wininit.exe

  • File Path: C:\WINDOWS\system32\wininit.exe
  • Description: Windows Start-Up Application

Hashes

Type Hash
MD5 E83650F70459A027AA596E1A73C961A1
SHA1 E2FCAA6D84CD8F46ECEB25447836DE426EEC3330
SHA256 D5E122606054FA0B03DB3EE8CF9EA7701E523875E2BDB87581AD7232FFC9308E
SHA384 EB9DB6C6A1D53C6A071CEE438F2E190128F4426FDDE53B73FCE2256CBA2B1F057C845F6C544605E6669E57C14018E1CC
SHA512 101DF5FE27DC424342074A8AEC0D687A870FF851F4BF3C836742969D0D78D993C9F33E6EFF29DC36BEDE76C8C13C50A99F15116D436CE0520E4BC43336654642
SSDEEP 6144:yoGY/31o1XZpn3kJ0gc4FJiyA1ymp/uuDEKEZJBm5uvDXko3iJMzDru2k:yo3/31o1XZRyosxAwmp/cTZcUCMz22k

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WinInit.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of wininit.exe being misused. While wininit.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_lsass_dump_generic.yml - '\wininit.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\wininit.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml SourceImage: 'C:\Windows\system32\wininit.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml # - '\wininit.exe' DRL 1.0
sigma proc_creation_win_abusing_debug_privilege.yml - '\wininit.exe' DRL 1.0
sigma proc_creation_win_proc_wrong_parent.yml - '\wininit.exe' DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\wininit.exe' DRL 1.0
malware-ioc misp-xdspy-event.json "value": "%APPDATA%\\WINinit\\WINlogon.exe", © ESET 2014-2018
malware-ioc xdspy * ++%APPDATA%\WINinit\WINlogon.exe++``{:.highlight .language-cmhg} © ESET 2014-2018
signature-base generic_anomalies.yar description = “Detects uncommon file size of wininit.exe” CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == “wininit.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “wininit.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.