wininit.exe

  • File Path: C:\Windows\system32\wininit.exe
  • Description: Windows Start-Up Application

Hashes

  • MD5: F3828D75795D5AE4B2D8B828026A4EAA
  • SHA1: 96B04445102445682879C8F21E38A93A30E8F3FD
  • SHA256: 24A0E0ACE66AEB97D101DF232A571368C4068D9B46B9D3E9C22F8C10D0BE7DC4
  • SHA384: 93CA7B00E80D663DB9D2CA9D559107677B955FD926D553F3200F7EABCBAC12515AC3720851BED94B0B8DE549B8EE8AA6
  • SHA512: EF8DBBD5DD81FBB8E407E73110F84333DC8EA917EF8CA65DA3C7E4020EE4D8A2E501DB41477706310D0024D020AADC0FB84A3C8D09892EC9D9D9A575A01DE949
  • SSDEEP: 6144:K6Mbpa/pB4cYaJJnelWUCDb9D85yo5s2lGz4xsJOKPbr6+72fkkUpX15+JTFx:K6KpgBwaJJnu6Db9D8cMli43KHwlTX
  • IMP: 29BF951CEE3DF4431931570B2CCFF41D
  • PESHA1: 30EA6FDD235B9EC7D51DDF835D2654D8AE3A9995
  • PE256: 156EAD108A5BD3533B713A388FA66B2FA45B4D439FE75206C2227F29C4A7CADD

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WinInit.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/24a0e0ace66aeb97d101df232a571368c4068d9b46b9d3e9c22f8c10d0be7dc4/detection

Possible Misuse

The following table contains possible examples of wininit.exe being misused. While wininit.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | win_susp_lsass_dump_generic.yml | - '\wininit.exe' | DRL 1.0
sigma | file_event_win_creation_system_file.yml | - '\wininit.exe' | DRL 1.0
sigma | proc_access_win_cred_dump_lsass_access.yml | SourceImage: 'C:\Windows\system32\wininit.exe' | DRL 1.0
sigma | proc_access_win_cred_dump_lsass_access.yml | # - '\wininit.exe' | DRL 1.0
sigma | proc_creation_win_abusing_debug_privilege.yml | - '\wininit.exe' | DRL 1.0
sigma | proc_creation_win_proc_wrong_parent.yml | - '\wininit.exe' | DRL 1.0
sigma | proc_creation_win_system_exe_anomaly.yml | - '\wininit.exe' | DRL 1.0
malware-ioc | misp-xdspy-event.json | "value": "%APPDATA%\\WINinit\\WINlogon.exe", | © ESET 2014-2018
malware-ioc | xdspy | * ++%APPDATA%\WINinit\WINlogon.exe++ | © ESET 2014-2018
signature-base | generic_anomalies.yar | description = "Detects uncommon file size of wininit.exe" | CC BY-NC 4.0
signature-base | generic_anomalies.yar | and filename == "wininit.exe" | CC BY-NC 4.0
signature-base | thor_inverse_matches.yar | description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe" | CC BY-NC 4.0
signature-base | thor_inverse_matches.yar | filename == "wininit.exe" | CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.