TpmInit.exe

File Path: C:\Windows\SysWOW64\TpmInit.exe
Description: TPM Initialization Wizard

Screenshot

TpmInit.exe

Hashes

Type	Hash
MD5	`23E73EAD4C5304744E76E8ECE21273BC`
SHA1	`6C1B56CB711D28DFC04929041E51D5F1BA6792E7`
SHA256	`2A7081195ACF53B272040BD4F232691B626B522123D3FE402FCA91B3FD64F158`
SHA384	`9A585D718B2150B9CC2EA5E613B397A8729567FAF8341AEEF757CCD0E2B55AD2F2483124586789B2E469EF4CC220C922`
SHA512	`7410638DB8B2D46B4E0520B53F3BED53F10B5A7EF1E246356D5D9B5570B020F434DF9463FB3D10DE08FE8F8845A8E280DE8718BA6ECA72F8C4E6569F19DFB761`
SSDEEP	`1536:OUeKzb+/P25nDmXSHuGiceY0lA3CJHkxUM:Le2b+/P25R+PYfSFkx1`
IMP	`80D512028EB708EE52E1A6F4BAB6259F`
PESHA1	`5E0A6F2AE28E92CC78CE737ED527B3AAB50DF7F4`
PE256	`C1F8446BF067457EF6328118675A9ADC92E8101C9E96460471F02957AC49392C`

Runtime Data

Window Title:

Manage the TPM security hardware

Open Handles:

Path	Type
(R-D) C:\Windows\Fonts\StaticCache.dat	File
(R-D) C:\Windows\System32\en-US\duser.dll.mui	File
(R-D) C:\Windows\System32\en-US\imageres.dll.mui	File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui	File
(R-D) C:\Windows\System32\en-US\TpmInit.exe.mui	File
(R-D) C:\Windows\System32\netmsg.dll	File
(R-D) C:\Windows\SysWOW64\en-US\netmsg.dll.mui	File
(R-D) C:\Windows\SysWOW64\en-US\oleaccrc.dll.mui	File
(R-D) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_3c26ab8c9470805a\comctl32.dll.mui	File
(RW-) C:\Users\user	File
(RW-) C:\Windows	File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_3c26ab8c9470805a	File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_261b62a767ca4e6d	File
\BaseNamedObjects__ComCatalogCache__	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db	Section
\BaseNamedObjects\C:ProgramDataMicrosoftWindowsCaches*cversions.2.ro	Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0	Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0	Section
\RPC Control\DSECFAC	Section
\Sessions\2\Windows\Theme2131664586	Section
\Windows\Theme966197582	Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\TpmInit.exe

Signature

Status: Signature verified.
Serial: 33000001C422B2F79B793DACB20000000001C4
Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: TpmInit.EXE
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.17763.1 (WinBuild.160101.0800)
Product Version: 10.0.17763.1
Language: English (United States)
Machine Type: 32-bit

File Scan

VirusTotal Detections: 0/71
VirusTotal Link: https://www.virustotal.com/gui/file/2a7081195acf53b272040bd4f232691b626b522123d3fe402fca91b3fd64f158/detection/

File Similarity (ssdeep match)

File	Score
C:\Windows\system32\tpmcompc.dll	66
C:\WINDOWS\system32\TpmInit.exe	50
C:\Windows\system32\TpmInit.exe	52
C:\Windows\system32\TpmInit.exe	60
C:\Windows\system32\TpmInit.exe	52
C:\WINDOWS\system32\TpmInit.exe	54
C:\windows\system32\TpmInit.exe	38
C:\Windows\SysWOW64\tpmcompc.dll	60
C:\WINDOWS\SysWOW64\TpmInit.exe	54
C:\Windows\SysWOW64\TpmInit.exe	60
C:\WINDOWS\SysWOW64\TpmInit.exe	65
C:\windows\SysWOW64\TpmInit.exe	49
C:\Windows\SysWOW64\TpmInit.exe	50

Possible Misuse

The following table contains possible examples of TpmInit.exe being misused. While TpmInit.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
malware-ioc	nukesped_lazarus	`.`TpmInit.EXE``{:.highlight .language-cmhg}	© ESET 2014-2018