vidar | 4bb964855888aa340c675533ded2b0d524c0817378f05d47f627c6756aa017a2

Analysis

max time kernel
208s
max time network
308s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

npp.8.4.7.Installer.x64/npp.8.4.7.Installer.x64.exe
Size

555.0MB
MD5

4d556911a3a2c22dbd35f381ed7d9dbb
SHA1

9439c5dc5dab13d38c279454d5a16e580599700a
SHA256

7f9202f5ee95364f2df5bbc6563548667f314678f0561eb052524d5103ec4b00
SHA512

f8c275a1839ec498eeaaa8f59ad394ba860474bf4a3e7cc581713e6be4bf13c69acfef921a4b878bad1d49eee22f5cac89aeab3341fdb28349dee2508544f612
SSDEEP

3072:DJ6pgZGjXpoGoByXPQs2UTXQ8yb7aFcqiSIvF68KJ9oEZqc:DJOgZGbpYByPT7lyvIcTSIvF68KIc

Score

10^/10

vidar 1340 discovery persistence spyware stealer

Malware Config

Extracted

Family

vidar

Version

55.8

Botnet

1340

https://t.me/headshotsonly

https://steamcommunity.com/profiles/76561199436777531

Attributes

profile_id
1340

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Executes dropped EXE 4 IoCs

Processes:

Obzuaolnpp.8.4.7.installer.x64.exenotepad++.exenotepad++.exegup.exe

pid process

1208 Obzuaolnpp.8.4.7.installer.x64.exe
740 notepad++.exe
1852 notepad++.exe
240 gup.exe

pid	process
1208	Obzuaolnpp.8.4.7.installer.x64.exe
740	notepad++.exe
1852	notepad++.exe
240	gup.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InprocServer32\ = "C:\\Program Files\\Notepad++\\NppShell_06.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InprocServer32	regsvr32.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

856 cmd.exe

pid	process
856	cmd.exe

Loads dropped DLL 32 IoCs

Processes:

npp.8.4.7.Installer.x64.exeObzuaolnpp.8.4.7.installer.x64.exenpp.8.4.7.Installer.x64.exenpp.8.4.7.Installer.x64.exeregsvr32.exeregsvr32.exeexplorer.exenotepad++.exegup.exe

pid	process
1916	npp.8.4.7.Installer.x64.exe
1208	Obzuaolnpp.8.4.7.installer.x64.exe
1208	Obzuaolnpp.8.4.7.installer.x64.exe
1964	npp.8.4.7.Installer.x64.exe
1964	npp.8.4.7.Installer.x64.exe
1504	npp.8.4.7.Installer.x64.exe
1504	npp.8.4.7.Installer.x64.exe
1208	Obzuaolnpp.8.4.7.installer.x64.exe
1208	Obzuaolnpp.8.4.7.installer.x64.exe
1208	Obzuaolnpp.8.4.7.installer.x64.exe
1208	Obzuaolnpp.8.4.7.installer.x64.exe
1208	Obzuaolnpp.8.4.7.installer.x64.exe
892	regsvr32.exe
1016	regsvr32.exe
1528	explorer.exe
740	notepad++.exe
240	gup.exe
740	notepad++.exe
740	notepad++.exe
740	notepad++.exe
740	notepad++.exe
740	notepad++.exe
740	notepad++.exe
740	notepad++.exe
740	notepad++.exe
740	notepad++.exe
740	notepad++.exe
740	notepad++.exe
740	notepad++.exe
1188
1188
1188

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

npp.8.4.7.Installer.x64.exenpp.8.4.7.Installer.x64.exe

description	pid	process	target process
PID 1916 set thread context of 1964	1916	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1576 set thread context of 1504	1576	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe

Drops file in Program Files directory 64 IoCs

Processes:

Obzuaolnpp.8.4.7.installer.x64.exe

description	ioc	process
File created	C:\Program Files\Notepad++\autoCompletion\cmake.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\asm.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\perl.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\inno.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\LICENSE	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\readme.txt	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\themes\vim Dark Blue.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\themes\HotFudgeSundae.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\sql.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\cobol.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\fortran.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\updater\README.md	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\themes\DansLeRuSH-Dark.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\c.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\bash.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Choco.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Mono Industrial.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Twilight.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\css.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\batch.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\ini.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\krl.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\sinumerik.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\localization\english.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\html.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\python.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\coffee.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\cpp.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\haskell.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\vhdl.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\updater\updater.ico	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Solarized.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\php.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\actionscript.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Plastic Code Wrap.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\javascript.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\BaanC.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\ada.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\overrideMap.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\themes\khaki.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\perl.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Solarized-light.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\rust.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\autoit.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\updater\GUP.exe	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\uninstall.exe	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\cs.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\cs.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\stylers.model.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\lisp.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\updater\libcurl.dll	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\vhdl.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\java.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\sql.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\shortcuts.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Zenburn.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\cpp.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\typescript.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\lua.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\functionList\baanc.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\themes\Bespin.xml	Obzuaolnpp.8.4.7.installer.x64.exe
File created	C:\Program Files\Notepad++\autoCompletion\tex.xml	Obzuaolnpp.8.4.7.installer.x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

npp.8.4.7.Installer.x64.exenpp.8.4.7.Installer.x64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	npp.8.4.7.Installer.x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	npp.8.4.7.Installer.x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	npp.8.4.7.Installer.x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	npp.8.4.7.Installer.x64.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

