SHA256: 538fe1012fedc72727a8de0c2c01944b3d35c29812ecef88e95aac07235e0b0b
File name: userinit.exe
Detection ratio: 0 / 54
Analysis date: 2015-06-24 08:27:21 UTC ( 2 years, 4 months ago )
Trusted source! This file belongs to the Microsoft Corporation software catalogue.
Antivirus Result Update
ALYac 20150623
AVG 20150623
AVware 20150623
Ad-Aware 20150623
AegisLab 20150623
Yandex 20150623
AhnLab-V3 20150623
Alibaba 20150623
Antiy-AVL 20150623
Arcabit 20150623
Avast 20150623
Avira (no cloud) 20150623
Baidu-International 20150623
BitDefender 20150623
Bkav 20150623
ByteHero 20150624
CAT-QuickHeal 20150623
ClamAV 20150623
Comodo 20150623
Cyren 20150623
DrWeb 20150623
ESET-NOD32 20150623
Emsisoft 20150623
F-Prot 20150622
Fortinet 20150624
GData 20150623
Ikarus 20150623
Jiangmin 20150620
K7AntiVirus 20150624
K7GW 20150623
Kaspersky 20150623
Kingsoft 20150624
Malwarebytes 20150624
McAfee 20150623
McAfee-GW-Edition 20150623
eScan 20150623
Microsoft 20150623
NANO-Antivirus 20150623
Panda 20150623
Qihoo-360 20150624
Rising 20150623
SUPERAntiSpyware 20150623
Sophos AV 20150624
Symantec 20150623
Tencent 20150624
TheHacker 20150622
TrendMicro 20150623
TrendMicro-HouseCall 20150623
VBA32 20150622
VIPRE 20150623
ViRobot 20150623
Zillya 20150624
Zoner 20150624
nProtect 20150623
The file being studied is a Portable Executable file! More specifically, it is a Win32 EXE file for the Windows GUI subsystem.
Authenticode signature block and FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name USERINIT.EXE
Internal name userinit
File version 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Description Userinit Logon Application
Signature verification Signed file, verified signature
Signing date 8:37 PM 11/20/2010
Signers
Microsoft Windows
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Windows Verification PCA
Valid from 10:57 PM 12/7/2009
Valid to 10:57 PM 3/7/2011
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4
Serial number 61 15 23 0F 00 00 00 00 00 0A
Microsoft Windows Verification PCA
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Root Certificate Authority
Valid from 10:55 PM 9/15/2005
Valid to 11:05 PM 3/15/2016
Valid usage Code Signing, NT5 Crypto
Algorithm sha1RSA
Thumbprint 5DF0D7571B0780783960C68B78571FFD7EDAF021
Serial number 61 07 02 DC 00 00 00 00 00 0B
Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
Counter signers
Microsoft Time-Stamp Service
Status This certificate or one of the certificates in the certificate chain is not time valid.
Issuer Microsoft Time-Stamp PCA
Valid from 8:12 PM 7/25/2008
Valid to 8:22 PM 7/25/2011
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 56E832A33DDC8CF2C916DA7CBB1175CBACABAE2C
Serial number 61 03 DC F6 00 00 00 00 00 0C
Microsoft Time-Stamp PCA
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 1:53 PM 4/3/2007
Valid to 2:03 PM 4/3/2021
Valid usage Timestamp Signing
Algorithm sha1RSA
Thumbprint 375FCB825C3DC3752A02E34EB70993B4997191EF
Serial number 61 16 68 34 00 00 00 00 00 1C
Microsoft Root Certificate Authority
Status Valid
Issuer Microsoft Root Certificate Authority
Valid from 12:19 AM 5/10/2001
Valid to 12:28 AM 5/10/2021
Valid usage All
Algorithm sha1RSA
Thumbprint CDD4EEAE6000AC7F40C3802C171E30148030C072
Serial number 79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2010-11-20 09:26:16
Entry Point 0x00002BE9
Number of sections 4
PE sections
PE imports
RegCreateKeyExW
RegCloseKey
RegSetValueExW
RegQueryInfoKeyW
RegDeleteTreeW
RegOpenKeyExW
RegQueryValueExW
GetCurrentProcess
OpenProcessToken
CreateThread
SetThreadPriority
CreateProcessW
GetCurrentThread
GetLastError
GetUserDefaultLangID
RegQueryValueExA
LoadLibraryW
WaitForSingleObject
GetVersionExW
SetEvent
