wikiloader | 99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6

Resubmissions

31/07/2024, 19:49

240731-yjqkmazfqp 10

30/04/2024, 21:42

240430-1kpe3agd3x 10

Analysis

max time kernel
1079s
max time network
867s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
31/07/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6.zip
Size

8.5MB
MD5

1914923016185375510ebe77c41de172
SHA1

1526594013143e48da425decb19d7b4d00e85dc1
SHA256

99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6
SHA512

31232130dc9cc78e00dc38cf64c664bb2254afe75c14cb12bdc06d1abe207c3c0f06e9b3301f9910a6b1c07b63d73a4c70557286d0e149ccb600639363859bda
SSDEEP

196608:Lz1xWKqkGTSOwUDLMpvM4KBCmbhOj+UIs1mkSxCBND3R/:LzDb9Ownp/0lTsUnwND3R/

Score

10^/10

wikiloader backdoor loader

Malware Config

Extracted

Family

wikiloader

https://unokodkelas.cl/wp-content/themes/twentytwenty/pttfrp.php?id=1

https://www.judicialconsulting.es/wp-content/themes/hello-elementor/t745ny.php?id=1

https://polarishousingsystems.com/wp-content/themes/twentytwentyfour/qshgfl.php?id=1

https://barliam.com/ph/wp-content/themes/twentytwentythree/plxka3.php?id=1

Signatures

Wikiloader
Wikiloader is a loader and backdoor written in C++.
loader backdoor wikiloader

Executes dropped EXE 1 IoCs

pid	Process
4064	notepad.exe

Loads dropped DLL 4 IoCs

pid	Process
4064	notepad.exe
4064	notepad.exe
4064	notepad.exe
4064	notepad.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4064	notepad.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2248	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2316	powershell.exe
2316	powershell.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2180	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeRestorePrivilege	4076	7zG.exe
Token: 35	4076	7zG.exe
Token: SeSecurityPrivilege	4076	7zG.exe
Token: SeSecurityPrivilege	4076	7zG.exe
Token: SeDebugPrivilege	2180	taskmgr.exe
Token: SeSystemProfilePrivilege	2180	taskmgr.exe
Token: SeCreateGlobalPrivilege	2180	taskmgr.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeSecurityPrivilege	2180	taskmgr.exe
Token: SeTakeOwnershipPrivilege	2180	taskmgr.exe
Token: SeBackupPrivilege	5008	svchost.exe
Token: SeRestorePrivilege	5008	svchost.exe
Token: SeSecurityPrivilege	5008	svchost.exe
Token: SeTakeOwnershipPrivilege	5008	svchost.exe
Token: 35	5008	svchost.exe
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE
Token: SeShutdownPrivilege	3516	Explorer.EXE
Token: SeCreatePagefilePrivilege	3516	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4076	7zG.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe
2180	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4064	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2248	2316	powershell.exe	101
PID 2316 wrote to memory of 2248	2316	powershell.exe	101
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56
PID 4064 wrote to memory of 3516	4064	notepad.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3516
- C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6.zip
  2⤵
  PID:1256
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\" -spe -an -ai#7zMap30726:208:7zEvent6047
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4076
- C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\notepad.exe
  "C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\notepad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4064
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:2248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\certificate.pem

Filesize
127KB

MD5
2720481c2c754efcf5ac5e779040be5f

SHA1
866a989b9b4d615de35cd7bb68ddb902e8d3f63b

SHA256
548ea79b9e93e71b94a721c2cb3bb1a4e8f8b8f25227dc96612c5e664f417021

SHA512
8ce1efb98f4486e2087edead72ab4dac3e1625bdfd55bc5cafc61644275dfd0739c384fbd6ef394a540082c3545689bcf1fd3fe8f0e50112bc1bbc3ec05ba741

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\config.xml

Filesize
7KB

MD5
7a90522d275e13ab0813da65e9b0da43

SHA1
2bf10880d9d7f84fc761d3cd720d037f3c022c2a

SHA256
c9ecaff72fbbcdde1f7614d306fe9d6884da76557bfc9a2e498a8f97724121f9

SHA512
06394dc52ed7f55455d4a327be7155f4b2ca2e416ce1ed2cfc8a74edf088f233500d4647ac2907aea562af01a9450ccd324d97f8e4a9725781b6648ea0a9fe1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\contextMenu.xml

Filesize
4KB

MD5
fde4cc09d1c18c6cd7c1a4878e89d27e

SHA1
22fba21b254fed1a60da5de2b8af3cf6e132b647

SHA256
43ac0b7ba9b1f91fd8d4841b8119344e6212b307a1decccf61658f31d38bb425

SHA512
fcc87b93cb4dd0949e82edb7d2788d7abd317f9f4c5f046ceba1cd85a64b12b29c6baba3e8646265db02a48a2dc20c3b5e893a1334d9b1e91d26692b4e9c2d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\langs.xml