360 timeout.exe
2020 timeout.exe

pid	process
360	timeout.exe
2020	timeout.exe

Modifies registry class 14 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InprocServer32\ = "C:\\Program Files\\Notepad++\\NppShell_06.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\Settings\Path = "C:\\Program Files\\Notepad++\\notepad++.exe"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\Settings	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\Settings\Title = "Edit with &Notepad++"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\Settings\Dynamic = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ANotepad++64	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\Settings\Maxtext = "25"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ANotepad++64\ = "{B298D29A-A6ED-11DE-BA8C-A68E55D89593}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\ = "ANotepad++64"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\Settings\Custom	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B298D29A-A6ED-11DE-BA8C-A68E55D89593}\Settings\ShowIcon = "1"	regsvr32.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

npp.8.4.7.Installer.x64.exenpp.8.4.7.Installer.x64.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	npp.8.4.7.Installer.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	npp.8.4.7.Installer.x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	npp.8.4.7.Installer.x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	npp.8.4.7.Installer.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	npp.8.4.7.Installer.x64.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exenpp.8.4.7.Installer.x64.exenpp.8.4.7.Installer.x64.exe

pid process

1492 powershell.exe
884 powershell.exe
1964 npp.8.4.7.Installer.x64.exe
1504 npp.8.4.7.Installer.x64.exe

pid	process
1492	powershell.exe
884	powershell.exe
1964	npp.8.4.7.Installer.x64.exe
1504	npp.8.4.7.Installer.x64.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

npp.8.4.7.Installer.x64.exepowershell.exenpp.8.4.7.Installer.x64.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1916	npp.8.4.7.Installer.x64.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1576	npp.8.4.7.Installer.x64.exe
Token: SeDebugPrivilege	884	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

gup.exenotepad++.exe

pid process

240 gup.exe
740 notepad++.exe

pid	process
240	gup.exe
740	notepad++.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

npp.8.4.7.Installer.x64.exenpp.8.4.7.Installer.x64.exenpp.8.4.7.Installer.x64.execmd.exenpp.8.4.7.Installer.x64.execmd.exeObzuaolnpp.8.4.7.installer.x64.exe

description	pid	process	target process
PID 1916 wrote to memory of 1492	1916	npp.8.4.7.Installer.x64.exe	powershell.exe
PID 1916 wrote to memory of 1492	1916	npp.8.4.7.Installer.x64.exe	powershell.exe
PID 1916 wrote to memory of 1492	1916	npp.8.4.7.Installer.x64.exe	powershell.exe
PID 1916 wrote to memory of 1492	1916	npp.8.4.7.Installer.x64.exe	powershell.exe
PID 1916 wrote to memory of 1208	1916	npp.8.4.7.Installer.x64.exe	Obzuaolnpp.8.4.7.installer.x64.exe
PID 1916 wrote to memory of 1208	1916	npp.8.4.7.Installer.x64.exe	Obzuaolnpp.8.4.7.installer.x64.exe
PID 1916 wrote to memory of 1208	1916	npp.8.4.7.Installer.x64.exe	Obzuaolnpp.8.4.7.installer.x64.exe
PID 1916 wrote to memory of 1208	1916	npp.8.4.7.Installer.x64.exe	Obzuaolnpp.8.4.7.installer.x64.exe
PID 1916 wrote to memory of 1208	1916	npp.8.4.7.Installer.x64.exe	Obzuaolnpp.8.4.7.installer.x64.exe
PID 1916 wrote to memory of 1208	1916	npp.8.4.7.Installer.x64.exe	Obzuaolnpp.8.4.7.installer.x64.exe
PID 1916 wrote to memory of 1208	1916	npp.8.4.7.Installer.x64.exe	Obzuaolnpp.8.4.7.installer.x64.exe
PID 1916 wrote to memory of 1964	1916	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1916 wrote to memory of 1964	1916	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1916 wrote to memory of 1964	1916	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1916 wrote to memory of 1964	1916	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1916 wrote to memory of 1964	1916	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1916 wrote to memory of 1964	1916	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1916 wrote to memory of 1964	1916	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1916 wrote to memory of 1964	1916	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1916 wrote to memory of 1964	1916	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1916 wrote to memory of 1964	1916	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1916 wrote to memory of 1964	1916	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1916 wrote to memory of 1964	1916	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1916 wrote to memory of 1964	1916	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1576 wrote to memory of 884	1576	npp.8.4.7.Installer.x64.exe	powershell.exe
PID 1576 wrote to memory of 884	1576	npp.8.4.7.Installer.x64.exe	powershell.exe
PID 1576 wrote to memory of 884	1576	npp.8.4.7.Installer.x64.exe	powershell.exe
PID 1576 wrote to memory of 884	1576	npp.8.4.7.Installer.x64.exe	powershell.exe
PID 1576 wrote to memory of 1504	1576	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1576 wrote to memory of 1504	1576	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1576 wrote to memory of 1504	1576	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1576 wrote to memory of 1504	1576	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1576 wrote to memory of 1504	1576	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1576 wrote to memory of 1504	1576	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1576 wrote to memory of 1504	1576	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1576 wrote to memory of 1504	1576	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1576 wrote to memory of 1504	1576	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1576 wrote to memory of 1504	1576	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1576 wrote to memory of 1504	1576	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1576 wrote to memory of 1504	1576	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1576 wrote to memory of 1504	1576	npp.8.4.7.Installer.x64.exe	npp.8.4.7.Installer.x64.exe
PID 1964 wrote to memory of 856	1964	npp.8.4.7.Installer.x64.exe	cmd.exe
PID 1964 wrote to memory of 856	1964	npp.8.4.7.Installer.x64.exe	cmd.exe
PID 1964 wrote to memory of 856	1964	npp.8.4.7.Installer.x64.exe	cmd.exe
PID 1964 wrote to memory of 856	1964	npp.8.4.7.Installer.x64.exe	cmd.exe
PID 856 wrote to memory of 360	856	cmd.exe	timeout.exe
PID 856 wrote to memory of 360	856	cmd.exe	timeout.exe
PID 856 wrote to memory of 360	856	cmd.exe	timeout.exe
PID 856 wrote to memory of 360	856	cmd.exe	timeout.exe
PID 1504 wrote to memory of 1576	1504	npp.8.4.7.Installer.x64.exe	cmd.exe
PID 1504 wrote to memory of 1576	1504	npp.8.4.7.Installer.x64.exe	cmd.exe
PID 1504 wrote to memory of 1576	1504	npp.8.4.7.Installer.x64.exe	cmd.exe
PID 1504 wrote to memory of 1576	1504	npp.8.4.7.Installer.x64.exe	cmd.exe
PID 1576 wrote to memory of 2020	1576	cmd.exe	timeout.exe
PID 1576 wrote to memory of 2020	1576	cmd.exe	timeout.exe
PID 1576 wrote to memory of 2020	1576	cmd.exe	timeout.exe
PID 1576 wrote to memory of 2020	1576	cmd.exe	timeout.exe
PID 1208 wrote to memory of 892	1208	Obzuaolnpp.8.4.7.installer.x64.exe	regsvr32.exe
PID 1208 wrote to memory of 892	1208	Obzuaolnpp.8.4.7.installer.x64.exe	regsvr32.exe
PID 1208 wrote to memory of 892	1208	Obzuaolnpp.8.4.7.installer.x64.exe	regsvr32.exe
PID 1208 wrote to memory of 892	1208	Obzuaolnpp.8.4.7.installer.x64.exe	regsvr32.exe
PID 1208 wrote to memory of 892	1208	Obzuaolnpp.8.4.7.installer.x64.exe	regsvr32.exe
PID 1208 wrote to memory of 892	1208	Obzuaolnpp.8.4.7.installer.x64.exe	regsvr32.exe
PID 1208 wrote to memory of 892	1208	Obzuaolnpp.8.4.7.installer.x64.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64\npp.8.4.7.Installer.x64.exe
"C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64\npp.8.4.7.Installer.x64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Users\Admin\AppData\Local\Temp\Obzuaolnpp.8.4.7.installer.x64.exe
"C:\Users\Admin\AppData\Local\Temp\Obzuaolnpp.8.4.7.installer.x64.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files\Notepad++\NppShell_06.dll"
3⤵
- Loads dropped DLL
PID:892

