wininit.exe

  • File Path: C:\WINDOWS\system32\wininit.exe
  • Description: Windows Start-Up Application

Hashes

| Type | Hash |
| --- | --- |
| MD5 | 663AADD311AB334B5715D16731A4BB93 |
| SHA1 | B69660ACD078CA6E3D0980BC5F2C1AE2BF7384CC |
| SHA256 | F118A260B679960D7FD27EB3F3B718AC5482912EA43D16AC06F52F563C386830 |
| SHA384 | 74C74F9E0E5943B352762E6B404FF53328021AEEAE24AA831164D92BF6A66F06F6E4CD11913CED996F41FF1324D6CB10 |
| SHA512 | E4145772DA95D794EFA150119E7FD05058DB1119E1F36D7205D3E82D1FC89CEA839B38B9892AFC0D467EA30F626E93C818C503B043B187B1DBA694C54C304B66 |
| SSDEEP | 12288:CDxyAp6pLvbc1x22rhwsXpdZSUjg9ontQWDPPjBadlrU5eKCf6U2M9Pj67GhkdAR:Aytvbc1x22VbZSUjg9onOUPPjgVKSvNX |
| IMP | 0462EF3C39B80F3B31D7423866ED65EB |
| PESHA1 | 0DEFDDACD207FE1CCD6A5D28225BC6DBC16304C7 |
| PE256 | CFDC4533804491A63C0730217C386F4C6DD9E8C527AAF8DDDE03833E2E1EB703 |

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WinInit.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/f118a260b679960d7fd27eb3f3b718ac5482912ea43d16ac06f52f563c386830/detection

Possible Misuse

The following table contains possible examples of wininit.exe being misused. While wininit.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | win_susp_lsass_dump_generic.yml | `- '\wininit.exe'` | DRL 1.0 |
| sigma | file_event_win_creation_system_file.yml | `- '\wininit.exe'` | DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | `SourceImage: 'C:\Windows\system32\wininit.exe'` | DRL 1.0 |
| sigma | proc_access_win_cred_dump_lsass_access.yml | `# - '\wininit.exe'` | DRL 1.0 |
| sigma | proc_creation_win_abusing_debug_privilege.yml | `- '\wininit.exe'` | DRL 1.0 |
| sigma | proc_creation_win_proc_wrong_parent.yml | `- '\wininit.exe'` | DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | `- '\wininit.exe'` | DRL 1.0 |
| malware-ioc | misp-xdspy-event.json | `"value": "%APPDATA%\\WINinit\\WINlogon.exe",` | © ESET 2014-2018 |
| malware-ioc | xdspy | `* ++%APPDATA%\WINinit\WINlogon.exe++` | © ESET 2014-2018 |
| signature-base | generic_anomalies.yar | `description = "Detects uncommon file size of wininit.exe"` | CC BY-NC 4.0 |
| signature-base | generic_anomalies.yar | `and filename == "wininit.exe"` | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | `description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe"` | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | `filename == "wininit.exe"` | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.