When the trojanized Notepad++ installer is executed, it creates a folder named “Windows Data” under C:\ProgramData\Microsoft and drops three files:
npp.8.1.7.Installer.x64.exe – the genuine Notepad++ installer, written to the user's C:\Users\Username\AppData\Local\Temp folder.
winpickr.exe – a malicious executable, written to C:\Windows\System32.
ntuis32.exe – a malicious keylogger, written to C:\ProgramData\Microsoft\Windows Data.
The installation of the code editor then continues as expected, so the victim sees nothing out of the ordinary that would raise suspicion.
As setup finishes, a new service named “PickerSrv” is created, giving the malware persistence by running it at system startup.
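The dropped files and the service name above are host indicators a responder can check directly. The following PowerShell script is an added example written for this page, not code from the original report or from the malware author; it hunts a single host for the paths and service named in the write-up. The event-log check (System log, event ID 7045, “A service was installed in the system”) is an assumption about where the service creation would be recorded, not something the report states, and the script does not check file hashes against known-bad values because the report gives none.

```powershell
# Added example (not from the original report): hunt one host for the indicators
# described above. File paths and the service name come from the write-up.
# The System 7045 event check is an assumption about where service creation
# is logged, not something the report states. Run from an elevated prompt.

$Indicators = @{
    Folder      = "$env:ProgramData\Microsoft\Windows Data"
    Files       = @(
        "$env:ProgramData\Microsoft\Windows Data\ntuis32.exe",
        "$env:SystemRoot\System32\winpickr.exe"
    )
    ServiceName = 'PickerSrv'
    TempCopy    = 'AppData\Local\Temp\npp.8.1.7.Installer.x64.exe'
}

$findings = @()

# 1. Staging folder and dropped executables
if (Test-Path -LiteralPath $Indicators.Folder) {
    $findings += "Folder present: $($Indicators.Folder)"
}
foreach ($f in $Indicators.Files) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += "File present: $f (SHA256 $hash)"
    }
}

# 2. Persistence: the service created at the end of setup
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($Indicators.ServiceName)'"
if ($svc) {
    $findings += "Service present: $($svc.Name) State=$($svc.State) StartMode=$($svc.StartMode) Path=$($svc.PathName)"
}

# 3. Service-installation events (System log, ID 7045) naming the service.
#    Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Indicators.ServiceName }
foreach ($e in $events) {
    $findings += "Service install event: $($e.TimeCreated) $($e.Message -replace '\s+', ' ')"
}

# 4. The genuine installer dropped into a user's Temp folder. Temp is per user,
#    so walk every profile rather than only the current one.
Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Join-Path -Path $_.FullName -ChildPath $Indicators.TempCopy
    if (Test-Path -LiteralPath $p) { $findings += "Installer copy in Temp: $p" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

The Temp copy on its own is weak evidence, since it is the legitimate Notepad++ installer and any user who ran the real setup may have one; the signal is its presence together with the “Windows Data” folder, winpickr.exe in System32, or the PickerSrv service. Treat the SHA256 values the script prints as evidence to preserve and compare, not as a verdict, because the report does not publish hashes for the dropped files.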