C:\Windows\system32\regsvr32.exe
/s "C:\Program Files\Notepad++\NppShell_06.dll"
4⤵
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1016

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" "C:\Program Files\Notepad++\notepad++.exe"
3⤵
PID:680

C:\Program Files\Notepad++\notepad++.exe
"C:\Program Files\Notepad++\notepad++.exe" "C:\Program Files\Notepad++\change.log"
3⤵
- Executes dropped EXE
PID:1852

C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64\npp.8.4.7.Installer.x64.exe
C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64\npp.8.4.7.Installer.x64.exe
2⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64\npp.8.4.7.Installer.x64.exe" & exit
3⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:360

C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64\npp.8.4.7.Installer.x64.exe
"C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64\npp.8.4.7.Installer.x64.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64\npp.8.4.7.Installer.x64.exe
C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64\npp.8.4.7.Installer.x64.exe
2⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64\npp.8.4.7.Installer.x64.exe" & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
4⤵
- Delays execution with timeout.exe
PID:2020

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Loads dropped DLL
PID:1528

C:\Program Files\Notepad++\notepad++.exe
"C:\Program Files\Notepad++\notepad++.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:740

C:\Program Files\Notepad++\updater\gup.exe
"C:\Program Files\Notepad++\updater\gup.exe" -v8.47 -px64
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Notepad++\NppShell_06.dll
Filesize
227KB

MD5
141243d6f3972705b1dfe1bdc1530a0b

SHA1
9f8789e29ac08dbc71f28e570e276d57405e0bb8

SHA256
d7c9325808d55aff774dfc6ea46669b59517905d37e0f6506cb6c94354cfe92b

SHA512
d35dcb9f17eb0d4cb4557809782195932cfb1f94d29bccbdaf49f7dd2b37919b0d49008d83a15d4c6015639b0487e989fd2d47408d4bbb63a8fbf54211b5c9c4

Download Submit
C:\Program Files\Notepad++\langs.model.xml
Filesize
342KB

MD5
d4b0036fac21d5b9a032225a6ed009f8

SHA1
1563576664c4642a1de17972cfc53a0cb37d7971

SHA256
1da37af2523f81c1b501d5c99b32029ad0b8a233de99ffd10858f27dc66f095c

SHA512
8b7e1991e37ce49d6483950a06f6091f76ad2836d11c0f3ecd8c1059dca0838ce270eff4dcaa1c1ef106f87bd13dc9f4830fd57a709628702dcf5961fc1f9160

Download Submit
C:\Program Files\Notepad++\notepad++.exe
Filesize
6.1MB

MD5
5586be3901ee3468ef5a7d0421c57e05

SHA1
1ab215b6288f5038600f35da3dfb6cb7af862d68

SHA256
06eb891aaf62499719416b53f2cc9428d0ade77c80a664a7f3a177f596e06ba7

SHA512
39eb00e73e33e3bc19f3c825878edefb5652c52ef7c6fa1a54cac732f976cb32a2f33f434877d9539b9ab5383f4d7301ccd1eb2afcee731389951504f6204f86

