mspaint.exe
- File Path:
C:\Windows\system32\mspaint.exe - Description: Paint
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | F221A4CCAFEC690101C59F726C95B646 |
| SHA1 | 2098E4B62EAAB213CBEE73BA40FE4F1B8901A782 |
| SHA256 | 94AA32A2C9C1D2DB78318D9C68262C2F834ABE26B6E9A661700324B55FDD5709 |
| SHA384 | 6FD2D77003BE67C28A04BEDD9AFC3AE87A5467E9EA654B4BCE1C6A6A10FEDF2A87BD02A4227540EA87327D2CBC771A5A |
| SHA512 | 8E3F4E4F68565EF09F5E762D6BB41B160711BBACAC9DFCBE33EDEA9885FD042E6CE9A248BFCC62F9CFFDB8E6BBE1B04C89BD41FCD9A373A5C8BC7BBFF96DCEAF |
| SSDEEP | 12288:+iwNLXXh3V1mkVYCsOfxBmMQsriL+iOLr5EFUSWJs0kApWWFO3T+pVol0A64lG6i:bwNzn7Z9QCiyiOZE6eGp0+pml/lN9 |
| IMP | D90E4D192F94E7240C400DA8FC2154D7 |
| PESHA1 | 5225877E5903E7A67A35BAF63706F9F5045FF21C |
| PE256 | D7187B27C55A04C6026E3B7BD815A83514C9437382A9EFF51E9CCED563948D2E |
Runtime Data
Window Title:
Paint
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\MFC42u.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\mspaint.exe.mui | File |
| (R-D) C:\Windows\System32\en-US\UIRibbon.dll.mui | File |
| (R-D) C:\Windows\SystemResources\imageres.dll.mun | File |
| (R-D) C:\Windows\SystemResources\mspaint.exe.mun | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows\debug\WIA\wiatrace.log | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1320_none_91a11828cc8ae445 | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \BaseNamedObjects\RotHintTable | Section |
| \Sessions\1\Windows\Theme449731986 | Section |
| \Windows\Theme1396518710 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\SYSTEM32\apphelp.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\system32\mspaint.exe |
| C:\Windows\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: MSPAINT.EXE.MUI
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709/detection
Possible Misuse
The following table contains possible examples of mspaint.exe being misused. While mspaint.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_suspicious_remote_thread.yml | - '\mspaint.exe' |
DRL 1.0 |
| malware-ioc | nukesped_lazarus | .mspaint.exe (a 2009 file)``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
| malware-ioc | nukesped_lazarus | .mspaint.exe``{:.highlight .language-cmhg} |
© ESET 2014-2018 |
| signature-base | apt_codoso.yar | $s4 = “mspaint.exe” fullword ascii | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.