ie4uinit.exe

  • File Path: C:\Windows\system32\ie4uinit.exe
  • Description: IE Per-User Initialization Utility

Hashes

Type Hash
MD5 D9A6E4AF6CE27EF8A14BA04E06C3A31C
SHA1 79E0906C0575876A297DDAFCFD1F6BCE32766531
SHA256 9E4365B2E2BEDCAF66A12E11665962A617691643DFADAEA53AC9732247F0E2B1
SHA384 5589161F8633B2F774A162953AC82C7A3A36DE570FC5656181D05D997F6EC86028CF0142D36966D99657FB327B3529B9
SHA512 3637A890D2678E55A314CC24E5025130E51FDAB5332F863AB826255ABABB42ED04F026EE8CAD21D2C6097C68D9F0DE1536EB226E5EC4E6DF1108CE04DC2D6745
SSDEEP 6144:KgCW/eznNRDvuA6VBMah2DzQHdFDADz5l9ItK:KXWgTClhndF
IMP AE9B039EFA096B7A0B1FD63D51F43863
PESHA1 4448571BEF08AAD7340495C826E3B0F383D34F69
PE256 D2E23B855C14E85F3897991458729AFC36F69E7F9C731DE8056DFCC8726A7E6E

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\System32\en-US\ie4uinit.exe.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\system32\ie4uinit.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: IE4UINIT.EXE.MUI
  • Product Name: Internet Explorer
  • Company Name: Microsoft Corporation
  • File Version: 11.00.19041.1 (WinBuild.160101.0800)
  • Product Version: 11.00.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/9e4365b2e2bedcaf66a12e11665962a617691643dfadaea53ac9732247f0e2b1/detection

Possible Misuse

The following table contains possible examples of ie4uinit.exe being misused. While ie4uinit.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
LOLBAS Ie4uinit.yml Name: Ie4uinit.exe  
LOLBAS Ie4uinit.yml - Command: ie4uinit.exe -BaseSettings  
LOLBAS Ie4uinit.yml Description: Executes commands from a specially prepared ie4uinit.inf file.  
LOLBAS Ie4uinit.yml - Path: c:\windows\system32\ie4uinit.exe  
LOLBAS Ie4uinit.yml - Path: c:\windows\sysWOW64\ie4uinit.exe  
LOLBAS Ie4uinit.yml - IOC: ie4uinit.exe copied outside of %windir%  
LOLBAS Ie4uinit.yml - IOC: ie4uinit.exe loading an inf file (ieuinit.inf) from outside %windir%  
malware-ioc nukesped_lazarus .IE4UINIT.exe``{:.highlight .language-cmhg} © ESET 2014-2018

MIT License. Copyright (c) 2020-2021 Strontic.