Download Submit
C:\Program Files\Notepad++\notepad++.exe
Filesize
6.1MB

MD5
5586be3901ee3468ef5a7d0421c57e05

SHA1
1ab215b6288f5038600f35da3dfb6cb7af862d68

SHA256
06eb891aaf62499719416b53f2cc9428d0ade77c80a664a7f3a177f596e06ba7

SHA512
39eb00e73e33e3bc19f3c825878edefb5652c52ef7c6fa1a54cac732f976cb32a2f33f434877d9539b9ab5383f4d7301ccd1eb2afcee731389951504f6204f86

Download Submit
C:\Program Files\Notepad++\notepad++.exe
Filesize
6.1MB

MD5
5586be3901ee3468ef5a7d0421c57e05

SHA1
1ab215b6288f5038600f35da3dfb6cb7af862d68

SHA256
06eb891aaf62499719416b53f2cc9428d0ade77c80a664a7f3a177f596e06ba7

SHA512
39eb00e73e33e3bc19f3c825878edefb5652c52ef7c6fa1a54cac732f976cb32a2f33f434877d9539b9ab5383f4d7301ccd1eb2afcee731389951504f6204f86

Download Submit
C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
Filesize
182KB

MD5
b298b73d2e6ba58ca0ed6ef5913543d1

SHA1
86233e5f76a40a2bba2e1f654106a815f9e68172

SHA256
74fb3e9b6b180807bd6ff55e0b5a5777057ef2319179600040ac0bfc16919dd5

SHA512
cb9a8d5b5947181ac5e67458df71482613b741a9a709a8fe2965e0abf45e54bb3a1a755bce5c5f2e87e168e156a491e1995d74153d33cc2115241b641cb1aebe

Download Submit
C:\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll
Filesize
181KB

MD5
6fce45f8bbff7681d9639bac99d3a737

SHA1
d516663d2ae53eba2f6012180a8c6e8527f9c724

SHA256
545b746d388e28b81b4a7c8ec500daab3685eb9ad8accc6722bad16f210ba30c

SHA512
06aa4ae918db76567ffc6996ccc8f0712875cf63b639c9a36e29a57413ceb550f08ebc7abf6fe30b1acb5c98081e18f80de9a39e522c92b029d54fc08149f410

Download Submit
C:\Program Files\Notepad++\plugins\NppExport\NppExport.dll
Filesize
153KB

MD5
d374a3bdc4e430e15bc39dcfa41dfbaa

SHA1
55043aed6f74b580c17d94634de369cd2124c57c

SHA256
5d17a81dbeaacd4f25fc183de86257011d4a33dce4c67e7e3ccef2f6270ef9fe

SHA512
2ecb25f6d164c818719573f132e01b7ceaa7ff8aae2f34e5b21a6d712c7577b6ca1040139bd4b25707a2ee1dbcdfe11826ff00943eb83fbd1b605fadf00bd30d

Download Submit
C:\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll
Filesize
132KB

MD5
62bb2a4415848be188c74fa4632799a2

SHA1
6684549064f7f37ab9d8b3ba9b6c70f9e7faae61

SHA256
3ee185f6db8a4bdd4bb3431f09205c318d4a1fb98126cc020b26a4c63e9004f5

SHA512
59e62252db23520c62ff82fc43d4c979760abb6dbfdf06162bfb5456855c6eae12a4e08d3c9e0ba2253f31c9795f1de6f2b7b325af891b4868989112a16363cf

Download Submit
C:\Program Files\Notepad++\shortcuts.xml
Filesize
965B

MD5
96c510e0fa8b730ce0fe3dfb1a52aa51

SHA1
0654a46879eccb4062480c98ff3e00b0f8565ba0

SHA256
9b0e941dc478fc68d046727f5f8e426cd7e8af91b4fa45882ee9e36b4bb11ee1

SHA512
51a80d18ec723fc3ff2a37317254ef4d5a4e04371362751891d3bd4b7c85f820ecbee72275fc20926d1294fb6a1ac507376054a823e18547648978fe005d3b84

Download Submit
C:\Program Files\Notepad++\stylers.model.xml
Filesize
171KB

MD5
bdfb4656027f0cf737ea17084987dccd

SHA1
17a4a2e147c9ebf89869aa4d5ffe7bd01c269904

SHA256
5924a07dd398050a7da30c31460e96bbe3aaa3a1b3e789a1d0beb52b54d1f62e

SHA512
0421be513721f7c0d5bfe53d7f7db3893d90221beb4a6147cf6498ab45ed67c85789e7cab521dcb8453c853253dfd42489eee0642afccdfbbe05bf7f9bc2c992

Download Submit
C:\Program Files\Notepad++\updater\GUP.exe
Filesize
954KB

MD5
36dbe4aa3b503e721cf41b33cc251aaa

SHA1
6387ccb02deab7e071103b02b1d8ba8af2474352

SHA256
08df2b33b24662749173044f110e6ba21dbeb58939fd64e5c31dfdb405b3afa3

SHA512
8c15a91283678f3c4a863a26f798208aded8fb25cc451256e756698c497d577977586c3785a495fe6b455f675d21925e07e2eccc435eb866f0b3fab7a3ad04de

Download Submit
C:\Program Files\Notepad++\updater\gup.exe
Filesize
954KB

MD5
36dbe4aa3b503e721cf41b33cc251aaa

SHA1
6387ccb02deab7e071103b02b1d8ba8af2474352

SHA256
08df2b33b24662749173044f110e6ba21dbeb58939fd64e5c31dfdb405b3afa3

SHA512
8c15a91283678f3c4a863a26f798208aded8fb25cc451256e756698c497d577977586c3785a495fe6b455f675d21925e07e2eccc435eb866f0b3fab7a3ad04de

