mspaint.exe

  • File Path: C:\windows\SysWOW64\mspaint.exe
  • Description: Paint

Hashes

Type Hash
MD5 1B84FBA247447BBF80A0883495823263
SHA1 4D09036662186692F40C47536D6BABAE93B018B2
SHA256 7E1DC886AF729071FC931C631815EC6CE25BEE7E58E775055D60F728F9B62AED
SHA384 6EA0C461DFA5EEC96442AD8FD7D91F336B7CA14B667BFBD96D583A5CD1DB7597C74A4B65B92753D3A262EAF8038A3098
SHA512 AFC5C1044422D0F95C71109A66B230A8D9A37877ECE5DA76FBEC5E6545D069D2C3619BCC86EC870BB88C05C82CA324317F7B1CBBB6C1FBB018A2749F1E8A132A
SSDEEP 98304:1MzALu9+2u7InCEE+wysPM4mlaw0LI60GBGrGrGWAuU7jPLQ:1gALu9+6nTE+wBMHlaw0/U7jPL

Signature

  • Status: The file C:\windows\SysWOW64\mspaint.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial:
  • Thumbprint:
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: MSPAINT.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

| File | Score |
|------|-------|
| C:\windows\system32\mspaint.exe | 86 |
| C:\Windows\system32\mspaint.exe | 68 |
| C:\Windows\system32\mspaint.exe | 90 |
| C:\Windows\SysWOW64\mspaint.exe | 66 |
| C:\Windows\SysWOW64\mspaint.exe | 88 |

Possible Misuse

The following table contains possible examples of mspaint.exe being misused. While mspaint.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | sysmon_suspicious_remote_thread.yml | `- '\mspaint.exe'` | DRL 1.0 |
| malware-ioc | nukesped_lazarus | `.mspaint.exe (a 2009 file)` | © ESET 2014-2018 |
| malware-ioc | nukesped_lazarus | `.mspaint.exe` | © ESET 2014-2018 |
| signature-base | apt_codoso.yar | `$s4 = "mspaint.exe" fullword ascii` | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.