QueryPerformanceCounter
LocalAlloc
GetTickCount
LoadLibraryA
lstrlenW
FreeLibrary
HeapSetInformation
GetStartupInfoA
LoadLibraryExA
CompareFileTime
GetCurrentProcessId
DelayLoadFailureHook
UnhandledExceptionFilter
RegOpenKeyExA
GetProcAddress
InterlockedCompareExchange
ExpandEnvironmentStringsW
SetEnvironmentVariableW
GetModuleHandleA
GetSystemDirectoryW
InterlockedExchange
SetUnhandledExceptionFilter
CloseHandle
GetSystemTimeAsFileTime
ExpandEnvironmentStringsA
GetFileAttributesExW
LocalFree
FormatMessageW
TerminateProcess
SearchPathW
SetCurrentDirectoryW
OpenEventW
Sleep
GetCurrentThreadId
GetEnvironmentVariableW
SetLastError
GetSystemMetrics
MessageBoxW
LoadRemoteFonts
GetKeyboardLayout
RegisterClassExW
DefWindowProcW
LoadStringW
CreateWindowExW
SystemParametersInfoW
CharNextW
ExitWindowsEx
DestroyWindow
Ord(175)
_cexit
_acmdln
_wcsicmp
_ismbblead
memmove
__p__commode
memset
__setusermatherr
__p__fmode
?terminate@@YAXXZ
_except_handler4_common
_amsg_exit
exit
_XcptFilter
__getmainargs
_initterm
_exit
_controlfp
_vsnwprintf
__set_app_type
NtOpenKey
DbgPrint
RtlInitUnicodeString
NtClose
Number of PE resources by type
RT_MANIFEST 1
MUI 1
RT_VERSION 1
Number of PE resources by language
ENGLISH US 3
PE resources
Debug information
ExifTool file metadata
SubsystemVersion 6.1
LinkerVersion 9.0
ImageVersion 6.1
FileSubtype 0
FileVersionNumber 6.1.7601.17514
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 5120
EntryPoint 0x2be9
OriginalFileName USERINIT.EXE
MIMEType application/octet-stream
LegalCopyright Microsoft Corporation. All rights reserved.
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
TimeStamp 2010:11:20 10:26:16+01:00
FileType Win32 EXE
PEType PE32
InternalName userinit
ProductVersion 6.1.7601.17514
FileDescription Userinit Logon Application
OSVersion 6.1
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 20480
ProductName Microsoft Windows Operating System
ProductVersionNumber 6.1.7601.17514
FileTypeExtension exe
ObjectFileType Executable application

Overlay parents
Compressed bundles
File identification
MD5 61ac3efdfacfdd3f0f11dd4fd4044223
SHA1 211295ccda6cf6409189279bf66a212bd53fc650
SHA256 538fe1012fedc72727a8de0c2c01944b3d35c29812ecef88e95aac07235e0b0b
ssdeep 384:dxAeSOCguz8sfE4XslZzN5hbFJ5K6gUf6mgKWjwtdeKpuZPFa3mWVPymW49TU:LCJD8lZZ5hbFJILcve34Ep
authentihash 4f7d90371787731adf4780ce4841be09d592d8a193570c6f15b28160c27fc2aa
imphash da2666d3347f129193ab91a0eab85c0c
File size 26.0 KB ( 26624 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (67.4%)
Win32 Dynamic Link Library (generic) (14.2%)
Win32 Executable (generic) (9.7%)
Generic Win/DOS Executable (4.3%)
DOS Executable Generic (4.3%)
Tags peexe signed trusted via-tor
Trusted verdicts
This file belongs to the Microsoft Corporation software catalogue. The file is often found with userinit.exe as its name.
VirusTotal metadata
First submission 2011-02-20 17:55:12 UTC ( 6 years, 8 months ago )
Last submission 2017-10-23 18:08:27 UTC ( 6 hours, 31 minutes ago )
File names tmpe41ddfb53b37deb6
tmp3c280abe517a7505
userinit[162500].exe
0efa5815889942ec22e9cef122fc6e9bea5bb66f.exe
tmpce154e86847c4971
tmpf1bf42233506e314
tmpa2c52d80d8fe5a92
tmpf5c4caa5d9fff428
tmpc1a9c8cef986accb
a945ca7b256497439d103f3292ca4878.tmp
b6d2fab279b3fd459bff46ed62af7a03.tmp
tmpfe719454c56bea27
538fe1012fedc727_userinit.exe
4b84531988742f478ae76de4a6c6308b.tmp
tmp3796b64cf0ccbaa4
tmpd4a9472d4946ff9b
tmp829b2b876b984b51
userinit.exe.vir
tmp4b63f17e91d91cfd
tmp6c7a84b74709da42
tmp700358e37c1f963b
userinit
255823e101818f4e93baffa66c8d9150.tmp
tmp288d228348e9b244
ab80a0b89ca932f999485533122c47e9106556c3.exe
Advanced heuristic and reputation engines
Symantec reputation Suspicious.Insight