Download Submit
C:\Program Files\Notepad++\updater\gup.xml
Filesize
4KB

MD5
abde55a0b1cb4a904e622c02f559dcd1

SHA1
1662f8445a000bbf7c61c40e39266658f169bf13

SHA256
92717951aae89e960b142cef3d273f104051896a3d527a78ca4a88c22b5216a5

SHA512
8fe75fb468f87be1153a6a0d70c0583a355f355bfe988027c88d154b500e97f2c5241d9557ebb981067205e2f23ad07b6a49c669cd3e94eaa728201173b235a0

Download Submit
C:\Program Files\Notepad++\updater\libcurl.dll
Filesize
666KB

MD5
65c88bf57f832db2cb79695c54fd9fb6

SHA1
d0983b51d5ca1012b403b4c6b317579d8a726d9d

SHA256
cf9712dcec5b054ba8490b7eb1b2dc099ae88c9a61f94be7f3079f528d3a458c

SHA512
86f656bce6604ef144bdfce4a07cdbc2b15a723e88fa39e4d4602a016d874304e5698f1a73ddb9c9e8f4800f258f76eb833cb5b20f59eb359f35e502be6f9774

Download Submit
C:\ProgramData\freebl3.dll
Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll
Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll
Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll
Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
Filesize
471B

MD5
48ac0dcd1f6f88596ef87738e0f9cf9e

SHA1
3502377c8099350206754a6c30df0ffe336fbcdb

SHA256
aaa789eaae8f94a42f937038badfbb07fcc46386a5d38bdb63de83084212f17a

SHA512
2614f899529079da2fe7723fe83cb0141022384160a29075e84bd638a4e1c445a8fcb6bdd10d8e44cadce6f19b6cf91607b7a8e3ebbd3647831c33893f524570

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
0a6248a8edf9fdf76b5999d44f6b6b71

SHA1
92630d0466ef0f0ed7b9b21e42aa9f4a51714ba2

SHA256
71c30f2405a0b0ed1c415748df44fe7e18dcd419989d00d68855c263a3d31fbe

SHA512
9fe81044531e99dac0230cbb140b84f9e85737b0ad2b7e67aa9082bb2fa8dcc2b3011c9ebff3ef824c9055d8369759dbf165d7bc229e670541320218d9ee4e25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619
Filesize
430B

MD5
3c102d5f1c7ea9b2fc339aae41edcf7e

SHA1
bdbdabf31c4ea84aac617b7043a52349682090ab

SHA256
cd537a73dbdb36a8aff7dec8b492e141c86385d11f448e3200a428a3a0181a5d

SHA512
a3af71db82ab29fe0cd8109da1f6562f927aa11bb6658507b12cd755dd22029e0169156d53a3dbfb62048b4a0a04c4f0d48b6c2a9864b7d312b717ae81caa4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Obzuaolnpp.8.4.7.installer.x64.exe
Filesize
4.4MB

MD5
feaa91429fb314271bb2cd3db61bcb8a

SHA1
50758c9bea853caceddaf49dfbed82db8a72d994

SHA256
515d2c71ece7c4c7432794b9e1bb6fcf60fdaa2e499744c09af113c65d6dbb68

SHA512
fa0a891be025fc207a02018d82d85360f4653c10b414bcc7f175550d992bfefe39dbdbe23b1a848720ee595ae2745e9b9fb171ad2da1eef526ae3ada0fff3ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Obzuaolnpp.8.4.7.installer.x64.exe
Filesize
4.4MB

MD5
feaa91429fb314271bb2cd3db61bcb8a

SHA1
50758c9bea853caceddaf49dfbed82db8a72d994

SHA256
515d2c71ece7c4c7432794b9e1bb6fcf60fdaa2e499744c09af113c65d6dbb68

SHA512
fa0a891be025fc207a02018d82d85360f4653c10b414bcc7f175550d992bfefe39dbdbe23b1a848720ee595ae2745e9b9fb171ad2da1eef526ae3ada0fff3ef8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
d828a5255e0f97a1c0da068893cf1b2a

SHA1
effe643458036cea4a14a285ae1ca9cfbe53f92d

SHA256
3d8ba65ad8c3477ad5f2b9a0ccf46af0b2aaad32dbc19323e0708bb3742bb8d8

SHA512
2c51066a91cbf1bc2300aa3af38b924b25c0a20ba00bb42c69185c72344b6e46b2fe3e7b62fb6eb7dee7c4e1a7678aedbd7c04e6d4e2d9f3c7309c913dfbc97b

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad++\contextMenu.xml
Filesize
4KB

MD5
a27cbd2fc47815ef8dac7c86bbec7ac7

SHA1
c78f4cebd679e335c3f829e9904f40d7261ad214

SHA256
7fbff0b764605a533b72c77a4b803e8455f748ae6317e24f293aab619d59e005

SHA512
a5c52831e70435b587114ff72da23faf3d135c1a1f859d4fed45f8ff5e81839e2c39ab0b61d4631acab0de360b301f3aa1232ecc788575823159af2afa02e332

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad++\langs.xml
Filesize
342KB

MD5
d4b0036fac21d5b9a032225a6ed009f8

SHA1
1563576664c4642a1de17972cfc53a0cb37d7971

SHA256
1da37af2523f81c1b501d5c99b32029ad0b8a233de99ffd10858f27dc66f095c

SHA512
8b7e1991e37ce49d6483950a06f6091f76ad2836d11c0f3ecd8c1059dca0838ce270eff4dcaa1c1ef106f87bd13dc9f4830fd57a709628702dcf5961fc1f9160

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad++\shortcuts.xml
Filesize
965B

