wininit.exe

  • File Path: C:\Windows\system32\wininit.exe
  • Description: Windows Start-Up Application

Hashes

Type Hash
MD5 4E20895E641F2C3E68AB3DB91A1A16F1
SHA1 389E257A924EA521E830C31712494D33B38841A8
SHA256 13AD43EE6D19DFC9709C3106D796BC3F21791A564E443D042A5AA117F2680649
SHA384 C71640EA1868CC86442CDDAD20B78050CEBC621CD40A683CA24372129DC1369268BA68CEFDB1A51F15645D9363BF766F
SHA512 A07B7A2E15DF539EB30191EA299647DB76094FD6E82DD64C5B3BB95D3580E0B2B0626F820D1173FE1BB2101C6218F1BA0F9935A0E97A5096E4D9854D96CBFC1D
SSDEEP 6144:AVLkQEn9bUD8CMLCwauZ16ST3wZCGe3kVzW7V7aDVkOTeeBRIrfjBpH:AWN9ID3C37Z16ST45eHaR5gfjj
IMP C2F90ACB28AF147D0D0C3408B9EE38C5
PESHA1 691F52A416F67F16FD77EA3C833D07FBEA2887A7
PE256 41D8B8DFDF9EFE46FA36847129BC544F65CC7F22E98C6D0B051162871115A0D6

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WinInit.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/13ad43ee6d19dfc9709c3106d796bc3f21791a564e443d042a5aa117f2680649/detection/

Possible Misuse

The following table contains possible examples of wininit.exe being misused. While wininit.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_lsass_dump_generic.yml - '\wininit.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\wininit.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml SourceImage: 'C:\Windows\system32\wininit.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml # - '\wininit.exe' DRL 1.0
sigma proc_creation_win_abusing_debug_privilege.yml - '\wininit.exe' DRL 1.0
sigma proc_creation_win_proc_wrong_parent.yml - '\wininit.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\wininit.exe' DRL 1.0
malware-ioc misp-xdspy-event.json "value": "%APPDATA%\\WINinit\\WINlogon.exe", © ESET 2014-2018
malware-ioc xdspy * ++%APPDATA%\WINinit\WINlogon.exe++``{:.highlight .language-cmhg} © ESET 2014-2018
signature-base generic_anomalies.yar description = “Detects uncommon file size of wininit.exe” CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == “wininit.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “wininit.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.