Majkel Skopniarz mblzk

View GitHub Profile
@mblzk
mblzk / README.md
Last active July 15, 2025 02:48
Proxying binary execution through write.exe

Write.exe is a wrapper binary for launching WordPad. Historically it launched Microsoft Write, a very basic word processor from the pre-2000 era, and it has been kept as a compatibility stub since Windows 95.

This binary checks the HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wordpad.exe registry key for the location of WordPad's executable; that key can be created by a regular, unprivileged user. This might be used to confuse detection or application-control solutions that rely on parent-child process relationships, since the resulting process is spawned as a child of the Windows-signed (signing level 12) write.exe.

If one controls a domain, it is possible to use UNC paths to run remote binaries without dropping them to disk. This requires additional steps to bypass the security prompt.
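The two observables the gist describes, a per-user `App Paths\wordpad.exe` value being written and write.exe spawning something other than the expected WordPad binary (possibly from a UNC path), are what a detection engineer would key on. The following is an added example, not code from the gist or its author: a small rule set run over constructed Sysmon-style events. The event field names (`parent_image`, `image`, `target_object`, `details`), the expected WordPad directories, and the `HKU\<SID>\...` rendering of the user hive are assumptions made for this example.

```python
"""Detection logic for write.exe being redirected via a per-user App Paths key.

Added example (not part of the gist). Events are constructed dicts that mimic
a Sysmon-style feed; field names are an assumption of this example.
"""
import ntpath

# Registry suffix under a user hive that the gist says a regular user can create.
APP_PATH_SUFFIX = r"\software\microsoft\windows\currentversion\app paths\wordpad.exe"

# Where a legitimate WordPad binary is expected to live (assumption; tune per environment).
EXPECTED_WORDPAD_DIRS = (
    r"C:\Program Files\Windows NT\Accessories",
    r"C:\Program Files (x86)\Windows NT\Accessories",
)

USER_HIVE_ALIASES = {"hkcu", "hkey_current_user"}
USERS_HIVE_ALIASES = {"hku", "hkey_users"}


def _norm_path(path: str) -> str:
    """Case-fold and normalise a Windows file path (works on any host via ntpath)."""
    return ntpath.normcase(ntpath.normpath(path))


def is_expected_wordpad(image: str) -> bool:
    """True if the image is wordpad.exe inside one of the expected directories."""
    n = _norm_path(image)
    expected_dirs = {_norm_path(d) for d in EXPECTED_WORDPAD_DIRS}
    return ntpath.basename(n) == "wordpad.exe" and ntpath.dirname(n) in expected_dirs


def is_user_hive_wordpad_app_path(target: str) -> bool:
    """True if a registry target is the per-user App Paths\\wordpad.exe key
    (or a value beneath it), written as HKCU\\... or HKU\\<SID>\\...."""
    t = ntpath.normcase(target)  # lower-case, forward slashes -> backslashes
    parts = t.split("\\", 2)
    head = parts[0]
    if head in USER_HIVE_ALIASES:
        rest = t[len(head):]
    elif head in USERS_HIVE_ALIASES and len(parts) == 3:
        rest = "\\" + parts[2]  # drop the SID component
    else:
        return False  # HKLM and other hives are out of scope for this rule
    return rest.startswith(APP_PATH_SUFFIX)


def analyze(events):
    """Return one finding per suspicious event, in input order."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "registry_set":
            if is_user_hive_wordpad_app_path(ev.get("target_object", "")):
                findings.append({"rule": "user_wordpad_app_path_set",
                                 "target": ev["target_object"],
                                 "value": ev.get("details", "")})
        elif kind == "process_create":
            parent = _norm_path(ev.get("parent_image", ""))
            image = ev.get("image", "")
            if ntpath.basename(parent) == "write.exe" and not is_expected_wordpad(image):
                findings.append({"rule": "write_exe_unexpected_child",
                                 "image": image,
                                 # UNC child: binary never touched local disk
                                 "unc": _norm_path(image).startswith("\\\\")})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Windows\System32\write.exe",
     "image": r"C:\Program Files\Windows NT\Accessories\wordpad.exe"},       # benign
    {"type": "registry_set",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows"
                      r"\CurrentVersion\App Paths\wordpad.exe\(Default)",
     "details": r"C:\Users\alice\AppData\Local\Temp\unsigned_tool.exe"},      # suspicious
    {"type": "process_create", "parent_image": r"C:\Windows\System32\write.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\unsigned_tool.exe"},        # suspicious
    {"type": "process_create", "parent_image": r"C:\Windows\write.exe",
     "image": r"\\fileserver\share\tool.exe"},                                # suspicious, UNC
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\unsigned_tool.exe"},        # not this rule's scope
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The registry rule is deliberately scoped to user hives because that is the override the gist describes as creatable without elevation; the process rule treats any write.exe child that is not the expected WordPad image as a finding and additionally marks UNC images, which cover the "without dropping to disk" case.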

tl;dr

I just want to run an exe