MD5
96c510e0fa8b730ce0fe3dfb1a52aa51

SHA1
0654a46879eccb4062480c98ff3e00b0f8565ba0

SHA256
9b0e941dc478fc68d046727f5f8e426cd7e8af91b4fa45882ee9e36b4bb11ee1

SHA512
51a80d18ec723fc3ff2a37317254ef4d5a4e04371362751891d3bd4b7c85f820ecbee72275fc20926d1294fb6a1ac507376054a823e18547648978fe005d3b84

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad++\stylers.xml
Filesize
171KB

MD5
bdfb4656027f0cf737ea17084987dccd

SHA1
17a4a2e147c9ebf89869aa4d5ffe7bd01c269904

SHA256
5924a07dd398050a7da30c31460e96bbe3aaa3a1b3e789a1d0beb52b54d1f62e

SHA512
0421be513721f7c0d5bfe53d7f7db3893d90221beb4a6147cf6498ab45ed67c85789e7cab521dcb8453c853253dfd42489eee0642afccdfbbe05bf7f9bc2c992

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad++\userDefineLangs\markdown._preinstalled.udl.xml
Filesize
6KB

MD5
672e6d5f89887666ec94711e442644e0

SHA1
8d069ae93347316eff0dcf7aff4d22da18a62af2

SHA256
b34fe6811dacfe49d77d434123867e866daf6e0e27387a0446887dabe8943f04

SHA512
8fc5e9bbe027826304fa6f329fb16e4c9e4e7a597d87e9c691ed6a9f505b7bc1967339b43c6426105432a030260b0654468ab8fcbb4312b2fb6ed6c6aa537edc

Download Submit
C:\Users\Admin\AppData\Roaming\Notepad++\userDefineLangs\markdown._preinstalled_DM.udl.xml
Filesize
6KB

MD5
3690cef1865e32fe6be1b2ec7656539a

SHA1
bc043bec63c310a60d9e242810036460c467945d

SHA256
e45e49f0895249d951df2c07e0f06ca1242e05c961dd921e5aa2781ae2e7ff25

SHA512
c2be869d96baec2018e13dcf5934dd9cf74146541e852cc2eedb4d83a8af23e2577cde7a0158fefaa11056416ff039df3a7725e320620193e9bfe72c8067c051

Download Submit
\Program Files\Notepad++\NppShell_06.dll
Filesize
227KB

MD5
141243d6f3972705b1dfe1bdc1530a0b

SHA1
9f8789e29ac08dbc71f28e570e276d57405e0bb8

SHA256
d7c9325808d55aff774dfc6ea46669b59517905d37e0f6506cb6c94354cfe92b

SHA512
d35dcb9f17eb0d4cb4557809782195932cfb1f94d29bccbdaf49f7dd2b37919b0d49008d83a15d4c6015639b0487e989fd2d47408d4bbb63a8fbf54211b5c9c4

Download Submit
\Program Files\Notepad++\NppShell_06.dll
Filesize
227KB

MD5
141243d6f3972705b1dfe1bdc1530a0b

SHA1
9f8789e29ac08dbc71f28e570e276d57405e0bb8

SHA256
d7c9325808d55aff774dfc6ea46669b59517905d37e0f6506cb6c94354cfe92b

SHA512
d35dcb9f17eb0d4cb4557809782195932cfb1f94d29bccbdaf49f7dd2b37919b0d49008d83a15d4c6015639b0487e989fd2d47408d4bbb63a8fbf54211b5c9c4

Download Submit
\Program Files\Notepad++\notepad++.exe
Filesize
6.1MB

MD5
5586be3901ee3468ef5a7d0421c57e05

SHA1
1ab215b6288f5038600f35da3dfb6cb7af862d68

SHA256
06eb891aaf62499719416b53f2cc9428d0ade77c80a664a7f3a177f596e06ba7

SHA512
39eb00e73e33e3bc19f3c825878edefb5652c52ef7c6fa1a54cac732f976cb32a2f33f434877d9539b9ab5383f4d7301ccd1eb2afcee731389951504f6204f86

Download Submit
\Program Files\Notepad++\notepad++.exe
Filesize
6.1MB

MD5
5586be3901ee3468ef5a7d0421c57e05

SHA1
1ab215b6288f5038600f35da3dfb6cb7af862d68

SHA256
06eb891aaf62499719416b53f2cc9428d0ade77c80a664a7f3a177f596e06ba7

SHA512
39eb00e73e33e3bc19f3c825878edefb5652c52ef7c6fa1a54cac732f976cb32a2f33f434877d9539b9ab5383f4d7301ccd1eb2afcee731389951504f6204f86

Download Submit
\Program Files\Notepad++\notepad++.exe
Filesize
6.1MB

MD5
5586be3901ee3468ef5a7d0421c57e05

SHA1
1ab215b6288f5038600f35da3dfb6cb7af862d68

SHA256
06eb891aaf62499719416b53f2cc9428d0ade77c80a664a7f3a177f596e06ba7

SHA512
39eb00e73e33e3bc19f3c825878edefb5652c52ef7c6fa1a54cac732f976cb32a2f33f434877d9539b9ab5383f4d7301ccd1eb2afcee731389951504f6204f86

Download Submit
\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll
Filesize
181KB

MD5
6fce45f8bbff7681d9639bac99d3a737

SHA1
d516663d2ae53eba2f6012180a8c6e8527f9c724

SHA256
545b746d388e28b81b4a7c8ec500daab3685eb9ad8accc6722bad16f210ba30c

SHA512
06aa4ae918db76567ffc6996ccc8f0712875cf63b639c9a36e29a57413ceb550f08ebc7abf6fe30b1acb5c98081e18f80de9a39e522c92b029d54fc08149f410

