File name: nvm-setup.exe

Full analysis: https://app.any.run/tasks/502f240a-fa90-47b1-a739-d6546b181495
Verdict: Malicious activity
Analysis date: June 04, 2024, 21:20:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1205D8871D0AC6EE7D7F94A7EC33C2DA
SHA1: 2B777791DBECDC9403AD0D3F24F38916607D23D2
SHA256: 41BE147A7715FAAA74EE404CE920AA7D941F5D6C3B7EDBB0FA097A656AA1A23B
SSDEEP: 98304:7+QqZ8fRSkxloldGXA9BQx1NKXjo7SV4SaogdNPIw3l2+Bm8Ptr+00Dm0MMZICzh:fo5mcjic

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • nvm-setup.exe (PID: 3980)
      • nvm-setup.exe (PID: 2108)
      • nvm-setup.tmp (PID: 864)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • nvm-setup.exe (PID: 3980)
      • nvm-setup.exe (PID: 2108)
      • nvm-setup.tmp (PID: 864)
    • Reads the Windows owner or organization settings

      • nvm-setup.tmp (PID: 864)
    • Starts CMD.EXE for commands execution

      • nvm-setup.tmp (PID: 864)
    • Searches for installed software

      • nvm-setup.tmp (PID: 864)
  • INFO

    • Checks supported languages

      • nvm-setup.exe (PID: 3980)
      • nvm-setup.tmp (PID: 3996)
      • nvm-setup.exe (PID: 2108)
      • nvm-setup.tmp (PID: 864)
      • nvm.exe (PID: 1424)
    • Reads the computer name

      • nvm-setup.tmp (PID: 3996)
      • nvm-setup.tmp (PID: 864)
    • Create files in a temporary directory

      • nvm-setup.exe (PID: 3980)
      • nvm-setup.exe (PID: 2108)
      • nvm-setup.tmp (PID: 864)
    • Creates files or folders in the user directory

      • nvm-setup.tmp (PID: 864)
    • Creates a software uninstall entry

      • nvm-setup.tmp (PID: 864)
    • Creates files in the program directory

      • nvm-setup.tmp (PID: 864)
    • Manual execution by a user

      • nvm.exe (PID: 1424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:11:15 09:48:30+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 48640
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.1.12.0
ProductVersionNumber: 1.1.12.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Ecor Ventures LLC
FileDescription: Node version manager for Windows
FileVersion: 1.1.12
LegalCopyright: Copyright © 2018-2023 Ecor Ventures LLC, Corey Butler, and contributors.
OriginalFileName:
ProductName: nvm
ProductVersion: 1.1.12
No data.
All screenshots are available in the full report
Total processes: 54
Monitored processes: 12
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes shown in the graph: start, nvm-setup.exe, nvm-setup.tmp (no specs), nvm-setup.exe, nvm-setup.tmp, cmd.exe (no specs, 7 instances), nvm.exe (no specs)

Process information

Fields per process: PID | CMD | Path | Indicators | Parent process
PID: 116
CMD: "C:\Windows\system32\cmd.exe" /C node "C:\Users\admin\AppData\Local\Temp\is-2SDTO.tmp\nvm_check.js" > "C:\Users\admin\AppData\Local\Temp\is-2SDTO.tmp\nvm_node_check.txt"
Path: C:\Windows\System32\cmd.exe
Parent process: nvm-setup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 304
CMD: "C:\Windows\system32\cmd.exe" /C node "C:\Users\admin\AppData\Local\Temp\is-2SDTO.tmp\nvm_check.js" > "C:\Users\admin\AppData\Local\Temp\is-2SDTO.tmp\nvm_node_check.txt"
Path: C:\Windows\System32\cmd.exe
Parent process: nvm-setup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 864
CMD: "C:\Users\admin\AppData\Local\Temp\is-D1O41.tmp\nvm-setup.tmp" /SL5="$2013C,4963729,791040,C:\Users\admin\Downloads\nvm-setup.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\is-D1O41.tmp\nvm-setup.tmp
Parent process: nvm-setup.exe
User: admin
Company: Ecor Ventures LLC
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-d1o41.tmp\nvm-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1056
CMD: "C:\Windows\system32\cmd.exe" /C node "C:\Users\admin\AppData\Local\Temp\is-2SDTO.tmp\nvm_check.js" > "C:\Users\admin\AppData\Local\Temp\is-2SDTO.tmp\nvm_node_check.txt"
Path: C:\Windows\System32\cmd.exe
Parent process: nvm-setup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1236
CMD: "C:\Windows\system32\cmd.exe" /C node "C:\Users\admin\AppData\Local\Temp\is-2SDTO.tmp\nvm_check.js" > "C:\Users\admin\AppData\Local\Temp\is-2SDTO.tmp\nvm_node_check.txt"
Path: C:\Windows\System32\cmd.exe
Parent process: nvm-setup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1424
CMD: "C:\Users\admin\AppData\Roaming\nvm\nvm.exe"
Path: C:\Users\admin\AppData\Roaming\nvm\nvm.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\appdata\roaming\nvm\nvm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\winmm.dll
c:\windows\system32\user32.dll
PID: 1680
CMD: "C:\Windows\system32\cmd.exe" /C node "C:\Users\admin\AppData\Local\Temp\is-2SDTO.tmp\nvm_check.js" > "C:\Users\admin\AppData\Local\Temp\is-2SDTO.tmp\nvm_node_check.txt"
Path: C:\Windows\System32\cmd.exe
Parent process: nvm-setup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2108
CMD: "C:\Users\admin\Downloads\nvm-setup.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138
Path: C:\Users\admin\Downloads\nvm-setup.exe
Parent process: nvm-setup.tmp
User: admin
Company: Ecor Ventures LLC
Integrity Level: HIGH
Description: Node version manager for Windows
Exit code: 0
Version: 1.1.12
Modules
Images
c:\users\admin\downloads\nvm-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2116
CMD: "C:\Windows\system32\cmd.exe" /C node "C:\Users\admin\AppData\Local\Temp\is-2SDTO.tmp\nvm_check.js" > "C:\Users\admin\AppData\Local\Temp\is-2SDTO.tmp\nvm_node_check.txt"
Path: C:\Windows\System32\cmd.exe
Parent process: nvm-setup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2312
CMD: "C:\Windows\system32\cmd.exe" /C node "C:\Users\admin\AppData\Local\Temp\is-2SDTO.tmp\nvm_check.js" > "C:\Users\admin\AppData\Local\Temp\is-2SDTO.tmp\nvm_node_check.txt"
Path: C:\Windows\System32\cmd.exe
Parent process: nvm-setup.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 5 381
Read events: 5 338
Write events: 37
Delete events: 6

