wininit.exe

  • File Path: C:\windows\system32\wininit.exe
  • Description: Windows Start-Up Application

Hashes

Type     Hash
MD5      D9516405E05F24EDCD90B1988FAF3948
SHA1     83D158A31A41C3FC37DB569F187108C754C629C8
SHA256   A283A3000E631E281EC3B9F2A029FAAF76AAF267BB8B1921FB2B9B0B51C87D19
SHA384   D51C6393B0E37B1DDDD4F83C1A2C1C79F248D8E44AA46F66D8FF98A6463C2CFD6A7DA1086A89DCBEFFBE8763A8680C54
SHA512   18F3EF2117FAB18B07560E1476CFB2D54485169376A72CCEF4684A57C2FAD4224872F2C8DA3014478FF382B59F2180BECFAE3A0144E6989A49E2B71AAC92CE3B
SSDEEP   3072:HWkZzyTGQQOLlDuoxY2AIhGqbGCwnulDopN7x1QiWhIDlAFBqs:HfMTBQOJpAIhPbGCwulDoplxK3SWF

Signature

  • Status: NotSigned. The tool used to collect this page reported that C:\windows\system32\wininit.exe carries no embedded digital signature. Note that Windows system binaries, wininit.exe included, are normally signed through catalog files (C:\Windows\System32\CatRoot) rather than with an embedded Authenticode signature, so a check that only looks at the file itself (for example Get-AuthenticodeSignature on older PowerShell versions) reports them as unsigned; verify with a catalog-aware tool such as Sysinternals sigcheck before treating an unsigned result as a finding.
  • Serial:
  • Thumbprint:
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: WinInit.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table lists examples from public detection rules and indicator sets in which wininit.exe appears. wininit.exe itself is not malicious: it is the Windows start-up application, launched by smss.exe in session 0, and it in turn starts services.exe and lsass.exe. Because its name, path and parent are so predictable, a wininit.exe running from a path other than System32, started by a parent other than smss.exe, or with an unexpected file size, and a file or directory that borrows the name (as in the XDSpy indicator below), are treated as anomalies worth investigating.

Source          Source File                                     Example                                                           License
sigma           win_susp_lsass_dump_generic.yml                 - '\wininit.exe'                                                  DRL 1.0
sigma           file_event_win_creation_system_file.yml         - '\wininit.exe'                                                  DRL 1.0
sigma           proc_access_win_cred_dump_lsass_access.yml      SourceImage: 'C:\Windows\system32\wininit.exe'                    DRL 1.0
sigma           proc_access_win_cred_dump_lsass_access.yml      # - '\wininit.exe'                                                DRL 1.0
sigma           proc_creation_win_abusing_debug_privilege.yml   - '\wininit.exe'                                                  DRL 1.0
sigma           proc_creation_win_proc_wrong_parent.yml         - '\wininit.exe'                                                  DRL 1.0
sigma           proc_creation_win_system_exe_anomaly.yml        - '\wininit.exe'                                                  DRL 1.0
malware-ioc     misp-xdspy-event.json                           "value": "%APPDATA%\\WINinit\\WINlogon.exe"                       © ESET 2014-2018
malware-ioc     xdspy                                           %APPDATA%\WINinit\WINlogon.exe                                    © ESET 2014-2018
signature-base  generic_anomalies.yar                           description = "Detects uncommon file size of wininit.exe"         CC BY-NC 4.0
signature-base  generic_anomalies.yar                           and filename == "wininit.exe"                                     CC BY-NC 4.0
signature-base  thor_inverse_matches.yar                        description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe"   CC BY-NC 4.0
signature-base  thor_inverse_matches.yar                        filename == "wininit.exe"                                         CC BY-NC 4.0
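The checks behind the path, parent and lsass-access entries in the table above can be expressed in a few lines of triage logic. The script below is an added example, not code from this page or from the Sigma, ESET or signature-base projects: it walks a handful of constructed Sysmon-style events (process creation, EventID 1, and process access, EventID 10) and flags a wininit.exe that runs outside System32, is started by something other than smss.exe, reads lsass.exe memory from a non-System32 path, or sits under a directory named "wininit" as in the XDSpy indicator. The baseline (System32 path, smss.exe parent, PROCESS_VM_READ as the right that dump tooling needs) is an assumption stated in the comments; the rule-like labels in the findings are the example's own and are not the cited rules' logic.

```python
# Added example: minimal Sysmon event triage for wininit.exe anomalies.
# Baseline assumptions (verify against your own environment): the genuine
# binary lives only in System32, is started by smss.exe, and is itself the
# parent of lsass.exe, so a handle from the real wininit.exe to lsass is
# expected and is deliberately not reported.
from pathlib import PureWindowsPath
from typing import List

LEGIT_WININIT = PureWindowsPath(r"C:\Windows\System32\wininit.exe")
LEGIT_PARENT = "smss.exe"
PROCESS_VM_READ = 0x10  # access right credential-dumping tools request on lsass.exe


def _is_wininit(path: PureWindowsPath) -> bool:
    return path.name.lower() == "wininit.exe"


def wininit_anomalies(event: dict) -> List[str]:
    """Return the anomaly labels that apply to one Sysmon event (ID 1 or ID 10)."""
    findings: List[str] = []
    if event["EventID"] == 1:  # process creation
        image = PureWindowsPath(event["Image"])
        parent = PureWindowsPath(event.get("ParentImage", ""))
        if _is_wininit(image):
            # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
            if image != LEGIT_WININIT:
                findings.append(f"system_exe_anomaly: wininit.exe launched from {image.parent}")
            if parent.name.lower() != LEGIT_PARENT:
                findings.append(f"wrong_parent: wininit.exe started by {parent.name or 'unknown'}")
        # A directory named 'wininit' anywhere in the path (the XDSpy indicator)
        # is masquerading regardless of what the file itself is called.
        if any(part.lower() == "wininit" for part in image.parts[:-1]):
            findings.append(f"masquerade: 'wininit' directory in {image}")
    elif event["EventID"] == 10:  # process access
        source = PureWindowsPath(event["SourceImage"])
        target = PureWindowsPath(event["TargetImage"])
        granted = int(event["GrantedAccess"], 16)  # Sysmon logs this as "0x...."
        if (target.name.lower() == "lsass.exe" and granted & PROCESS_VM_READ
                and _is_wininit(source) and source != LEGIT_WININIT):
            findings.append(f"lsass_access: lookalike {source} reads lsass.exe memory (0x{granted:x})")
    return findings


def scan(events) -> dict:
    """Map each event's RecordId to its findings, omitting clean events."""
    results = {}
    for event in events:
        findings = wininit_anomalies(event)
        if findings:
            results[event["RecordId"]] = findings
    return results


# Constructed sample events; paths and parents are made up for the demonstration.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1, "Image": r"C:\Windows\System32\wininit.exe",
     "ParentImage": r"C:\Windows\System32\smss.exe"},                       # clean
    {"RecordId": 2, "EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Temp\wininit.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                            # wrong path and parent
    {"RecordId": 3, "EventID": 1, "Image": r"C:\Users\bob\AppData\Roaming\WINinit\WINlogon.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                            # XDSpy-style directory
    {"RecordId": 4, "EventID": 10, "SourceImage": r"C:\Windows\Temp\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},  # lookalike reads lsass
    {"RecordId": 5, "EventID": 10, "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},  # real parent of lsass
]

if __name__ == "__main__":
    for record_id, findings in scan(SAMPLE_EVENTS).items():
        print(record_id, *findings, sep="\n  ")
```

Records 2, 3 and 4 are reported; records 1 and 5 are not, because the genuine binary at its System32 path with smss.exe as parent is the baseline, and its handle to lsass.exe is what you would expect from lsass's own parent. Pair this with a catalog-aware signature and hash check of the file at the reported path rather than relying on the path alone.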

MIT License. Copyright (c) 2020-2021 Strontic.