wininit.exe

  • File Path: C:\Windows\system32\wininit.exe
  • Description: Windows Start-Up Application

Hashes

Type Hash
MD5 DB516676B9D40004985E6D25A74943D7
SHA1 6038C6B6788F98832506B788A3D55F30941D1FBB
SHA256 69EEC502A5423F3E947465D3EAF8D1DF9CCB8477A27C361BE314E21671D71205
SHA384 FE489D42FBC10C1A3E1658F89E818639800D7F650F7DBB1B1FFFDAC7539A96B699012458108CFE2CBC81C508334D52C5
SHA512 F6EDB903529250A913D33DC409D4257A7E80982DA74CEDDB935451EA8B0E0DAEB1BF369974BA368CB8CBFF715B7F0B0F4B944FA2038AEFF51FCC9EA74F5C0576
SSDEEP 6144:GM7PELSPbmhw6ZRxTtkNHWriIE/Fc89lzZkc2i2ZubIpsgeoAXLnwJDu:GM7Eomhw67zKHWriH/Fc8rzXHULDu
IMP 5DD14AFAB46B0C83EA7A6093D7355FA9
PESHA1 3C985E7372C97D97C6998B983C02699607132AC0
PE256 2063A415E532F2BA5BD3D59B474FB0D5F614B887DA5B08637DF3B3DCB19E541D

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WinInit.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/69eec502a5423f3e947465d3eaf8d1df9ccb8477a27c361be314e21671d71205/detection

Possible Misuse

The following table contains possible examples of wininit.exe being misused. wininit.exe is not itself malicious: it is the Session 0 start-up process that smss.exe launches during boot and that in turn starts services.exe and lsass.exe, running as SYSTEM from C:\Windows\System32. Because it is trusted and always present, the rules below key on anomalies around it rather than on the binary itself: a process of that name running from another directory or under an unexpected parent, an uncommon file size for the on-disk binary, malware borrowing the name in its own paths (the XDSpy entries), and its involvement in LSASS-access and debug-privilege rules.

Source | Source File | Example | License
sigma | win_susp_lsass_dump_generic.yml | - '\wininit.exe' | DRL 1.0
sigma | file_event_win_creation_system_file.yml | - '\wininit.exe' | DRL 1.0
sigma | proc_access_win_cred_dump_lsass_access.yml | SourceImage: 'C:\Windows\system32\wininit.exe' | DRL 1.0
sigma | proc_access_win_cred_dump_lsass_access.yml | # - '\wininit.exe' | DRL 1.0
sigma | proc_creation_win_abusing_debug_privilege.yml | - '\wininit.exe' | DRL 1.0
sigma | proc_creation_win_proc_wrong_parent.yml | - '\wininit.exe' | DRL 1.0
sigma | proc_creation_win_system_exe_anomaly.yml | - '\wininit.exe' | DRL 1.0
malware-ioc | misp-xdspy-event.json | "value": "%APPDATA%\\WINinit\\WINlogon.exe" | © ESET 2014-2018
malware-ioc | xdspy | %APPDATA%\WINinit\WINlogon.exe | © ESET 2014-2018
signature-base | generic_anomalies.yar | description = "Detects uncommon file size of wininit.exe" | CC BY-NC 4.0
signature-base | generic_anomalies.yar | and filename == "wininit.exe" | CC BY-NC 4.0
signature-base | thor_inverse_matches.yar | description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe" | CC BY-NC 4.0
signature-base | thor_inverse_matches.yar | filename == "wininit.exe" | CC BY-NC 4.0
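As an added example (not part of the Strontic page, nor code from the Sigma or YARA projects cited above), the Python below applies the checks those rules express to Sysmon-style process-creation events: the image must be C:\Windows\System32\wininit.exe, its parent at creation time must be smss.exe, it must run as NT AUTHORITY\SYSTEM, and its SHA256 must be on an allow-list, here seeded only with the hash listed at the top of this page. Any path containing "wininit" outside that canonical location is also flagged, which covers the XDSpy %APPDATA%\WINinit\ directory. The event field names follow Sysmon Event ID 1, the three sample events are constructed for the example, and the one-entry allow-list is an assumption: a real deployment holds the hash of wininit.exe for every Windows build in the fleet.

```python
"""Triage of process-creation events that involve wininit.exe.

Added example; not code from the Strontic page or from the Sigma / YARA
projects it cites.  Field names mimic Sysmon Event ID 1 (Image,
ParentImage, User, Hashes).  Sample events below are constructed.
"""
import ntpath

# Assumption: only the 10.0.19041.1 hash from the page.  A fleet-wide
# allow-list would carry one entry per Windows build in use.
KNOWN_GOOD_SHA256 = {
    "69EEC502A5423F3E947465D3EAF8D1DF9CCB8477A27C361BE314E21671D71205",
}
EXPECTED_IMAGE = r"c:\windows\system32\wininit.exe"
EXPECTED_PARENT = "smss.exe"            # launches wininit.exe at boot
EXPECTED_USER = r"nt authority\system"  # wininit.exe always runs as SYSTEM


def sha256_from_hashes(field):
    """Pull the SHA256 value out of a Sysmon 'Hashes' field such as
    'MD5=...,SHA256=...,IMPHASH=...'.  Returns None if absent."""
    for part in field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().upper()
    return None


def triage_wininit_event(event):
    """Return a list of finding strings for one event; [] means nothing
    about this event contradicts how wininit.exe normally appears."""
    image = event.get("Image", "")
    low = image.lower()
    if "wininit" not in low:
        return []  # out of scope for this check

    findings = []
    # proc_creation_win_system_exe_anomaly / XDSpy-style path reuse:
    # anything named after wininit outside System32 is suspect.
    if low != EXPECTED_IMAGE:
        findings.append(f"path anomaly: {image}")

    # The remaining checks only make sense for a process actually
    # claiming to be wininit.exe.
    if ntpath.basename(low) == "wininit.exe":
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        if parent != EXPECTED_PARENT:  # proc_creation_win_proc_wrong_parent
            findings.append(f"unexpected parent: {parent or '<none>'}")

        user = event.get("User", "").lower()
        if user != EXPECTED_USER:
            findings.append(f"unexpected account: {event.get('User', '<none>')}")

        sha = sha256_from_hashes(event.get("Hashes", ""))
        if sha is not None and sha not in KNOWN_GOOD_SHA256:
            findings.append(f"sha256 not on allow-list: {sha}")
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # normal boot-time start as Sysmon records it
        "Image": r"C:\Windows\System32\wininit.exe",
        "ParentImage": r"C:\Windows\System32\smss.exe",
        "User": r"NT AUTHORITY\SYSTEM",
        "Hashes": "SHA256=69EEC502A5423F3E947465D3EAF8D1DF9CCB8477A27C361BE314E21671D71205",
    },
    {   # a file borrowing the name, launched by a user from Temp
        "Image": r"C:\Users\alice\AppData\Local\Temp\wininit.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"DESKTOP\alice",
        "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + "0" * 64,
    },
    {   # path shaped like the XDSpy indicator on this page
        "Image": r"C:\Users\alice\AppData\Roaming\WINinit\WINlogon.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": r"DESKTOP\alice",
        "Hashes": "SHA256=" + "1" * 64,
    },
]


def triage_all(events):
    """Map each event's Image to its findings."""
    return {e["Image"]: triage_wininit_event(e) for e in events}


if __name__ == "__main__":
    for img, result in triage_all(SAMPLE_EVENTS).items():
        print(img, "->", result or "ok")
```

A missing Hashes field produces no hash finding rather than a false alarm, since the event simply does not carry the evidence; the other three checks still fire, so a renamed dropper without hash telemetry is still caught by its path, parent, and account.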

MIT License. Copyright (c) 2020-2021 Strontic.