wininit.exe

  • File Path: C:\Windows\system32\wininit.exe
  • Description: Windows Start-Up Application

Hashes

Type    | Hash
MD5     | 4BD4AFF6FD90E92043818B79FDE27F09
SHA1    | 9BAB4B46AD34A361009DE8F7690B75A696C3F5DA
SHA256  | D2B87EA160882698CA6AC6FCF3D5739B41C14794428F6C00639417BC76AF5610
SHA384  | 9961FF06F64F2754F91232F915333B5F965B75CF4F484D7CF51BBC99E4CDF2E5CEE25DD3AD47608EAA677EF997BC04B6
SHA512  | 3DAA48F70BAD5DE3F07719633A85DE6E85C0E270DB518C287E33FF5B63F647DE87A32DE14F6E6AE97FDE75116AB974CF4F27E1A233CF04652FAB8BD0822B5FF7
SSDEEP  | 6144:WmSLEbAt4fhL1LN3Ur7YZ/w5v1ORjGlZ9vKrphFowvGvkBxWXU04wJDv:WmiZ6fhL/3KcZ/mv1UoZMrpjIDv
IMP     | 85FBE914B8417B5F0760060AB1D1104B
PESHA1  | 458A7F586EE8B27875F01D719A21970C2DC7C6F9
PE256   | 1D20331C1C5C77520B4F2B80E077904BCF2B54DDE4E3BA95159DCA5B7A4D4557

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WinInit.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/66
  • VirusTotal Link: https://www.virustotal.com/gui/file/d2b87ea160882698ca6ac6fcf3d5739b41c14794428f6c00639417bc76af5610/detection/

Possible Misuse

The following table contains possible examples of wininit.exe being misused. While wininit.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source         | Source File                                  | Example                                                                                                                                     | License
sigma          | win_susp_lsass_dump_generic.yml              | - '\wininit.exe'                                                                                                                            | DRL 1.0
sigma          | file_event_win_creation_system_file.yml      | - '\wininit.exe'                                                                                                                            | DRL 1.0
sigma          | proc_access_win_cred_dump_lsass_access.yml   | SourceImage: 'C:\Windows\system32\wininit.exe'                                                                                              | DRL 1.0
sigma          | proc_access_win_cred_dump_lsass_access.yml   | # - '\wininit.exe'                                                                                                                          | DRL 1.0
sigma          | proc_creation_win_abusing_debug_privilege.yml | - '\wininit.exe'                                                                                                                           | DRL 1.0
sigma          | proc_creation_win_proc_wrong_parent.yml      | - '\wininit.exe'                                                                                                                            | DRL 1.0
sigma          | proc_creation_win_system_exe_anomaly.yml     | - '\wininit.exe'                                                                                                                            | DRL 1.0
malware-ioc    | misp-xdspy-event.json                        | "value": "%APPDATA%\\WINinit\\WINlogon.exe",                                                                                                | © ESET 2014-2018
malware-ioc    | xdspy                                        | * %APPDATA%\WINinit\WINlogon.exe                                                                                                            | © ESET 2014-2018
signature-base | generic_anomalies.yar                        | description = "Detects uncommon file size of wininit.exe"                                                                                   | CC BY-NC 4.0
signature-base | generic_anomalies.yar                        | and filename == "wininit.exe"                                                                                                               | CC BY-NC 4.0
signature-base | thor_inverse_matches.yar                     | description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe"      | CC BY-NC 4.0
signature-base | thor_inverse_matches.yar                     | filename == "wininit.exe"                                                                                                                   | CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.