Download Submit
\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll
Filesize
181KB

MD5
6fce45f8bbff7681d9639bac99d3a737

SHA1
d516663d2ae53eba2f6012180a8c6e8527f9c724

SHA256
545b746d388e28b81b4a7c8ec500daab3685eb9ad8accc6722bad16f210ba30c

SHA512
06aa4ae918db76567ffc6996ccc8f0712875cf63b639c9a36e29a57413ceb550f08ebc7abf6fe30b1acb5c98081e18f80de9a39e522c92b029d54fc08149f410

Download Submit
\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll
Filesize
181KB

MD5
6fce45f8bbff7681d9639bac99d3a737

SHA1
d516663d2ae53eba2f6012180a8c6e8527f9c724

SHA256
545b746d388e28b81b4a7c8ec500daab3685eb9ad8accc6722bad16f210ba30c

SHA512
06aa4ae918db76567ffc6996ccc8f0712875cf63b639c9a36e29a57413ceb550f08ebc7abf6fe30b1acb5c98081e18f80de9a39e522c92b029d54fc08149f410

Download Submit
\Program Files\Notepad++\plugins\NppConverter\NppConverter.dll
Filesize
181KB

MD5
6fce45f8bbff7681d9639bac99d3a737

SHA1
d516663d2ae53eba2f6012180a8c6e8527f9c724

SHA256
545b746d388e28b81b4a7c8ec500daab3685eb9ad8accc6722bad16f210ba30c

SHA512
06aa4ae918db76567ffc6996ccc8f0712875cf63b639c9a36e29a57413ceb550f08ebc7abf6fe30b1acb5c98081e18f80de9a39e522c92b029d54fc08149f410

Download Submit
\Program Files\Notepad++\plugins\NppExport\NppExport.dll
Filesize
153KB

MD5
d374a3bdc4e430e15bc39dcfa41dfbaa

SHA1
55043aed6f74b580c17d94634de369cd2124c57c

SHA256
5d17a81dbeaacd4f25fc183de86257011d4a33dce4c67e7e3ccef2f6270ef9fe

SHA512
2ecb25f6d164c818719573f132e01b7ceaa7ff8aae2f34e5b21a6d712c7577b6ca1040139bd4b25707a2ee1dbcdfe11826ff00943eb83fbd1b605fadf00bd30d

Download Submit
\Program Files\Notepad++\plugins\NppExport\NppExport.dll
Filesize
153KB

MD5
d374a3bdc4e430e15bc39dcfa41dfbaa

SHA1
55043aed6f74b580c17d94634de369cd2124c57c

SHA256
5d17a81dbeaacd4f25fc183de86257011d4a33dce4c67e7e3ccef2f6270ef9fe

SHA512
2ecb25f6d164c818719573f132e01b7ceaa7ff8aae2f34e5b21a6d712c7577b6ca1040139bd4b25707a2ee1dbcdfe11826ff00943eb83fbd1b605fadf00bd30d

Download Submit
\Program Files\Notepad++\plugins\NppExport\NppExport.dll
Filesize
153KB

MD5
d374a3bdc4e430e15bc39dcfa41dfbaa

SHA1
55043aed6f74b580c17d94634de369cd2124c57c

SHA256
5d17a81dbeaacd4f25fc183de86257011d4a33dce4c67e7e3ccef2f6270ef9fe

SHA512
2ecb25f6d164c818719573f132e01b7ceaa7ff8aae2f34e5b21a6d712c7577b6ca1040139bd4b25707a2ee1dbcdfe11826ff00943eb83fbd1b605fadf00bd30d

Download Submit
\Program Files\Notepad++\plugins\NppExport\NppExport.dll
Filesize
153KB

MD5
d374a3bdc4e430e15bc39dcfa41dfbaa

SHA1
55043aed6f74b580c17d94634de369cd2124c57c

SHA256
5d17a81dbeaacd4f25fc183de86257011d4a33dce4c67e7e3ccef2f6270ef9fe

SHA512
2ecb25f6d164c818719573f132e01b7ceaa7ff8aae2f34e5b21a6d712c7577b6ca1040139bd4b25707a2ee1dbcdfe11826ff00943eb83fbd1b605fadf00bd30d

Download Submit
\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll
Filesize
132KB

MD5
62bb2a4415848be188c74fa4632799a2

SHA1
6684549064f7f37ab9d8b3ba9b6c70f9e7faae61

SHA256
3ee185f6db8a4bdd4bb3431f09205c318d4a1fb98126cc020b26a4c63e9004f5

SHA512
59e62252db23520c62ff82fc43d4c979760abb6dbfdf06162bfb5456855c6eae12a4e08d3c9e0ba2253f31c9795f1de6f2b7b325af891b4868989112a16363cf

Download Submit
\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll
Filesize
132KB

MD5
62bb2a4415848be188c74fa4632799a2

SHA1
6684549064f7f37ab9d8b3ba9b6c70f9e7faae61

SHA256
3ee185f6db8a4bdd4bb3431f09205c318d4a1fb98126cc020b26a4c63e9004f5

SHA512
59e62252db23520c62ff82fc43d4c979760abb6dbfdf06162bfb5456855c6eae12a4e08d3c9e0ba2253f31c9795f1de6f2b7b325af891b4868989112a16363cf

Download Submit
\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll
Filesize
132KB

MD5
62bb2a4415848be188c74fa4632799a2

SHA1
6684549064f7f37ab9d8b3ba9b6c70f9e7faae61

SHA256
3ee185f6db8a4bdd4bb3431f09205c318d4a1fb98126cc020b26a4c63e9004f5

SHA512
59e62252db23520c62ff82fc43d4c979760abb6dbfdf06162bfb5456855c6eae12a4e08d3c9e0ba2253f31c9795f1de6f2b7b325af891b4868989112a16363cf

