mspaint.exe

  • File Path: C:\Windows\system32\mspaint.exe
  • Description: Paint

Runtime Data

Window Title:

Paint

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\MFC42u.dll.mui File
(R-D) C:\Windows\System32\en-US\mspaint.exe.mui File
(R-D) C:\Windows\System32\en-US\UIRibbon.dll.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\SystemResources\mspaint.exe.mun File
(RW-) C:\Users\user File
(RW-) C:\Windows\debug\WIA\wiatrace.log File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1320_none_91a11828cc8ae445 File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\RotHintTable Section
\Sessions\1\Windows\Theme449731986 Section
\Windows\Theme1396518710 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\apphelp.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\system32\mspaint.exe
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: MSPAINT.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709/detection

Possible Misuse

The following table contains possible examples of mspaint.exe being misused. While mspaint.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | sysmon_suspicious_remote_thread.yml | - '\mspaint.exe' | DRL 1.0 |
| malware-ioc | nukesped_lazarus | .mspaint.exe (a 2009 file) | © ESET 2014-2018 |
| malware-ioc | nukesped_lazarus | .mspaint.exe | © ESET 2014-2018 |
| signature-base | apt_codoso.yar | $s4 = "mspaint.exe" fullword ascii | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.