InfDefaultInstall.exe
- File Path:
C:\Windows\system32\InfDefaultInstall.exe - Description: INF Default Install
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | A18B52BBC5C39DAD58703CF92ACAA37C |
| SHA1 | 01D14AE4CDC53F0B163AFE3ECAEE5D73DA78D09F |
| SHA256 | B9407FDE5938ED7E2F467F85A465790D4BB9DF4210678067C43D44D1C0BC7CD1 |
| SHA384 | 9BF9A2EFF24588113F5B91742B35B9B118FD32034F64EC46FB09B6FB2858B921C4EFAE0F9266BDED6C9AD475B214C718 |
| SHA512 | 02E26C4C319139F4E85BE6CE83F51B43F1A0EE1AF2DA17500E95606463080AA4CA3D39ED9D832E1948078E4E5674C43E70D277EDD88249F13FFBF2B8CD7F4A59 |
| SSDEEP | 192:GsHUBEUUsyJYnfiDdHes4sDBeR4OI6iCIys9aW/GW:GhBzcYfih+QWIGcaW/GW |
| IMP | F43AA5D6A80539D248D371D78F9F66BF |
| PESHA1 | D5DE6A9D3FDEDC556293F3ECEBD713984C1EA31E |
| PE256 | 8CA7973309F67650291371CDF214A58BE3ACDF189A264938EEF319CBE767AD15 |
Runtime Data
Window Title:
Install Error
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\duser.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\imageres.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\InfDefaultInstall.exe.mui | File |
| (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\newdev.dll.mui | File |
| (R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_f47974b57ff45754\comctl32.dll.mui | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_f47974b57ff45754 | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567 | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\2\Windows\Theme2131664586 | Section |
| \Windows\Theme966197582 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\System32\advapi32.dll |
| C:\Windows\System32\bcrypt.dll |
| C:\Windows\System32\bcryptPrimitives.dll |
| C:\Windows\System32\cfgmgr32.dll |
| C:\Windows\System32\combase.dll |
| C:\Windows\System32\cryptsp.dll |
| C:\Windows\system32\DEVRTL.dll |
| C:\Windows\System32\GDI32.dll |
| C:\Windows\System32\gdi32full.dll |
| C:\Windows\system32\InfDefaultInstall.exe |
| C:\Windows\System32\kernel.appcore.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\system32\newdev.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\powrprof.dll |
| C:\Windows\System32\profapi.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\System32\sechost.dll |
| C:\Windows\System32\SETUPAPI.dll |
| C:\Windows\System32\shcore.dll |
| C:\Windows\System32\SHELL32.dll |
| C:\Windows\System32\shlwapi.dll |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\System32\USER32.dll |
| C:\Windows\System32\win32u.dll |
| C:\Windows\System32\windows.storage.dll |
| C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567\COMCTL32.dll |
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4 - Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: InfDefaultInstall.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 5.2.3668.0
- Product Version: 5.2.3668.0
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/72
- VirusTotal Link: https://www.virustotal.com/gui/file/b9407fde5938ed7e2f467f85a465790d4bb9df4210678067c43d44d1c0bc7cd1/detection/
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\WINDOWS\system32\InfDefaultInstall.exe | 30 |
| C:\Windows\system32\InfDefaultInstall.exe | 30 |
| C:\WINDOWS\system32\InfDefaultInstall.exe | 33 |
| C:\Windows\system32\InfDefaultInstall.exe | 33 |
Possible Misuse
The following table contains possible examples of InfDefaultInstall.exe being misused. While InfDefaultInstall.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_infdefaultinstall.yml | title: InfDefaultInstall.exe .inf Execution |
DRL 1.0 |
| sigma | proc_creation_win_infdefaultinstall.yml | - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml |
DRL 1.0 |
| sigma | proc_creation_win_infdefaultinstall.yml | - 'InfDefaultInstall.exe ' |
DRL 1.0 |
| LOLBAS | Infdefaultinstall.yml | Name: Infdefaultinstall.exe |
|
| LOLBAS | Infdefaultinstall.yml | - Command: InfDefaultInstall.exe Infdefaultinstall.inf |
|
| LOLBAS | Infdefaultinstall.yml | - Path: C:\Windows\System32\Infdefaultinstall.exe |
|
| LOLBAS | Infdefaultinstall.yml | - Path: C:\Windows\SysWOW64\Infdefaultinstall.exe |
|
| atomic-red-team | index.md | - Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.md | - Atomic Test #4 - InfDefaultInstall.exe .inf Execution | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.md | ## Atomic Test #4 - InfDefaultInstall.exe .inf Execution | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.md | Test execution of a .inf using InfDefaultInstall.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.md | Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.md | | inf_to_execute | Local location of inf file | String | PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.md | InfDefaultInstall.exe #{inf_to_execute} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.md | Invoke-WebRequest “https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf” -OutFile “#{inf_to_execute}” | MIT License. © 2018 Red Canary |
MIT License. Copyright (c) 2020-2021 Strontic.