Download Submit
\Program Files\Notepad++\plugins\mimeTools\mimeTools.dll
Filesize
132KB

MD5
62bb2a4415848be188c74fa4632799a2

SHA1
6684549064f7f37ab9d8b3ba9b6c70f9e7faae61

SHA256
3ee185f6db8a4bdd4bb3431f09205c318d4a1fb98126cc020b26a4c63e9004f5

SHA512
59e62252db23520c62ff82fc43d4c979760abb6dbfdf06162bfb5456855c6eae12a4e08d3c9e0ba2253f31c9795f1de6f2b7b325af891b4868989112a16363cf

Download Submit
\Program Files\Notepad++\updater\GUP.exe
Filesize
954KB

MD5
36dbe4aa3b503e721cf41b33cc251aaa

SHA1
6387ccb02deab7e071103b02b1d8ba8af2474352

SHA256
08df2b33b24662749173044f110e6ba21dbeb58939fd64e5c31dfdb405b3afa3

SHA512
8c15a91283678f3c4a863a26f798208aded8fb25cc451256e756698c497d577977586c3785a495fe6b455f675d21925e07e2eccc435eb866f0b3fab7a3ad04de

Download Submit
\Program Files\Notepad++\updater\libcurl.dll
Filesize
666KB

MD5
65c88bf57f832db2cb79695c54fd9fb6

SHA1
d0983b51d5ca1012b403b4c6b317579d8a726d9d

SHA256
cf9712dcec5b054ba8490b7eb1b2dc099ae88c9a61f94be7f3079f528d3a458c

SHA512
86f656bce6604ef144bdfce4a07cdbc2b15a723e88fa39e4d4602a016d874304e5698f1a73ddb9c9e8f4800f258f76eb833cb5b20f59eb359f35e502be6f9774

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\Obzuaolnpp.8.4.7.installer.x64.exe
Filesize
4.4MB

MD5
feaa91429fb314271bb2cd3db61bcb8a

SHA1
50758c9bea853caceddaf49dfbed82db8a72d994

SHA256
515d2c71ece7c4c7432794b9e1bb6fcf60fdaa2e499744c09af113c65d6dbb68

SHA512
fa0a891be025fc207a02018d82d85360f4653c10b414bcc7f175550d992bfefe39dbdbe23b1a848720ee595ae2745e9b9fb171ad2da1eef526ae3ada0fff3ef8

Download Submit
\Users\Admin\AppData\Local\Temp\nsu7062.tmp\InstallOptions.dll
Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
\Users\Admin\AppData\Local\Temp\nsu7062.tmp\InstallOptions.dll
Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
\Users\Admin\AppData\Local\Temp\nsu7062.tmp\LangDLL.dll
Filesize
5KB

MD5
68b287f4067ba013e34a1339afdb1ea8

SHA1
45ad585b3cc8e5a6af7b68f5d8269c97992130b3

SHA256
18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

SHA512
06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

Download Submit
\Users\Admin\AppData\Local\Temp\nsu7062.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsu7062.tmp\UserInfo.dll
Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
\Users\Admin\AppData\Local\Temp\nsu7062.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
memory/240-192-0x0000000000000000-mapping.dmp

Download
memory/360-128-0x0000000000000000-mapping.dmp

Download
memory/680-174-0x0000000000000000-mapping.dmp

Download
memory/740-179-0x0000000000000000-mapping.dmp

Download
memory/856-126-0x0000000000000000-mapping.dmp

Download
memory/884-90-0x000000006DA60000-0x000000006E00B000-memory.dmp

Filesize
5.7MB

Download
memory/884-85-0x0000000000000000-mapping.dmp

Download
memory/884-88-0x000000006DA60000-0x000000006E00B000-memory.dmp

Filesize
5.7MB

Download
memory/892-167-0x0000000000000000-mapping.dmp

Download
memory/1016-171-0x0000000000000000-mapping.dmp

Download
memory/1208-64-0x0000000000000000-mapping.dmp

Download
memory/1492-59-0x000000006DC80000-0x000000006E22B000-memory.dmp

Filesize
5.7MB

Download
memory/1492-60-0x000000006DC80000-0x000000006E22B000-memory.dmp

Filesize
5.7MB

Download
memory/1492-62-0x000000006DC80000-0x000000006E22B000-memory.dmp

Filesize
5.7MB

Download
memory/1492-57-0x0000000000000000-mapping.dmp

Download
memory/1504-158-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1504-101-0x000000000042354C-mapping.dmp

Download
memory/1504-132-0x0000000069040000-0x0000000069133000-memory.dmp

Filesize
972KB

Download
memory/1504-160-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1504-105-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1576-159-0x0000000000000000-mapping.dmp

Download
memory/1852-183-0x0000000000000000-mapping.dmp

Download
memory/1916-54-0x0000000001380000-0x00000000013B0000-memory.dmp

Filesize
192KB

Download
memory/1916-55-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1916-56-0x0000000007FD0000-0x0000000008646000-memory.dmp

Filesize
6.5MB

Download
memory/1964-83-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1964-74-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1964-72-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1964-70-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1964-68-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1964-67-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1964-77-0x000000000042354C-mapping.dmp

Download
memory/1964-76-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1964-79-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1964-89-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1964-106-0x0000000068FD0000-0x00000000690C3000-memory.dmp

Filesize
972KB

Download
memory/1964-127-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2020-161-0x0000000000000000-mapping.dmp

Download