Filesize
451KB

MD5
0ca5163fef9dc83b8fba4f6524fd5801

SHA1
a2a7b6d3ca67a56c9f384c74e96912ebea7262cd

SHA256
d5bfd6ae3c031de46b4bb30abe9b44dbe4caa33228946853481be1b1d23c1a6d

SHA512
7b81e6457200712f1b1beaea215fc68fea522517ba8dbaf4ab1230703da22d8ceb08e0057e60fccd076b087e9edf7c660957e4a3763c0bf906e9a6c827fac4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\notepad.exe

Filesize
6.9MB

MD5
2cd84602fc2428e0db00dbce5e20dc80

SHA1
965a62dbba7cbb95b6a7694dc33963ffb105819a

SHA256
4e271372528a9b439d99a7376fc1ac9c67884226a2f7bcbe2f68694c80548287

SHA512
a6f715224a5e9ffb35833591bdc5cf1b76da479c2a6fd2108d921526708f918e6d5d2e9569c879d1d4c76e4606cdd271364b6f85acd8c811439bd08b61665fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\plugins\Config\nppPluginList.dll

Filesize
204KB

MD5
18a0b5fef18fc27926a4aa3965374fea

SHA1
a1517a5c1356f00c63c60e464276b115ef7087e7

SHA256
fd046bbe51b6106ff41cf766ec002f2fd9e5ec18fb60c6c1b3224c0963036f85

SHA512
ea056caa9dfdd23df08bc47058246b4430e71ec4d2646055d11ed99e82d443397e48bc44a3c3532ff89e1b0eebb304453df3bb6935d558a91df6ce8da0b7d92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\plugins\NppConverter\NppConverter.dll

Filesize
198KB

MD5
3469d4e293654053868b54ca8cf7c5c9

SHA1
48a77bd9369465efe93db1afc173836e38f1c63c

SHA256
d03c1a63ea0dfb0eb588168d36ffb6141f5780abe24c8c19873549788c1c7a6d

SHA512
3494869d7e1c80d8c6f1bb17cbc648e80ebdc6ce57fa9a66b1f341d3eb54304def7e5ce39ffd7e4798757ad6b966439c7feb15b7f56400bab98afce7259d047c

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\plugins\NppExport\NppExport.dll

Filesize
153KB

MD5
4f465c958622681513e45ced7fa456ad

SHA1
22766bd48fe89128c7242377053bcae532d35e70

SHA256
e0a90cd22bee74bf16b42961ea373303a74bebe3ac19107eb90c25c1687586c8

SHA512
9d27edb6c3ae548a56806dc63ff8259f52c089c1d0adf7193b9aed558735450555f434e73e5f264310cf555a7232bcc87668acf15a3641a18cff9414bb96eeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\plugins\mimeTools\mimeTools.dll

Filesize
145KB

MD5
2126f8d0d398ef95e1c505209986b638

SHA1
9259f505d8ff5655906b52598e5a139168cec0ab

SHA256
f1a49cea454bac3e78ac765b247b65d00c896d84de2028892b00d4310453c665

SHA512
819a5b67a8e64311113948efcb0476c976a2de32f41e3a8c8e01f8a437f43349dfcff1ec50f3c8a988742eb96372f52386b0527c1b17ef585d9e1dfe3de34566

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\session.xml

Filesize
193B

MD5
5d261612f9233dc1754c83fee2c5a854

SHA1
16f3543dcc6ed0bb3f111e6bca845fe1cd1a20ec

SHA256
52226d6d91ffe76d8aa3ce42982da9bb4881f04eb0d8d4ebb34a6e3204845901

SHA512
875bbffd4772964ada70a4cf3aab6e9f6193757dc653d2cf58642156b4b15d6a806b86b6252f6bfec503065d3f7384b248b669064327fe74a948d9c273084bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\shortcuts.xml

Filesize
3KB

MD5
fb573784b83033dd4361f52006d02cb8

SHA1
0a2923a44ec1bd5e7e8bc7cace15857ae03bf63c

SHA256
37a24662cd55b627807bc2bb7cbba5bbf2abaf6da4dd7bbb949bfaa7903eae9c

SHA512
753b44b5e8bea858cf5cc5ddfdc38098a2f3f921949cf98706ead95bdfa1de7ab0c115e9d69237623a03c422969480204c69d3ba277141527458c68230d0c67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\stylers.xml

