Notepad++ update hijacking


Notepad++ update infrastructure has been hijacked. A summary of IOC searches.




We started this week with a very bad case: the hack of Notepad++.

If you don't know what Notepad++ is, or don't see how critical such an attack is, please move on and take some courses. Because, yes, this is a supply chain attack, one of the most dangerous attacks an organization can suffer. Whatever your level of security, if a trusted source, partner, provider etc. is compromised, it becomes very hard to ensure the integrity of your infrastructure. In such a case we must apply a zero trust logic and the principles of Defense in Depth. Here it is actually worse: it is a two-level supply chain attack. The attackers compromised the hosting provider's infrastructure used by Notepad++, which was then used to compromise users of Notepad++.

This post was written on Feb 3rd, at 11.00AM UTC+1, so all the information here is based on what was available at that time.

What happened?

A quick summary of the initial incident, from my understanding and based on the already published information.

The former hosting infrastructure used by NPP to update the client was compromised. How? We don't really know yet. The threat actor, which seems to be a Chinese state-sponsored actor, was able to redirect the update package download performed by the NPP updater (gup.exe) to a malicious package. They exploited a vulnerability in the update process: the updater did not validate the legitimacy of the update package (hash, signature, certificate etc.). The targets were selected by the threat actor on unknown criteria.

What is the issue for you?

The incident started in June 2025 and lasted up to December 2025.

With the log retention of a mature infrastructure, you will mainly have infrastructure-level logs for this period, while endpoint (EDR/XDR) log retention is most of the time shorter. So finding traces of the malicious actor starts to become complex.

But that's not all. We have almost no IOCs to search for. When the alert was triggered on Monday morning, my team and I were looking for... we did not know what.

The previous legit NPP packages were signed with a self-signed certificate. We had the hashes of the legit installers we had collected from the official website, but no hashes of the running processes. The installer is downloaded only at installation time; if it was a malicious one, that would have been 6 months ago.

On Monday afternoon, Rapid7 published a blog article providing payload and infrastructure analysis with some IOCs. Are those IOCs exhaustive? We don't know. But it is a starting point.

Let's consider that you have a properly secured infrastructure, which means:

- A proxy, mandatory for any internet access, or at least URL filtering at your boundaries, with SSL inspection and fully detailed logs, so you have the user-agent, the filenames, the hash of downloaded files, the full URI etc.

- Sufficient log retention for your proxy logs and firewall logs.

- An EDR. In my case, we'll do the searches in MS Defender for Endpoint, which brings me the limit of 30 days of hot logs. 😭

I share with you my elements and my searches.



Extracted IOCs from multiple sources

Resources

https://securelist.com/notepad-supply-chain-attack/118708/

The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit

Exploring the C2 Infrastructure of the Notepad++ Compromise | Validin

Payloads SHA256:

- 8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e
- 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924
- 77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e
- 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad
- 0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd
- 4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8
- e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda
- 078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5
- b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3
- 7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd
- fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a
- a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9
- 9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600
- f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a
- 4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906
- 831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd
- c7cc87ef3829a33b7f178d88a71ba548c37020005b09d16a76fcd356621335e6
- 36c98c18215a244e501673d9f01fa093d1906d08a7ad9927905f8f004640e4e1
- 4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566

KQL file events

DeviceFileEvents
| where SHA256 in ("8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e",
"2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924",
"77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e",
"3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad",
"0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd",
"4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8",
"e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda",
"078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5",
"b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3",
"7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd",
"fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a",
"a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9",
"9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600",
"f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a",
"4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906",
"831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd",
"c7cc87ef3829a33b7f178d88a71ba548c37020005b09d16a76fcd356621335e6",
"36c98c18215a244e501673d9f01fa093d1906d08a7ad9927905f8f004640e4e1",
"4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566")

KQL process events

DeviceProcessEvents
| where SHA256 in ("8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e",
"2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924",
"77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e",
"3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad",
"0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd",
"4c2ea8193f4a5db63b897a2d3ce127cc5d89687f380b97a1d91e0c8db542e4f8",
"e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda",
"078a9e5c6c787e5532a7e728720cbafee9021bfec4a30e3c2be110748d7c43c5",
"b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3",
"7add554a98d3a99b319f2127688356c1283ed073a084805f14e33b4f6a6126fd",
"fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a",
"a511be5164dc1122fb5a7daa3eef9467e43d8458425b15a640235796006590c9",
"9276594e73cda1c69b7d265b3f08dc8fa84bf2d6599086b9acc0bb3745146600",
"f4d829739f2d6ba7e3ede83dad428a0ced1a703ec582fc73a4eee3df3704629a",
"4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906",
"831e1ea13a1bd405f5bda2b9d8f2265f7b1db6c668dd2165ccc8a9c4c15ea7dd",
"c7cc87ef3829a33b7f178d88a71ba548c37020005b09d16a76fcd356621335e6",
"36c98c18215a244e501673d9f01fa093d1906d08a7ad9927905f8f004640e4e1",
"4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566")


Search in your proxy logs for the hashes


Payloads SHA1

- 8e6e505438c21f3d281e1cc257abdbf7223b7f5a
- 90e677d7ff5844407b9c073e3b7e896e078e11cd
- 573549869e84544e3ef253bdba79851dcde4963a
- 13179c8f19fbf3d8473c49983a199e6cb4f318f0
- 4c9aac447bf732acc97992290aa7a187b967ee2c
- 821c0cafb2aab0f063ef7e313f64313fc81d46cd
- 06a6a5a39193075734a32e0235bde0e979c27228
- 9c3ba38890ed984a25abb6a094b5dbf052f22fa7
- ca4b6fe0c69472cd3d63b212eb805b7f65710d33
- 0d0f315fd8cf408a483f8e2dd1e69422629ed9fd
- 2a476cfb85fbf012fdbe63a37642c11afa5cf020
- d7ffd7b588880cf61b603346a3557e7cce648c93
- 94dffa9de5b665dc51bc36e2693b8a3a0a4cc6b8
- 21a942273c14e4b9d3faa58e4de1fd4d5014a1ed
- 7e0790226ea461bcc9ecd4be3c315ace41e1c122
- f7910d943a013eede24ac89d6388c1b98f8b3717
- 73d9d0139eaf89b7df34ceeb60e5f8c7cd2463bf
- bd4915b3597942d88f319740a9b803cc51585c4a
- c68d09dd50e357fd3de17a70b7724f8949441d77
- 813ace987a61af909c053607635489ee984534f4
- 9fbf2195dee991b1e5a727fd51391dcc2d7a4b16
- 07d2a01e1dc94d59d5ca3bdf0c7848553ae91a51
- 3090ecf034337857f786084fb14e63354e271c5d
- d0662eadbe5ba92acbd3485d8187112543bcfbf5
- 9c0eff4deeb626730ad6a05c85eb138df48372ce

KQL file events

DeviceFileEvents
| where SHA1 in ("8e6e505438c21f3d281e1cc257abdbf7223b7f5a",
"90e677d7ff5844407b9c073e3b7e896e078e11cd",
"573549869e84544e3ef253bdba79851dcde4963a",
"13179c8f19fbf3d8473c49983a199e6cb4f318f0",
"4c9aac447bf732acc97992290aa7a187b967ee2c",
"821c0cafb2aab0f063ef7e313f64313fc81d46cd",
"06a6a5a39193075734a32e0235bde0e979c27228",
"9c3ba38890ed984a25abb6a094b5dbf052f22fa7",
"ca4b6fe0c69472cd3d63b212eb805b7f65710d33",
"0d0f315fd8cf408a483f8e2dd1e69422629ed9fd",
"2a476cfb85fbf012fdbe63a37642c11afa5cf020",
"d7ffd7b588880cf61b603346a3557e7cce648c93",
"94dffa9de5b665dc51bc36e2693b8a3a0a4cc6b8",
"21a942273c14e4b9d3faa58e4de1fd4d5014a1ed",
"7e0790226ea461bcc9ecd4be3c315ace41e1c122",
"f7910d943a013eede24ac89d6388c1b98f8b3717",
"73d9d0139eaf89b7df34ceeb60e5f8c7cd2463bf",
"bd4915b3597942d88f319740a9b803cc51585c4a",
"c68d09dd50e357fd3de17a70b7724f8949441d77",
"813ace987a61af909c053607635489ee984534f4",
"9fbf2195dee991b1e5a727fd51391dcc2d7a4b16",
"07d2a01e1dc94d59d5ca3bdf0c7848553ae91a51",
"3090ecf034337857f786084fb14e63354e271c5d",
"d0662eadbe5ba92acbd3485d8187112543bcfbf5",
"9c0eff4deeb626730ad6a05c85eb138df48372ce")


KQL process events

DeviceProcessEvents
| where SHA1 in ("8e6e505438c21f3d281e1cc257abdbf7223b7f5a",
"90e677d7ff5844407b9c073e3b7e896e078e11cd",
"573549869e84544e3ef253bdba79851dcde4963a",
"13179c8f19fbf3d8473c49983a199e6cb4f318f0",
"4c9aac447bf732acc97992290aa7a187b967ee2c",
"821c0cafb2aab0f063ef7e313f64313fc81d46cd",
"06a6a5a39193075734a32e0235bde0e979c27228",
"9c3ba38890ed984a25abb6a094b5dbf052f22fa7",
"ca4b6fe0c69472cd3d63b212eb805b7f65710d33",
"0d0f315fd8cf408a483f8e2dd1e69422629ed9fd",
"2a476cfb85fbf012fdbe63a37642c11afa5cf020",
"d7ffd7b588880cf61b603346a3557e7cce648c93",
"94dffa9de5b665dc51bc36e2693b8a3a0a4cc6b8",
"21a942273c14e4b9d3faa58e4de1fd4d5014a1ed",
"7e0790226ea461bcc9ecd4be3c315ace41e1c122",
"f7910d943a013eede24ac89d6388c1b98f8b3717",
"73d9d0139eaf89b7df34ceeb60e5f8c7cd2463bf",
"bd4915b3597942d88f319740a9b803cc51585c4a",
"c68d09dd50e357fd3de17a70b7724f8949441d77",
"813ace987a61af909c053607635489ee984534f4",
"9fbf2195dee991b1e5a727fd51391dcc2d7a4b16",
"07d2a01e1dc94d59d5ca3bdf0c7848553ae91a51",
"3090ecf034337857f786084fb14e63354e271c5d",
"d0662eadbe5ba92acbd3485d8187112543bcfbf5",
"9c0eff4deeb626730ad6a05c85eb138df48372ce")

Search in your proxy logs for the hashes

Payload filenames

  • update.exe // excluded due to FP 
  • [NSIS.nsi]
  • [NSIS].nsi
  • BluetoothService.exe
  • BluetoothService
  • log.dll
  • u.bat
  • conf.c
  • libtcc.dll
  • admin // excluded due to FP
  • loader1
  • uffhxpSy
  • loader2
  • 3yzr31vk
  • ConsoleApplication2.exe
  • system // excluded due to FP
  • s047t5g.exe

KQL

DeviceFileEvents
| where FileName in (
//"update.exe",
"[NSIS.nsi]",
"[NSIS].nsi",
"BluetoothService.exe",
"BluetoothService",
"log.dll",
"u.bat",
"conf.c",
"libtcc.dll",
//"admin",
"loader1",
"uffhxpSy",
"loader2",
"3yzr31vk",
"ConsoleApplication2.exe",
//"system",
"s047t5g.exe")

Splunk sysmon

index=sysmon Image IN (
"*[NSIS.nsi]*",
"*[NSIS].nsi*",
"*NSIS.nsi*",
"*BluetoothService.exe*",
"*BluetoothService*",
"*log.dll*",
"*u.bat*",
"*conf.c*",
"*libtcc.dll*",
"*loader1*",
"*uffhxpSy*",
"*loader2*",
"*3yzr31vk*",
"*ConsoleApplication2.exe*",
"*s047t5g.exe*")

Search for the filenames in your proxy logs and sysmon logs

Network

  • 45.76.155.202
  • 45.77.31.210
  • 59.110.7.32
  • 61.4.102.97
  • 95.179.213.0
  • 124.222.137.114
  • 45.32.144.255
  • 160.250.93.48
  • 103.159.133.178

  • api.skycloudcenter.com
  • 59.110.7.32:8880
  • 124.222.137.114:9999
  • api.wiresguard.com
  • 61.4.102.97
  • 95.179.213.0
  • cdncheck.it.com
  • temp.sh
  • self-dns.it.com
  • safe-dns.it.com
  • cloudtrafficservice.com

Search in your proxy logs for the IPs and domains

Search in your firewall logs for the IPs

KQL

Search known IOCs

DeviceNetworkEvents
| where RemoteIP in ("59.110.7.32","124.222.137.114","61.4.102.97","95.179.213.0","45.76.155.202","45.77.31.210","45.32.144.255","160.250.93.48","103.159.133.178") or RemoteUrl has_any("cdncheck.it.com","self-dns.it.com","safe-dns.it.com","api.wiresguard.com","api.skycloudcenter.com","temp.sh","cloudtrafficservice.com")

Reverse search (baselining): we exclude anything known to be legit and search the remaining events.

DeviceNetworkEvents

| where InitiatingProcessFileName == "GUP.exe" or InitiatingProcessFileName == "gup.exe"
| where ActionType != "ListeningConnectionCreated"
| where RemoteIP !="127.0.0.1"
| where RemoteUrl !in ("https://notepad-plus-plus.org","notepad-plus-plus.org", "release-assets.githubusercontent.com","https://release-assets.githubusercontent.com","https://github.com","github.com")
| where not (InitiatingProcessCommandLine contains "https://notepad-plus-plus.org/update/getDownloadUrl.php" and InitiatingProcessCommandLine contains "https://github.com/notepad-plus-plus/notepad-plus-plus/")


User agents:

"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36",

"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36",

"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36"

Search for it in your proxy logs
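Added example (not code from the original post): a small Python script that applies the IOCs from the sections above (payload SHA256 hashes, C2 domains and IPs, user agents) to proxy log lines. The CSV layout it parses is a constructed stand-in for whatever your proxy exports, so map the columns to your own schema; the indicator values are those listed in this post, with the SHA256 set cut down to three entries that you should extend with the full list.

```python
"""Scan proxy logs for the IOCs listed in this post.

Added example, not code from the original post. The CSV layout
(timestamp,client_ip,dst_ip,url,sha256,user_agent) is a constructed
stand-in for a real proxy export: map the columns to your own schema.
Indicator values come from the lists above; the SHA256 set is
truncated to three entries, extend it with the full list.
"""
import csv
import io
from urllib.parse import urlsplit

BAD_SHA256 = {  # subset of the payload SHA256 list above
    "8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e",
    "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924",
    "77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e",
}
BAD_DOMAINS = {
    "api.skycloudcenter.com", "api.wiresguard.com", "cdncheck.it.com", "temp.sh",
    "self-dns.it.com", "safe-dns.it.com", "cloudtrafficservice.com",
}
BAD_IPS = {
    "45.76.155.202", "45.77.31.210", "59.110.7.32", "61.4.102.97", "95.179.213.0",
    "124.222.137.114", "45.32.144.255", "160.250.93.48", "103.159.133.178",
}
BAD_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4472.114 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36",
}


def host_matches(host, domains):
    """True when host is an IOC domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def match_record(rec):
    """Return the indicator types a single proxy record matches (empty = clean)."""
    hits = []
    host = (urlsplit(rec["url"]).hostname or "").lower()  # hostname drops any :port
    if rec["sha256"].lower() in BAD_SHA256:
        hits.append("sha256")
    if host_matches(host, BAD_DOMAINS) or host in BAD_IPS:
        hits.append("url")
    if rec["dst_ip"] in BAD_IPS:
        hits.append("dst_ip")
    if rec["user_agent"] in BAD_USER_AGENTS:
        hits.append("user_agent")
    return hits


def scan(log_text):
    """Parse CSV proxy log text; return (line_no, record, hits) for each match."""
    findings = []
    for line_no, rec in enumerate(csv.DictReader(io.StringIO(log_text)), start=2):
        hits = match_record(rec)
        if hits:
            findings.append((line_no, rec, hits))
    return findings


# Constructed sample log: lines 2-3 are benign, lines 4-6 should each match.
SAMPLE_LOG = """timestamp,client_ip,dst_ip,url,sha256,user_agent
2025-07-01T08:00:01Z,10.0.0.5,203.0.113.1,https://github.com/notepad-plus-plus/notepad-plus-plus/releases/,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0.0.0"
2025-07-01T08:00:02Z,10.0.0.5,203.0.113.2,https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.7.8,,WinGup-sample
2025-07-01T08:00:09Z,10.0.0.5,59.110.7.32,http://59.110.7.32:8880/update.exe,8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e,WinGup-sample
2025-07-02T12:30:00Z,10.0.0.9,203.0.113.3,https://api.skycloudcenter.com/beacon,,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.4044.92 Safari/537.36"
2025-07-03T09:15:00Z,10.0.0.9,203.0.113.4,https://cdn.cloudtrafficservice.com/assets/a.js,,"Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
"""

if __name__ == "__main__":
    for line_no, rec, hits in scan(SAMPLE_LOG):
        print(f"line {line_no}: {rec['client_ip']} -> {rec['url']}  matched {hits}")
```

Domains are matched as suffixes so that a subdomain of a C2 domain is caught, while IPs and hashes are matched exactly; a request whose host is one of the IOC IPs is reported both as a URL hit and, when the proxy logged the same destination, as a dst_ip hit.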

Paths

- C:\ProgramData\USOShared\
- %APPDATA%\Roaming\Bluetooth\
- %appdata%\ProShow\load
- %APPDATA%\%Adobe\Scripts\script.exe

For USOShared, the artifacts found are:

- C:\ProgramData\USOShared\svchost.exe-nostdlib -run
- C:\ProgramData\USOShared\conf.c

KQL

Search for file events matching the suspicious folder paths:

DeviceFileEvents
| where FolderPath contains "C:\\ProgramData\\USOShared" or ((FolderPath contains "appdata" or FolderPath contains "APPDATA") and (FolderPath contains "\\Roaming\\Bluetooth" or FolderPath contains "ProShow")) or FolderPath contains "Adobe\\Scripts\\script.exe"


Search for process events matching the suspicious folder paths:

DeviceProcessEvents
| where FolderPath contains "C:\\ProgramData\\USOShared" or ((FolderPath contains "appdata" or FolderPath contains "APPDATA") and (FolderPath contains "\\Roaming\\Bluetooth" or FolderPath contains "ProShow")) or FolderPath contains "Adobe\\Scripts\\script.exe"

Splunk

index=sysmon EventCode=1
(Image="*\\ProgramData\\USOShared\\*"
 OR Image="*\\AppData\\Roaming\\Bluetooth\\*"
 OR Image="*\\AppData\\Roaming\\ProShow\\load\\*"
 OR CommandLine="*\\ProgramData\\USOShared\\*"
 OR CommandLine="*\\AppData\\Roaming\\Bluetooth\\*"
 OR CommandLine="*\\AppData\\Roaming\\ProShow\\load\\*"
 OR CommandLine="*\\Adobe\\Scripts\\script.exe*"
) AND NOT CommandLine="\"C:\\Windows\\system32\\Robocopy.exe\" C:\\ProgramData\\USOShared\\Logs*"
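Added example (not code from the original post): the same path patterns, filename list and Robocopy false-positive exclusion as the KQL/Splunk queries above, applied in Python to constructed Sysmon-style process-creation records so the logic can be tested offline. The field names (Image, CommandLine, ParentImage) follow Sysmon EventCode 1; the sample events are constructed, including the `svchost.exe -nostdlib -run` command line, which is modelled on the USOShared artifact listed above rather than copied from a real host.

```python
"""Flag endpoint process events that touch the paths or filenames above.

Added example, not code from the original post. Applies the post's path
patterns, filename list and Robocopy false-positive exclusion to
constructed Sysmon-style records (Image, CommandLine, ParentImage).
"""
import fnmatch
import os

# Label -> glob matched (case-insensitively) against the image path and the command line.
SUSPICIOUS_DIRS = {
    "usoshared": r"*\ProgramData\USOShared\*",
    "roaming_bluetooth": r"*\AppData\Roaming\Bluetooth\*",
    "proshow_load": r"*\AppData\Roaming\ProShow\load\*",
    "adobe_script": r"*\Adobe\Scripts\script.exe*",
}
# Filenames from the post; update.exe, admin and system are left out as too noisy, as in the post.
SUSPICIOUS_NAMES = {
    "[nsis.nsi]", "[nsis].nsi", "bluetoothservice.exe", "bluetoothservice", "log.dll",
    "u.bat", "conf.c", "libtcc.dll", "loader1", "uffhxpsy", "loader2", "3yzr31vk",
    "consoleapplication2.exe", "s047t5g.exe",
}
# Windows Update Orchestrator copies its logs out of USOShared; the Splunk query excludes it.
ROBOCOPY_FP_PREFIX = r'"c:\windows\system32\robocopy.exe" c:\programdata\usoshared\logs'


def _basename(path):
    """Last path component, tolerant of quotes and Windows separators."""
    return os.path.basename(path.strip('"').replace("\\", "/")).lower()


def is_known_false_positive(ev):
    return ev.get("CommandLine", "").lower().startswith(ROBOCOPY_FP_PREFIX)


def classify(ev):
    """Return the reasons an event is suspicious; an empty list means no hit."""
    if is_known_false_positive(ev):
        return []
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    reasons = []
    for label, pattern in SUSPICIOUS_DIRS.items():
        pat = pattern.lower()
        if fnmatch.fnmatchcase(image, pat) or fnmatch.fnmatchcase(cmd, pat):
            reasons.append("path:" + label)
            break
    # Filenames: the image itself plus every path-looking token of the command line,
    # so a script launched through cmd.exe is still caught by its name.
    names = {_basename(image)} | {_basename(tok) for tok in cmd.split()}
    reasons.extend("name:" + n for n in sorted(names & SUSPICIOUS_NAMES))
    return reasons


# Constructed sample events (Sysmon EventCode 1 style); none are from a real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\USOShared\svchost.exe", "CommandLine": "svchost.exe -nostdlib -run",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r'"C:\Windows\system32\Robocopy.exe" C:\ProgramData\USOShared\Logs D:\Archive /E',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Users\bob\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "CommandLine": r'"C:\Users\bob\AppData\Roaming\Bluetooth\BluetoothService.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": r'"C:\Program Files\Notepad++\notepad++.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\Temp\update.exe", "CommandLine": "update.exe /silent",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c C:\Users\bob\AppData\Local\Temp\u.bat",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or "clean", "<-", ev["Image"])
```

The Robocopy exclusion is checked first, exactly as the `AND NOT` clause does in the Splunk query, so a housekeeping copy out of `USOShared\Logs` is dropped even though its command line contains the USOShared path; anything else under the listed directories, or carrying one of the listed filenames in its image or command line, is reported with the rule that fired.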

Processes

search for suspicious connections from gup.exe

KQL

DeviceNetworkEvents
| where InitiatingProcessFileName == "GUP.exe" or InitiatingProcessFileName == "gup.exe"
| where ActionType != "ListeningConnectionCreated"
| where RemoteIP !="127.0.0.1"
| where RemoteUrl !in ("https://notepad-plus-plus.org","notepad-plus-plus.org", "release-assets.githubusercontent.com","https://release-assets.githubusercontent.com","https://github.com","github.com")
| where not (InitiatingProcessCommandLine contains "https://notepad-plus-plus.org/update/getDownloadUrl.php" and InitiatingProcessCommandLine contains "https://github.com/notepad-plus-plus/notepad-plus-plus/")

Splunk

List outbound connections from the process `gup.exe` responsible for the update, from sysmon:

index=sysmon EventCode=3 "*\\Notepad++\\updater\\GUP.exe" dst_ip!="127.0.0.1" | stats count by dst_ip

List all domains contacted by gup.exe

KQL 

DeviceNetworkEvents
| where InitiatingProcessFolderPath endswith "\\gup.exe"
| where isnotempty(RemoteUrl)
| summarize count() by RemoteUrl


Search for suspicious processes created by gup.exe

Searching in whitelist mode (exclude known legit executables, keep anything else)

KQL

DeviceProcessEvents
| where InitiatingProcessCommandLine startswith '"gup.exe"'
| where SHA256 !in ("95049a673d2e498077046714a0723791826daa5f97b4914ceb621afea4137a68",
"73c5902a9eace229d519ec6362dbb8e39b44ffc9078584f535671be6d368981f",
"8e22725756fa567c86170d3601228bbe623b9c5b0c4846c546318efd2ac8a6e3",
"76e63d28e91d3aa176e49b89d8d862a45260c55ebf606eba741b6eb85d6a7b6b",
"72ea3fa91e6bde264be6dfff75a30f15cb0fc43d9884ed4491b16ea4a3a37d9d",
"a14919060ef3cfe9d451a515f9780c1b9101ead1cede6d61ca241e970ac164d2",
"4d313e1903c594d66214d749b5b9dbf1c454180e14bccf9b9c565f55e4c1d1ae",
"017100b1694d55b950f2236746093c20fdb6006a0b691c88ae0f21f351c081c3",
"0ba83b48a3461e5ae22830e900835407ab452107732ab9be7b1e4f134d643522",
"f2d53031fc3039015aa7c34298298b638e96877390d600f31ef7569ee98319a3",
"b82530d4af21c7fcceda0c5dcea81aacbaeefdfd7aca7119045f8db376614bf0",
"9e5166e2f954e1b25116893862971dd4ad95fa78026f9f1829e01e1fd0cca7c8",
"2de4dda71d00730844974774c2c64ccc7caa57a35de4eec3d82abdf7e506c8d2",
"ef4824323c499c133f3a4397c146954c398d0b381eff86f4559dd579d070b266",
"71431fa7b66f8132453e18e3a5f8ef0af3ca079a7793f828df06fdb5d7bd915d",
"2dd5473736ef51e4340cae005e3fc8cdf0e42ec649bc6ed186484a79be409928",
"95e0884b5189c40e0e683a402a5fcfa19cad69bad68ebff545a0f2043c655ea6",
"7c0e2bf947100fdae4c8b199b0f9eceae852b74d2cd3447d55f10315201bc773",
"9efbbc9a75ea2db490103f9cdaed8ab2ba886f1d631c06100e92316711be5758",
"97beb2cd8214f08a030aee0d5afcd410162d99673619bdf22012766bfeff2cc6",
"a5767dc1924e3252d8044221f7e0979588b331e62ac28c22a799b528dc353bc2",
"277ebcbe690e868a050784be127178e6cf5e9dbb181731f2b92dfdbcfd42ca20",
"4ecd2ab6285066d5158f60c8ca3d99b3817bd66dc394c3f51b20d0a232b5af65",
"f86ac130feb3c63659c8ae113f51c0cda74338732999386f82b095f9e1f95906",
"4db7d6ae535eb6315e1005137344664cab341555ada9b073644bdea53070e628",
"2755917bc52bde476305cd442f91a8e3966e4d199d3b2b584211c4ff674e2c7b",
"e163697b981c317982c2633872259004bb33df6d08f7561dac3832e05ca9e36c",
"a19aa1cd7ecb9ca3f1fd0e118fffd0d673fba404ced8c39c2e210a63b70f9c15",
"e22abc9af328d063e652f0829819124a6a748c224bc8b10f98473f87cda2c0cd",
"0f8baaf17a067fedac75cac6dfebec35b45bf392a7569c413d6007e73d830059",
"7539c3006438fd251dc022d3c56bfc7fdc0e022cbc19e932d3cc072516db6da7",
"8588631118f8e613bf09029f08592102bd7d1b4b0444916c735c70b157a34ce7",
"1c13c9efb697320aab6b33cf6884e8509a19d976c92ff2505fab87ca775be073",
"1b525bacf4965e39694459c6ba209da41d0176d14da72530e1e362fa445a33a5",
"218897b54072d18f6f75c856039f8b1dd095809688bf1d7d39977154940330f4",
"e2c84b3a0f0e700a7acc651210680c1e5033a5046082220a321ec69222edc7dc",
"51454878c3c3bece8e8f77ef2d88e750c18a74e47f5784180167bb1f50f55329",
"b8bc370b76653c194caf32450056030be580b9fa97348fb31b2e2e61ee8d2393",
"3095c6601e0a6f1eacb5828cc1489bf15bc6acb4de5c9ea651a78e16911ce175",
"337bef6f2d6473062afef3c3c027a24887278fbe2753c0964efb692518264e2a",
"61c3077b989e272117167c90fc35e7f06bea4f992f3395b40ccee083d7258082",
"49d2531893b09cb6a8e3429ca0a734e871a2d96fa2575c0eec3229d383fa233a",
"4824db4c50bdc0dcca2db4fca67aa3e7235060fb794761ea143c21e1136ef63c",
"88405138ea0afcd92f372ef2342761b79506589249432ef2bed42d539a99a670",
"eff5b83aa6af84d6f3fec8ce942805ec3e1e049cde5f04bc0fdaed27d2a0e5e2",
"1ef313b6520b7b207e51ee5d7b0a85e4e71241bad7d7800ab52cd8084f5cda47",
"0657588bdd69bac2ea420aa3147f0b6079d5e9728b6f5d972796c312264f51bb",
"f05411befd0aa4ba5f8362ceb4a1d6466c012f3329b1ec16bdc5a5a7d6b24f23",
"70a5ddb9edb8e87f469bfd6933867ae7820594dde7fe7eab682c81b1cbfd699d",
"92c017802cd6918b0c3f3de1feeb8790e559978ca817b699f446c8464b3c962f",
"2c80ad3d6d9f77c87e1243526a7907fb244aae45fa87f6bffaadbc7c0563a24b",
"8c9f5521774fe22b695df52b0d22c2dd06f5cdd68bad9f826058b038bf612f4c",
"32aa12d3c9521477a5a1e086e400ec0f77f8a97a8190806a0f1953688b883cfb",
"8117c82a3821965d92ee3f9f3ae10efcd602bd4b6e52a2fe957d70aafe479744",
"79a3922dd444c6e10542d7cc42633baf51f8900f989d38df8661760ccbc9a2ab",
"d2e5536c2f78327181caed22ee3cb4bbd4722f2b8b4e0576c1dbcc2fed4649b4",
"0d3334121e3d531f473ee66eff759e6be5851a91e269650b1fe4fc21665a70a1",
"c2bc87f6d37f02ebef0cbdfc2ebcd355ad1a3d14edebe795b4318897cf8751cc",
"e21071fa2823c92f83d6e4a3cca164b47c3aa43213baa1accc17a460484e0aee",
"850dd98eb813934b05b12f2a27e66c4776059f97175f36691c35624bfd58464c",
"1640a5dd716052821b990faaee1df720a4c6f982fda3860e792b341d5917c352",
"cd4a9f4162c01ef8ceb4f7cc0405d427657f87f6115eab2e1186c6f7d27e3a33",
"97f92119fe0decae3754fe442f296f51205909e37c4677ee2458d31e35dbbd38",
"9e3d7a56c194cd1a1de22cfc3b1cc6893edc3e00657c6249e973b692bea970fd",
"05abc57952974d08feafa399d6fdb37945a3fd0a10f37833dd837a5788e421d5",
"c6d1e5aacbf69aa18df4caf1346fd69638491a5ad0085729bae91c662d1c62bb",
"374b9e6548a574c9dd6b5a8bea50b14f1e26fea9aec28f60c3700e5a4c2bcfe1",
"cf2390328d7c8c7089bd8436d8a8a8d2c7a79893e9af4e260d86cb2c77df3875",
"0d08f428ac33235f6f8b694b9c9967023f222a22542e2a5c9ffc2a595f3f9a4a",
"4c39fb2fda14a1babccac65513d3ef3d919c29d9f8a40fd285e76283becd51f3",
"97b7c8c37a4daff1c87956b614de44a57fd12bee9a2b3c889e6dee216444d454",
"e49625d1b030d952af4b5bff84d87d7eee0f0da054082432b7a30801cc7a2421",
"591f2fb7e48ffbc0e3bb781c2a3fde7632fded09faf5c1084e3d74634335189f",
"372bd3a9b15566af7793df86212a5c213739bd57e1b09ab007a1e00ce4de555b",
"a08a9e4d6a3610f11f1961c4c07bd0ad85b04a47aa46d96b684ac5d2a63237f5",
"45ccf07041b98ee6516a205f87ac2ca571da147ff0541e05edca1c2decda1cd9",
"179613870a9ffc646b77918701481c8ffdae1c82e06cbc7ea7d42af3d1c9e5e2",
"49852273a3e98ad1266a5bb7cd056e1154cc6d14e7c2a6e308ae95f355ca10cf",
"653766823529776e8b4ceee051a8a987f700de62767bd34b4a6709991b019644",
"26e480873fc2bdf39eaedf936bcaae75430089d802381abad2589060c0ef703d",
"ae1875370fc357e9db15807c12ae78a5dcfffd5e0416f2db10ff29036069d85a",
"6a12436a1923df22aa5281169d27f04d4453042bef1641eb301a0845d570cf22",
"f7e142f0be7bb15801078311629b265f72e96942a9891e398ce3fd1ead841c63",
"cd1e3863452cb6ce28749d9f0c18eb258672ba625571e0e7bb20088947988b36",
"6c999c2b2e2dd99886bb390ea463d0bf758a343ddd416e9097f265786031a881",
"5506079a5b372524f72a31ed6df807fe866681262cc8084965d092b02cd72945",
"03d154b8aaa8c51883d03c9a4e530412ee9669ab9efa761a1739603ae755c8d3",
"5c310edfff1c6beb117f173cb59e27a6f589aaecbb6dd5312d5f6f69877a44f9",
"e1df78704001bba1a3d343f62a1242a4484ff6ad269170714263c03b802eb0b1",
"7094a07167648628e47249a16d9d6db922e5aa1255ac4322a2e4900d233372dd",
"2a480885cea729fc3a9b2e7ff28945b0570da6ad59a4046159bda9be76a8e453",
"1976a4f473ca8025572652542c28ec80226d503c6fc5187e31ee826f9947bff1",
"bbe1761c26529cff1bf82a8b50e19c309cd2629fea568605733755e03660f6c8",
"099e160fc980b693d0f8178ae079d80173876c36285f064b1c67c25988c81ea9",
"47e6dc4b4362cc727a1a89a021d3529dbcb9c6645fa6c3af3b5d88d2187bcb6e",
"fb006e93b68815fa06d55eb65370cb819cc9281403ff53bf879c3335bc2582ce",
"8d9f7962ed248b61de44d6b45f2954b02742744456ca6faea843dd2ed461e57e",
"8f4541f624d078175977b96d049e4591afdd9defd4227d594c9a1fdb73ead421",
"ecaea0b9a8a99d6a8d60f4010b7a52aa29a70ac963399db1106978161e03b242",
"85ea19609edb04ba320380fe81cde1e236a495633ba72c74734022d96efc8e1c",
"69020ccd2dae9cc6c613460f41884a29d4c7bf21cc55e09a559cb4afdea47e0c",
"06c42ea6edbbc2c1ffa74d5c3355ced51616896f41aee66372bfb55eb54ae68f",
"e800e62c4eae095d47259111e953c618f09fe69fa4584db63ea220e095900c0a",
"e3ead074b4052966f98f6d95291dd86dd877bd1b5a94aacdd384b499a89e3127",
"88c77fe2cac787de88ac6d0bbf39c529303c9d8982bdbfb72db6a08a400203fe",
"dd03354d4fe0ea2136bbb0bfa256198e44d68d68f82f015d44cd9072483c8bfa",
"19c4bf99be07a08365888c78fee938524fba35337c661c25bec5b2150d4b46b1",
"02914d44dbec415178cf51ddbe7997b681bd976949c0ddb5bce5c85113cd348d",
"b297bac59da6c814ee6f950597041bbaba6a7e2943396bc1c7c4e90e8d0cb4db",
"f52767b8082b0ce6600eec1a36e9157c346fcf60c16cee059d18f30bf56dc17e",
"96d39a00d8264ba652a519063313cf3f9f3a1e6cb99f74c7e9c3cecd9ffae989",
"3e1b4bf90d1a12fe7743784fdf79136a41ed3cf5d74283512e6de71eff21b8bd")
| project-reorder Timestamp, DeviceName, ActionType, FileName, FolderPath, ProcessCommandLine

Splunk 

index=sysmon EventCode=1 ParentImage="*\\Notepad++\\updater\\GUP.exe" NOT (Image="*\\npp.*Installer.exe" OR Image="*\\npp.*Installer.x64.exe")
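Added example (not code from the original post): the whitelist-mode logic of the gup.exe queries above (network baselining, then child processes filtered against the known-good hash allow-list and the installer name pattern of the Splunk search) written in Python against constructed Defender-style records, so the filters can be checked offline before they are run against 30 days of hot data. Field names follow DeviceNetworkEvents and DeviceProcessEvents; the known update hosts and command-line markers are those from the KQL above, the allow-list is cut down to two hashes, and the `"gup.exe" -v8.7.8` launch command line is an assumption, not an observed value.

```python
"""Whitelist-mode hunting around gup.exe, the Notepad++ updater.

Added example, not code from the original post. Reproduces the exclusion
logic of the KQL/Splunk queries above on constructed Defender-style
records; the allow-list is truncated to two hashes, extend it.
"""
import re
from urllib.parse import urlsplit

KNOWN_UPDATE_HOSTS = {"notepad-plus-plus.org", "release-assets.githubusercontent.com", "github.com"}
LEGIT_LAUNCH_MARKERS = ("https://notepad-plus-plus.org/update/getDownloadUrl.php",
                        "https://github.com/notepad-plus-plus/notepad-plus-plus/")
KNOWN_GOOD_SHA256 = {  # subset of the allow-list above
    "95049a673d2e498077046714a0723791826daa5f97b4914ceb621afea4137a68",
    "73c5902a9eace229d519ec6362dbb8e39b44ffc9078584f535671be6d368981f",
}
INSTALLER_NAME = re.compile(r"^npp\..*Installer(\.x64)?\.exe$", re.IGNORECASE)


def remote_host(ev):
    """Hostname of RemoteUrl, which may be recorded with or without a scheme."""
    url = ev.get("RemoteUrl") or ""
    if url and "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def unexpected_connections(events, exclude_legit_launch=True):
    """Connections initiated by gup.exe that survive the post's exclusions."""
    out = []
    for ev in events:
        if ev.get("InitiatingProcessFileName", "").lower() != "gup.exe":
            continue
        if ev.get("ActionType") == "ListeningConnectionCreated" or ev.get("RemoteIP") == "127.0.0.1":
            continue
        if remote_host(ev) in KNOWN_UPDATE_HOSTS:
            continue
        cmd = ev.get("InitiatingProcessCommandLine", "")
        # Last stage of the KQL: drop events whose launch command line carries both legit URLs.
        if exclude_legit_launch and all(m in cmd for m in LEGIT_LAUNCH_MARKERS):
            continue
        out.append(ev)
    return out


def unexpected_children(events):
    """(FileName, tag) for processes spawned by gup.exe whose hash is not allow-listed."""
    out = []
    for ev in events:
        if not ev.get("InitiatingProcessCommandLine", "").startswith('"gup.exe"'):
            continue
        if ev.get("SHA256", "").lower() in KNOWN_GOOD_SHA256:
            continue
        name = ev.get("FileName", "")
        tag = "installer-name-unknown-hash" if INSTALLER_NAME.match(name) else "unknown-hash"
        out.append((name, tag))
    return out


# Constructed samples. GUP_CMD is an assumed launch command line, not an observed one.
GUP_CMD = '"gup.exe" -v8.7.8'
LEGIT_GUP_CMD = GUP_CMD + " " + " ".join(LEGIT_LAUNCH_MARKERS)


def _net(name, action, ip, url, cmd=GUP_CMD):
    return {"InitiatingProcessFileName": name, "ActionType": action, "RemoteIP": ip,
            "RemoteUrl": url, "InitiatingProcessCommandLine": cmd}


NET_EVENTS = [
    _net("gup.exe", "ConnectionSuccess", "203.0.113.1", "https://notepad-plus-plus.org/update/getDownloadUrl.php"),
    _net("gup.exe", "ConnectionSuccess", "203.0.113.2", "release-assets.githubusercontent.com"),
    _net("GUP.exe", "ListeningConnectionCreated", "", ""),
    _net("gup.exe", "ConnectionSuccess", "127.0.0.1", ""),
    _net("gup.exe", "ConnectionSuccess", "59.110.7.32", "http://59.110.7.32:8880/update.exe"),
    _net("gup.exe", "ConnectionSuccess", "203.0.113.9", "https://cdncheck.it.com/check", LEGIT_GUP_CMD),
    _net("notepad++.exe", "ConnectionSuccess", "203.0.113.9", "https://cdncheck.it.com/check", "notepad++.exe"),
]
PROC_EVENTS = [
    {"InitiatingProcessCommandLine": GUP_CMD, "FileName": "npp.8.7.8.Installer.x64.exe",
     "SHA256": "95049a673d2e498077046714a0723791826daa5f97b4914ceb621afea4137a68"},
    {"InitiatingProcessCommandLine": GUP_CMD, "FileName": "npp.8.7.8.Installer.exe",
     "SHA256": "00" * 32},  # constructed: installer name, unknown hash
    {"InitiatingProcessCommandLine": GUP_CMD, "FileName": "update.exe",
     "SHA256": "8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e"},
    {"InitiatingProcessCommandLine": '"notepad++.exe"', "FileName": "gup.exe", "SHA256": "11" * 32},
]

if __name__ == "__main__":
    for ev in unexpected_connections(NET_EVENTS):
        print("gup.exe ->", ev["RemoteIP"], ev["RemoteUrl"])
    for name, tag in unexpected_children(PROC_EVENTS):
        print("child:", name, tag)
```

The `exclude_legit_launch` flag exists because the last `where not` stage of the KQL keys on how gup.exe was launched rather than on where it connected: with the flag off, the sample connection to cdncheck.it.com survives even though the launch command line carried both legit URLs. For child processes the hash allow-list decides, and a file that carries the installer name pattern of the Splunk query but an unknown hash is tagged separately rather than trusted on its name.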

Search for processes created by gup.exe

KQL 

DeviceProcessEvents
| where InitiatingProcessFolderPath endswith "\\gup.exe"
| where InitiatingProcessVersionInfoFileDescription == "WinGup for Notepad++"
| summarize count() by ProcessCommandLine

Search for suspicious files created by gup.exe

Search for all files, except known legit ones (whitelist mode)

KQL 

DeviceFileEvents
| where InitiatingProcessCommandLine startswith '"gup.exe"'
| where SHA256 !in ("95049a673d2e498077046714a0723791826daa5f97b4914ceb621afea4137a68",
"73c5902a9eace229d519ec6362dbb8e39b44ffc9078584f535671be6d368981f",
"8e22725756fa567c86170d3601228bbe623b9c5b0c4846c546318efd2ac8a6e3",
"76e63d28e91d3aa176e49b89d8d862a45260c55ebf606eba741b6eb85d6a7b6b",
"72ea3fa91e6bde264be6dfff75a30f15cb0fc43d9884ed4491b16ea4a3a37d9d",
"a14919060ef3cfe9d451a515f9780c1b9101ead1cede6d61ca241e970ac164d2",
"4d313e1903c594d66214d749b5b9dbf1c454180e14bccf9b9c565f55e4c1d1ae",
"017100b1694d55b950f2236746093c20fdb6006a0b691c88ae0f21f351c081c3",
"0ba83b48a3461e5ae22830e900835407ab452107732ab9be7b1e4f134d643522",
"f2d53031fc3039015aa7c34298298b638e96877390d600f31ef7569ee98319a3",
"b82530d4af21c7fcceda0c5dcea81aacbaeefdfd7aca7119045f8db376614bf0",
"9e5166e2f954e1b25116893862971dd4ad95fa78026f9f1829e01e1fd0cca7c8",
"2de4dda71d00730844974774c2c64ccc7caa57a35de4eec3d82abdf7e506c8d2",
"ef4824323c499c133f3a4397c146954c398d0b381eff86f4559dd579d070b266",
"71431fa7b66f8132453e18e3a5f8ef0af3ca079a7793f828df06fdb5d7bd915d",
"2dd5473736ef51e4340cae005e3fc8cdf0e42ec649bc6ed186484a79be409928",
"95e0884b5189c40e0e683a402a5fcfa19cad69bad68ebff545a0f2043c655ea6",
"7c0e2bf947100fdae4c8b199b0f9eceae852b74d2cd3447d55f10315201bc773",
"9efbbc9a75ea2db490103f9cdaed8ab2ba886f1d631c06100e92316711be5758",
"97beb2cd8214f08a030aee0d5afcd410162d99673619bdf22012766bfeff2cc6",
"a5767dc1924e3252d8044221f7e0979588b331e62ac28c22a799b528dc353bc2",
"277ebcbe690e868a050784be127178e6cf5e9dbb181731f2b92dfdbcfd42ca20",
"4ecd2ab6285066d5158f60c8ca3d99b3817bd66dc394c3f51b20d0a232b5af65",
"f86ac130feb3c63659c8ae113f51c0cda74338732999386f82b095f9e1f95906",
"4db7d6ae535eb6315e1005137344664cab341555ada9b073644bdea53070e628",
"2755917bc52bde476305cd442f91a8e3966e4d199d3b2b584211c4ff674e2c7b",
"e163697b981c317982c2633872259004bb33df6d08f7561dac3832e05ca9e36c",
"a19aa1cd7ecb9ca3f1fd0e118fffd0d673fba404ced8c39c2e210a63b70f9c15",
"e22abc9af328d063e652f0829819124a6a748c224bc8b10f98473f87cda2c0cd",
"0f8baaf17a067fedac75cac6dfebec35b45bf392a7569c413d6007e73d830059",
"7539c3006438fd251dc022d3c56bfc7fdc0e022cbc19e932d3cc072516db6da7",
"8588631118f8e613bf09029f08592102bd7d1b4b0444916c735c70b157a34ce7",
"1c13c9efb697320aab6b33cf6884e8509a19d976c92ff2505fab87ca775be073",
"1b525bacf4965e39694459c6ba209da41d0176d14da72530e1e362fa445a33a5",
"218897b54072d18f6f75c856039f8b1dd095809688bf1d7d39977154940330f4",
"e2c84b3a0f0e700a7acc651210680c1e5033a5046082220a321ec69222edc7dc",
"51454878c3c3bece8e8f77ef2d88e750c18a74e47f5784180167bb1f50f55329",
"b8bc370b76653c194caf32450056030be580b9fa97348fb31b2e2e61ee8d2393",
"3095c6601e0a6f1eacb5828cc1489bf15bc6acb4de5c9ea651a78e16911ce175",
"337bef6f2d6473062afef3c3c027a24887278fbe2753c0964efb692518264e2a",
"61c3077b989e272117167c90fc35e7f06bea4f992f3395b40ccee083d7258082",
"49d2531893b09cb6a8e3429ca0a734e871a2d96fa2575c0eec3229d383fa233a",
"4824db4c50bdc0dcca2db4fca67aa3e7235060fb794761ea143c21e1136ef63c",
"88405138ea0afcd92f372ef2342761b79506589249432ef2bed42d539a99a670",
"eff5b83aa6af84d6f3fec8ce942805ec3e1e049cde5f04bc0fdaed27d2a0e5e2",
"1ef313b6520b7b207e51ee5d7b0a85e4e71241bad7d7800ab52cd8084f5cda47",
"0657588bdd69bac2ea420aa3147f0b6079d5e9728b6f5d972796c312264f51bb",
"f05411befd0aa4ba5f8362ceb4a1d6466c012f3329b1ec16bdc5a5a7d6b24f23",
"70a5ddb9edb8e87f469bfd6933867ae7820594dde7fe7eab682c81b1cbfd699d",
"92c017802cd6918b0c3f3de1feeb8790e559978ca817b699f446c8464b3c962f",
"2c80ad3d6d9f77c87e1243526a7907fb244aae45fa87f6bffaadbc7c0563a24b",
"8c9f5521774fe22b695df52b0d22c2dd06f5cdd68bad9f826058b038bf612f4c",
"32aa12d3c9521477a5a1e086e400ec0f77f8a97a8190806a0f1953688b883cfb",
"8117c82a3821965d92ee3f9f3ae10efcd602bd4b6e52a2fe957d70aafe479744",
"79a3922dd444c6e10542d7cc42633baf51f8900f989d38df8661760ccbc9a2ab",
"d2e5536c2f78327181caed22ee3cb4bbd4722f2b8b4e0576c1dbcc2fed4649b4",
"0d3334121e3d531f473ee66eff759e6be5851a91e269650b1fe4fc21665a70a1",
"c2bc87f6d37f02ebef0cbdfc2ebcd355ad1a3d14edebe795b4318897cf8751cc",
"e21071fa2823c92f83d6e4a3cca164b47c3aa43213baa1accc17a460484e0aee",
"850dd98eb813934b05b12f2a27e66c4776059f97175f36691c35624bfd58464c",
"1640a5dd716052821b990faaee1df720a4c6f982fda3860e792b341d5917c352",
"cd4a9f4162c01ef8ceb4f7cc0405d427657f87f6115eab2e1186c6f7d27e3a33",
"97f92119fe0decae3754fe442f296f51205909e37c4677ee2458d31e35dbbd38",
"9e3d7a56c194cd1a1de22cfc3b1cc6893edc3e00657c6249e973b692bea970fd",
"05abc57952974d08feafa399d6fdb37945a3fd0a10f37833dd837a5788e421d5",
"c6d1e5aacbf69aa18df4caf1346fd69638491a5ad0085729bae91c662d1c62bb",
"374b9e6548a574c9dd6b5a8bea50b14f1e26fea9aec28f60c3700e5a4c2bcfe1",
"cf2390328d7c8c7089bd8436d8a8a8d2c7a79893e9af4e260d86cb2c77df3875",
"0d08f428ac33235f6f8b694b9c9967023f222a22542e2a5c9ffc2a595f3f9a4a",
"4c39fb2fda14a1babccac65513d3ef3d919c29d9f8a40fd285e76283becd51f3",
"97b7c8c37a4daff1c87956b614de44a57fd12bee9a2b3c889e6dee216444d454",
"e49625d1b030d952af4b5bff84d87d7eee0f0da054082432b7a30801cc7a2421",
"591f2fb7e48ffbc0e3bb781c2a3fde7632fded09faf5c1084e3d74634335189f",
"372bd3a9b15566af7793df86212a5c213739bd57e1b09ab007a1e00ce4de555b",
"a08a9e4d6a3610f11f1961c4c07bd0ad85b04a47aa46d96b684ac5d2a63237f5",
"45ccf07041b98ee6516a205f87ac2ca571da147ff0541e05edca1c2decda1cd9",
"179613870a9ffc646b77918701481c8ffdae1c82e06cbc7ea7d42af3d1c9e5e2",
"49852273a3e98ad1266a5bb7cd056e1154cc6d14e7c2a6e308ae95f355ca10cf",
"653766823529776e8b4ceee051a8a987f700de62767bd34b4a6709991b019644",
"26e480873fc2bdf39eaedf936bcaae75430089d802381abad2589060c0ef703d",
"ae1875370fc357e9db15807c12ae78a5dcfffd5e0416f2db10ff29036069d85a",
"6a12436a1923df22aa5281169d27f04d4453042bef1641eb301a0845d570cf22",
"f7e142f0be7bb15801078311629b265f72e96942a9891e398ce3fd1ead841c63",
"cd1e3863452cb6ce28749d9f0c18eb258672ba625571e0e7bb20088947988b36",
"6c999c2b2e2dd99886bb390ea463d0bf758a343ddd416e9097f265786031a881",
"5506079a5b372524f72a31ed6df807fe866681262cc8084965d092b02cd72945",
"03d154b8aaa8c51883d03c9a4e530412ee9669ab9efa761a1739603ae755c8d3",
"5c310edfff1c6beb117f173cb59e27a6f589aaecbb6dd5312d5f6f69877a44f9",
"e1df78704001bba1a3d343f62a1242a4484ff6ad269170714263c03b802eb0b1",
"7094a07167648628e47249a16d9d6db922e5aa1255ac4322a2e4900d233372dd",
"2a480885cea729fc3a9b2e7ff28945b0570da6ad59a4046159bda9be76a8e453",
"1976a4f473ca8025572652542c28ec80226d503c6fc5187e31ee826f9947bff1",
"bbe1761c26529cff1bf82a8b50e19c309cd2629fea568605733755e03660f6c8",
"099e160fc980b693d0f8178ae079d80173876c36285f064b1c67c25988c81ea9",
"47e6dc4b4362cc727a1a89a021d3529dbcb9c6645fa6c3af3b5d88d2187bcb6e",

"fb006e93b68815fa06d55eb65370cb819cc9281403ff53bf879c3335bc2582ce",

"8d9f7962ed248b61de44d6b45f2954b02742744456ca6faea843dd2ed461e57e",

"8f4541f624d078175977b96d049e4591afdd9defd4227d594c9a1fdb73ead421",

"ecaea0b9a8a99d6a8d60f4010b7a52aa29a70ac963399db1106978161e03b242",

"85ea19609edb04ba320380fe81cde1e236a495633ba72c74734022d96efc8e1c",

"69020ccd2dae9cc6c613460f41884a29d4c7bf21cc55e09a559cb4afdea47e0c",

"06c42ea6edbbc2c1ffa74d5c3355ced51616896f41aee66372bfb55eb54ae68f",

"e800e62c4eae095d47259111e953c618f09fe69fa4584db63ea220e095900c0a",

"e3ead074b4052966f98f6d95291dd86dd877bd1b5a94aacdd384b499a89e3127",

"88c77fe2cac787de88ac6d0bbf39c529303c9d8982bdbfb72db6a08a400203fe",

"dd03354d4fe0ea2136bbb0bfa256198e44d68d68f82f015d44cd9072483c8bfa",

"19c4bf99be07a08365888c78fee938524fba35337c661c25bec5b2150d4b46b1",

"02914d44dbec415178cf51ddbe7997b681bd976949c0ddb5bce5c85113cd348d",

"b297bac59da6c814ee6f950597041bbaba6a7e2943396bc1c7c4e90e8d0cb4db",

"f52767b8082b0ce6600eec1a36e9157c346fcf60c16cee059d18f30bf56dc17e",

"96d39a00d8264ba652a519063313cf3f9f3a1e6cb99f74c7e9c3cecd9ffae989",

"3e1b4bf90d1a12fe7743784fdf79136a41ed3cf5d74283512e6de71eff21b8bd")

| project-reorder Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessCommandLine

Search for files created by gup.exe

DeviceFileEvents

| where ActionType == "FileCreated"

| where InitiatingProcessFolderPath endswith @"\gup.exe"


Antivirus logs related to gup.exe

KQL 

DeviceEvents

| where FileName =~ "GUP.exe" or InitiatingProcessFileName =~ "gup.exe"

| where ActionType == "AppControlExecutableBlocked" or ActionType == "AntivirusReport"
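To replay the same three hunts offline over an export of endpoint events (for instance once the Defender retention window has closed and the data only survives as a SIEM or CSV/JSON export), here is an added Python example; it is not part of the original post. It applies the conditions of the three KQL queries above to JSON-lines records. The event records are constructed for the example, the IOC hashes are a subset of the list above, and the column names follow the Defender tables named in the queries. It also normalises case on purpose: a KQL `in` comparison on SHA256 is case-sensitive, while `=~` and `endswith` are not, so an export with upper-case hashes would silently miss hits if compared raw.

```python
"""Offline replay of the three hunting queries above over exported
endpoint events (one JSON object per line). Sample events are constructed
for this example; IOC hashes are a subset of the list published above."""
import json

# Subset of the SHA256 IOC list above, normalised to lower case.
IOC_SHA256 = {
    "b8bc370b76653c194caf32450056030be580b9fa97348fb31b2e2e61ee8d2393",
    "3095c6601e0a6f1eacb5828cc1489bf15bc6acb4de5c9ea651a78e16911ce175",
    "3e1b4bf90d1a12fe7743784fdf79136a41ed3cf5d74283512e6de71eff21b8bd",
}

# Constructed sample export mimicking DeviceFileEvents / DeviceEvents columns.
# Hostnames, paths and the file names are placeholders, not real telemetry.
SAMPLE_EVENTS = r"""
{"Timestamp":"2025-09-12T08:01:10Z","DeviceName":"ws01","Table":"DeviceFileEvents","ActionType":"FileCreated","FileName":"npp-update-sample.exe","FolderPath":"C:\\Users\\alice\\AppData\\Local\\Temp\\npp-update-sample.exe","SHA256":"B8BC370B76653C194CAF32450056030BE580B9FA97348FB31B2E2E61EE8D2393","InitiatingProcessFileName":"GUP.exe","InitiatingProcessFolderPath":"c:\\program files\\notepad++\\updater\\GUP.exe","InitiatingProcessCommandLine":"GUP.exe"}
{"Timestamp":"2025-09-12T08:01:11Z","DeviceName":"ws01","Table":"DeviceFileEvents","ActionType":"FileCreated","FileName":"readme.txt","FolderPath":"C:\\Users\\alice\\Documents\\readme.txt","SHA256":"0000000000000000000000000000000000000000000000000000000000000000","InitiatingProcessFileName":"notepad++.exe","InitiatingProcessFolderPath":"C:\\Program Files\\Notepad++\\notepad++.exe","InitiatingProcessCommandLine":"notepad++.exe"}
{"Timestamp":"2025-09-12T08:02:00Z","DeviceName":"ws02","Table":"DeviceEvents","ActionType":"AntivirusReport","FileName":"gup.exe","FolderPath":"C:\\Program Files\\Notepad++\\updater\\gup.exe","SHA256":"","InitiatingProcessFileName":"explorer.exe","InitiatingProcessFolderPath":"C:\\Windows\\explorer.exe","InitiatingProcessCommandLine":"explorer.exe"}
{"Timestamp":"2025-09-12T08:03:00Z","DeviceName":"ws03","Table":"DeviceFileEvents","ActionType":"FileModified","FileName":"x.dll","FolderPath":"C:\\Temp\\x.dll","SHA256":"3e1b4bf90d1a12fe7743784fdf79136a41ed3cf5d74283512e6de71eff21b8bd","InitiatingProcessFileName":"rundll32.exe","InitiatingProcessFolderPath":"C:\\Windows\\System32\\rundll32.exe","InitiatingProcessCommandLine":"rundll32.exe x.dll"}
"""


def hash_hit(ev):
    # Equivalent of: | where SHA256 in (...)
    # KQL `in` is case-sensitive; exports sometimes carry upper-case hashes,
    # so compare on a lower-cased value to avoid silent misses.
    return ev.get("SHA256", "").lower() in IOC_SHA256


def created_by_gup(ev):
    # DeviceFileEvents | where ActionType == "FileCreated"
    #                  | where InitiatingProcessFolderPath endswith @"\gup.exe"
    # KQL `endswith` is case-insensitive, so lower-case the path here too.
    return (ev.get("Table") == "DeviceFileEvents"
            and ev.get("ActionType") == "FileCreated"
            and ev.get("InitiatingProcessFolderPath", "").lower().endswith("\\gup.exe"))


def av_or_appcontrol_on_gup(ev):
    # DeviceEvents | where FileName =~ "GUP.exe" or InitiatingProcessFileName =~ "gup.exe"
    #              | where ActionType == "AppControlExecutableBlocked" or ActionType == "AntivirusReport"
    return (ev.get("Table") == "DeviceEvents"
            and ev.get("ActionType") in ("AppControlExecutableBlocked", "AntivirusReport")
            and (ev.get("FileName", "").lower() == "gup.exe"
                 or ev.get("InitiatingProcessFileName", "").lower() == "gup.exe"))


RULES = {
    "ioc_hash": hash_hit,
    "gup_file_created": created_by_gup,
    "gup_av_appcontrol": av_or_appcontrol_on_gup,
}


def hunt(jsonl_text):
    """Return (rule, DeviceName, FileName) for every event that matches a rule.
    One event can match several rules, which is what you want for triage."""
    hits = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["DeviceName"], ev["FileName"]))
    return hits


if __name__ == "__main__":
    for rule, device, fname in hunt(SAMPLE_EVENTS):
        print(rule, device, fname)
```

On the sample above, the first event fires twice (known-bad hash written by gup.exe), the AntivirusReport on ws02 fires the third rule, and the modified DLL on ws03 fires only the hash rule because it was not a FileCreated event. Running it against a real export just means feeding the exported JSON lines to `hunt()` and extending `IOC_SHA256` with the full list.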

[IMPORTANT] Additional measure

Conclusion


Here we have a perfect example of the logic of defense in depth. The infrastructure logs alone are insufficient to detect every case, and the endpoint logs are not enough either.

But we can also see directly the impact of a badly secured infrastructure. Without SSL inspection at the proxy level, proxy logs do not give you the full URI, User-Agent, filename or file hash.

With only simple URL filtering on a firewall, you lose a lot of information.

The logging system, log retention, log parsing and search capabilities are critical in such a case.

We encountered a very problematic limit of log retention on solutions like MS Defender.
In our case the proxy logs are very complete, so we can search them. But... we have 1.5 TB/day of proxy logs. A 6 month search over such a volume takes ages.
