinstall.yml - 'InfDefaultInstall.exe ' DRL 1.0
LOLBAS Infdefaultinstall.yml Name: Infdefaultinstall.exe  
LOLBAS Infdefaultinstall.yml - Command: InfDefaultInstall.exe Infdefaultinstall.inf  
LOLBAS Infdefaultinstall.yml - Path: C:\Windows\System32\Infdefaultinstall.exe  
LOLBAS Infdefaultinstall.yml - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe  
atomic-red-team index.md - Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows] MIT License. © 2018 Red Canary
atomic-red-team T1218.md - Atomic Test #4 - InfDefaultInstall.exe .inf Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.md ## Atomic Test #4 - InfDefaultInstall.exe .inf Execution MIT License. © 2018 Red Canary
atomic-red-team T1218.md Test execution of a .inf using InfDefaultInstall.exe MIT License. © 2018 Red Canary
atomic-red-team T1218.md Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml MIT License. © 2018 Red Canary
atomic-red-team T1218.md | inf_to_execute | Local location of inf file | String | PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf| MIT License. © 2018 Red Canary
atomic-red-team T1218.md InfDefaultInstall.exe #{inf_to_execute} MIT License. © 2018 Red Canary
atomic-red-team T1218.md Invoke-WebRequest “https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf” -OutFile “#{inf_to_execute}” MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.