Filesize
182KB

MD5
343b8f55f376e88674733286d027f834

SHA1
466886054d5c2641ba6058f58a7a84053aa4696e

SHA256
f002b36e70f0fb159885c21fa6e6395176cd50a254201a94cbed756d9843fa9a

SHA512
ef6643badbb87739f0ae847d201651f8d3e677c54ca2aa3f81277b053355772f71d9b0f490617c104ce861a29e2b283fe6d82faf4cfe8f10bfc571d683cfea8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\toolbarIcons.xml

Filesize
2KB

MD5
bc4b775a277672fc7edf956120576ecb

SHA1
fe7c2db5b4d4c5a3f5603cf56c4d71cc9ee2d71d

SHA256
4ec98de37193f41242c1a47507bcc4c1af555e71154f7354272bc3e664e19877

SHA512
f87dc3ce52831ee308fbfa2b1b94c07e2811e7028360f046e012f8ea5a8f0ebcd362de7a663dee810c3da0791474c1485b1a2626c7867e76236156b125ff39b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\updater\gup.exe

Filesize
818KB

MD5
fabdd8cc1e50874481688659ea63b7ec

SHA1
d498dc918010810822902df29ce54ac1766fb446

SHA256
d056ae6e45a62a86199dcc7d0c696469374253fba05a45c877caf28b0b897df3

SHA512
1bda8cd73f00f0e7fd6a924ad6234dc47a183f3f4c5a40d5ca6cc0cdd116ee07fce7a1b744cba31ab2a491e89b23f653b5d38a74eaf5138e3289c799f99b7450

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\userDefineLangs\markdown._preinstalled.udl.xml

Filesize
6KB

MD5
672e6d5f89887666ec94711e442644e0

SHA1
8d069ae93347316eff0dcf7aff4d22da18a62af2

SHA256
b34fe6811dacfe49d77d434123867e866daf6e0e27387a0446887dabe8943f04

SHA512
8fc5e9bbe027826304fa6f329fb16e4c9e4e7a597d87e9c691ed6a9f505b7bc1967339b43c6426105432a030260b0654468ab8fcbb4312b2fb6ed6c6aa537edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\99fe6730862db95a23d5996996d99d55a809390b152bfdc15d617545016cbbe6\npp.8.6.3.portable.x64\userDefineLangs\markdown._preinstalled_DM.udl.xml

Filesize
6KB

MD5
3690cef1865e32fe6be1b2ec7656539a

SHA1
bc043bec63c310a60d9e242810036460c467945d

SHA256
e45e49f0895249d951df2c07e0f06ca1242e05c961dd921e5aa2781ae2e7ff25

SHA512
c2be869d96baec2018e13dcf5934dd9cf74146541e852cc2eedb4d83a8af23e2577cde7a0158fefaa11056416ff039df3a7725e320620193e9bfe72c8067c051

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1t3y2xfj.x2r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2180-456-0x0000026F30640000-0x0000026F30641000-memory.dmp

Filesize
4KB

Download
memory/2180-454-0x0000026F30640000-0x0000026F30641000-memory.dmp

Filesize
4KB

Download
memory/2180-448-0x0000026F30640000-0x0000026F30641000-memory.dmp

Filesize
4KB

Download
memory/2180-460-0x0000026F30640000-0x0000026F30641000-memory.dmp

Filesize
4KB

Download
memory/2180-459-0x0000026F30640000-0x0000026F30641000-memory.dmp

Filesize
4KB

Download
memory/2180-458-0x0000026F30640000-0x0000026F30641000-memory.dmp

Filesize
4KB

Download
memory/2180-457-0x0000026F30640000-0x0000026F30641000-memory.dmp

Filesize
4KB

Download
memory/2180-450-0x0000026F30640000-0x0000026F30641000-memory.dmp

Filesize
4KB

Download
memory/2180-455-0x0000026F30640000-0x0000026F30641000-memory.dmp

Filesize
4KB

Download
memory/2180-449-0x0000026F30640000-0x0000026F30641000-memory.dmp

Filesize
4KB

Download
memory/2180-485-0x0000026F305E0000-0x0000026F305F0000-memory.dmp

Filesize
64KB

Download
memory/2180-479-0x0000026F30580000-0x0000026F30590000-memory.dmp

Filesize
64KB

Download
memory/2316-473-0x00000190BCEA0000-0x00000190BCEE4000-memory.dmp

Filesize
272KB

Download
memory/2316-474-0x00000190BCF70000-0x00000190BCFE6000-memory.dmp

Filesize
472KB

Download
memory/2316-472-0x00000190BC0E0000-0x00000190BC102000-memory.dmp

Filesize
136KB

Download
memory/3516-497-0x0000000002610000-0x0000000002625000-memory.dmp

Filesize
84KB

Download
memory/4064-447-0x0000023643110000-0x000002364906F000-memory.dmp

Filesize
95.4MB

Download