wordpad.exe

  • File Path: C:\Program Files\Windows NT\Accessories\wordpad.exe
  • Description: Windows Wordpad Application

Hashes

Type Hash
MD5 DF75D2712714593DA00E662055A46EF1
SHA1 C4B266E8A7B25411A611B1B3D3EF5FBDABED1BCD
SHA256 59B86C305D6AB3867B4F7099438DBFD2EF9F9662323628E2473AF153E503F8F0
SHA384 961148C3E435DB2EAFF76E95FAD38CCD415798510A2159F472C9EF50B9831CB704DA8283787E5A93EEEE84370CC160EA
SHA512 C98E1DCC72FBF03B7A4BCD62249690FD20BE40421825CC61A87D89D46D59B6A0513C6BCC4ACAA219BAA29FCA7003B6E90EC7E454E5B44B50EA1497F4704CD82D
SSDEEP 24576:wYDp09QRTnY06ytJZuQPqJdnv+92FxvNEYr8oSUGeP9PDkjjqXv:wYDLTn8QPMdn3xvWCXSZeP9PDk3Y
IMP 4B18F11C110D1DD2C4E466B8EDBCEEB7
PESHA1 DE7F518700F5349126EEA244002A22A1E7233D1D
PE256 AA1FF5045535B65C8AC1296E6D4D14D5EE211E65C846822F08594F6212DE7EF1

Runtime Data

Window Title:

Document - WordPad

Open Handles:

Path Type
(R--) C:\Windows\System32\spool\V4Dirs\25449FF2-CC50-42EB-8319-2CF5834CA6EA\94766af2.BUD File
(R-D) C:\Program Files\Windows NT\Accessories\en-US\wordpad.exe.mui File
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\MFC42u.dll.mui File
(R-D) C:\Windows\System32\en-US\UIRibbon.dll.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(RW-) C:\Users\user\Documents File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.508_none_faefa4f37613d18e File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\BaseNamedObjects\b2cHWNDInterface:2c043a Section
\Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\Windows\Theme64749523 Section
\Windows\Theme1120315852 Section

Loaded Modules:

Path
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Windows\SYSTEM32\AcGenral.dll
C:\Windows\System32\ADVAPI32.dll
C:\Windows\SYSTEM32\apphelp.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\COMDLG32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\MFC42u.dll
C:\Windows\SYSTEM32\MPR.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\SYSTEM32\SspiCli.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\SYSTEM32\USERENV.dll
C:\Windows\System32\win32u.dll
C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21\COMCTL32.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WORDPAD.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/59b86c305d6ab3867b4f7099438dbfd2ef9f9662323628e2473af153e503f8f0/detection/

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe 61
C:\Program Files\Windows NT\Accessories\wordpad.exe 57
C:\program files\Windows NT\Accessories\wordpad.exe 77

Possible Misuse

The following table contains possible examples of wordpad.exe being misused. While wordpad.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_ransom_blackbyte.yml - ' do start wordpad.exe /p ' DRL 1.0
atomic-red-team T1059.003.md This test attempts to open a file a specified number of times in Wordpad, then prints the contents. MIT License. © 2018 Red Canary
atomic-red-team T1059.003.md It is designed to mimic BlackByte ransomware’s print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. MIT License. © 2018 Red Canary
atomic-red-team T1059.003.md | file_to_print | File to be opened/printed by Wordpad. | String | $env:temp\T1059_003note.txt| MIT License. © 2018 Red Canary
atomic-red-team T1059.003.md | max_to_print | The maximum number of Wordpad windows the test will open/print. | String | 75| MIT License. © 2018 Red Canary
atomic-red-team T1059.003.md cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null MIT License. © 2018 Red Canary
atomic-red-team T1059.003.md stop-process -name wordpad -force -erroraction silentlycontinue MIT License. © 2018 Red Canary
signature-base apt_winnti_burning_umbrella.yar $s1 = "Wordpad.Document.1\shell\open\command\" fullword wide CC BY-NC 4.0
signature-base thor-hacktools.yar $s3 = "Accessories\wordpad.exe" fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.