wininit.exe

  • File Path: C:\Windows\system32\wininit.exe
  • Description: Windows Start-Up Application

Hashes

Type   | Hash
-------|-----
MD5    | 5A998F811D7805B79B8E769027F62FD2
SHA1   | 46BBE99E579E9CAE86A249B556243C5CBBCD00B4
SHA256 | 8694C5732D26921EEA29589A9FA4182139EF3D9EA6B6D0ACCA8994B4AA5DEFE5
SHA384 | 848F78692AD67D76AF875D3317303BA50E3919E1BECB2693EC6CB9B9EADA0FD2A41163EF5AE5D29E3AED7F08B15D0047
SHA512 | D25E505C48A417B639311CC7A8AF1E8360F3E9AC3189EF7B1C02D44258CA8E668E00337BE11993B1DA71F21FE5FB11A2C1D430B9B874CA62DEEA026C17029881
SSDEEP | 6144:NbuwYWApz2Q7BypXPZBxJT+ywlA7finB+6lwzQ+boT:NbHApKQ7ByhZHV+fLEzQT

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WinInit.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table lists detection rules and threat-intelligence indicators that reference wininit.exe. While wininit.exe is not inherently malicious, its legitimate functionality (and its name) can be abused for malicious purposes, for example by masquerading a malicious binary under the same name outside C:\Windows\system32.

Source         | Source File                                   | Example                                                                                                                                      | License
---------------|-----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|---------
sigma          | win_susp_lsass_dump_generic.yml               | - '\wininit.exe'                                                                                                                             | DRL 1.0
sigma          | file_event_win_creation_system_file.yml       | - '\wininit.exe'                                                                                                                             | DRL 1.0
sigma          | proc_access_win_cred_dump_lsass_access.yml    | SourceImage: 'C:\Windows\system32\wininit.exe'                                                                                               | DRL 1.0
sigma          | proc_access_win_cred_dump_lsass_access.yml    | # - '\wininit.exe'                                                                                                                           | DRL 1.0
sigma          | proc_creation_win_abusing_debug_privilege.yml | - '\wininit.exe'                                                                                                                             | DRL 1.0
sigma          | proc_creation_win_proc_wrong_parent.yml       | - '\wininit.exe'                                                                                                                             | DRL 1.0
sigma          | proc_creation_win_system_exe_anomaly.yml      | - '\wininit.exe'                                                                                                                             | DRL 1.0
malware-ioc    | misp-xdspy-event.json                         | "value": "%APPDATA%\\WINinit\\WINlogon.exe",                                                                                                 | © ESET 2014-2018
malware-ioc    | xdspy                                         | * ++%APPDATA%\WINinit\WINlogon.exe++``{:.highlight .language-cmhg}                                                                            | © ESET 2014-2018
signature-base | generic_anomalies.yar                         | description = "Detects uncommon file size of wininit.exe"                                                                                    | CC BY-NC 4.0
signature-base | generic_anomalies.yar                         | and filename == "wininit.exe"                                                                                                                | CC BY-NC 4.0
signature-base | thor_inverse_matches.yar                      | description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe"       | CC BY-NC 4.0
signature-base | thor_inverse_matches.yar                      | filename == "wininit.exe"                                                                                                                    | CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.