mspaint.exe
- File Path:
C:\Windows\SysWOW64\mspaint.exe - Description: Paint
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 986A191E95952C9E3FE6BE112FB92026 |
| SHA1 | 1E2A48F1088CA5AB78617A7EEB8AA5F62ABD4846 |
| SHA256 | 8BD3C3D2A3E6285D004AFD50262D80939FA588B39C5ECB404D12D364216E73B2 |
| SHA384 | 05DCA8E9021857F4AC731191D0DDEE1972DB016DFDAE6914FF91F783D211ABAB02287C883C054ADFC76E5F88DBE8ADBF |
| SHA512 | 044294049FED0C5165D2C204D4DFEF8DDC65CBC872D499531A2D4F179E3AE2345142510FFC9C12C32E0C316EAC3250D60B0B316A74A3D7D31B0A9699DC8529F7 |
| SSDEEP | 12288:fk4MXNLmDguv3NU+5cqI648Hd+qKoN26/XtqG/OqNj+mJ5Fw9qF6fDKog0+QLkR:6XNLmDguF7/4899KoN2OqG/5j15Fw9qb |
| IMP | 056D9B704775F8E465E0485902904B4E |
| PESHA1 | 85074F0F9492693754DD9882E6B6D4F7C36AB048 |
| PE256 | 7D7F56CFA17592E07016FA0FD7A6568BB5F3E45709A711C29D910087B56889A9 |
Runtime Data
Window Title:
Paint
Open Handles:
| Path | Type |
|---|---|
| (R–) C:\Users\user--help | File |
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\MFC42u.dll.mui | File |
| (R-D) C:\Windows\SystemResources\imageres.dll.mun | File |
| (R-D) C:\Windows\SystemResources\mspaint.exe.mun | File |
| (R-D) C:\Windows\SysWOW64\en-US\mspaint.exe.mui | File |
| (R-D) C:\Windows\SysWOW64\en-US\UIRibbon.dll.mui | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows | File |
| (RW-) C:\Windows\debug\WIA\wiatrace.log | File |
| (RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 | File |
| (RW-) C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.685_none_4299dbb28a92ae3e | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \BaseNamedObjects\RotHintTable | Section |
| \Sessions\1\Windows\Theme1175649999 | Section |
| \Windows\Theme601709542 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
| C:\Windows\SysWOW64\mspaint.exe |
Signature
- Status: Signature verified.
- Serial:
330000023241FB59996DCC4DFF000000000232 - Thumbprint:
FF82BC38E1DA5E596DF374C53E3617F7EDA36B06 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: MSPAINT.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/8bd3c3d2a3e6285d004afd50262d80939fa588b39c5ecb404d12d364216e73b2/detection
Possible Misuse
The following table contains possible examples of mspaint.exe being misused. While mspaint.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_suspicious_remote_thread.yml | - '\mspaint.exe' |
DRL 1.0 |
| malware-ioc | nukesped_lazarus | .mspaint.exe (a 2009 file)``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
| malware-ioc | nukesped_lazarus | .mspaint.exe``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
| signature-base | apt_codoso.yar | $s4 = “mspaint.exe” fullword ascii | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.