Modification events

(PID) Process: (864) nvm-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 60030000369FF518C5B6DA01

(PID) Process: (864) nvm-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: A12F19CBD856472B766050BEC19837866392589494EE9002D602F4B6F95166FD

(PID) Process: (864) nvm-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (864) nvm-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Users\admin\AppData\Roaming\nvm\nvm.exe

(PID) Process: (864) nvm-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: 4F5D72295D86AC883F3A030A6E9564C971201880F49C3C062DC78781B176CAA2

(PID) Process: (864) nvm-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\40078385-F676-4C61-9A9C-F9028599D6D3_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 6.1.2

(PID) Process: (864) nvm-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\40078385-F676-4C61-9A9C-F9028599D6D3_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Users\admin\AppData\Roaming\nvm

(PID) Process: (864) nvm-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\40078385-F676-4C61-9A9C-F9028599D6D3_is1
Operation: write
Name: InstallLocation
Value: C:\Users\admin\AppData\Roaming\nvm\

(PID) Process: (864) nvm-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\40078385-F676-4C61-9A9C-F9028599D6D3_is1
Operation: write
Name: Inno Setup: Icon Group
Value: NVM for Windows

(PID) Process: (864) nvm-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\40078385-F676-4C61-9A9C-F9028599D6D3_is1
Operation: write
Name: Inno Setup: User
Value: admin
Executable files: 6
Suspicious files: 0
Text files: 16
Unknown types: 3

Dropped files

Fields per file: PID | Process | Filename | Type

PID: 3980 | Process: nvm-setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\is-3CBNM.tmp\nvm-setup.tmp | Type: executable
MD5: AF0D4161F805C8238479DA4C41EF6A35
SHA256: D1E64E7A507324A1A9B130647143C2B83B695B5004AFD88ADBD9ACE217F545F0

PID: 864 | Process: nvm-setup.tmp | Filename: C:\Users\admin\AppData\Roaming\nvm\unins000.exe | Type: executable
MD5: 58C264F91DAF445EAB1D33CD76AA53C2
SHA256: 18EF332CA725A4148E38556B9038827919A39942F1BC45F973C9E4FEFCAE9953

PID: 2108 | Process: nvm-setup.exe | Filename: C:\Users\admin\AppData\Local\Temp\is-D1O41.tmp\nvm-setup.tmp | Type: executable
MD5: AF0D4161F805C8238479DA4C41EF6A35
SHA256: D1E64E7A507324A1A9B130647143C2B83B695B5004AFD88ADBD9ACE217F545F0

PID: 864 | Process: nvm-setup.tmp | Filename: C:\Users\admin\AppData\Roaming\nvm\is-T0J6G.tmp | Type: executable
MD5: 58C264F91DAF445EAB1D33CD76AA53C2
SHA256: 18EF332CA725A4148E38556B9038827919A39942F1BC45F973C9E4FEFCAE9953

PID: 864 | Process: nvm-setup.tmp | Filename: C:\Users\admin\AppData\Roaming\nvm\elevate.cmd | Type: text
MD5: E0A963AA9273275A3DA167C0D169490D
SHA256: 792D6A485D26B3AE1C926D1D4915E5EAF9A40113AFD623212D1A9591E56BB1D5

PID: 864 | Process: nvm-setup.tmp | Filename: C:\Users\admin\AppData\Roaming\nvm\is-5L4O6.tmp | Type: text
MD5: 9C5E28535C95D143C7F76432D01FE7DF
SHA256: 76A89F12D74FE66448499C5ADE1F66D0EDB991AF0BBE6D3E2818353F6A7E6A6F

PID: 864 | Process: nvm-setup.tmp | Filename: C:\Users\admin\AppData\Roaming\nvm\setuserenv.vbs | Type: text
MD5: 9C5E28535C95D143C7F76432D01FE7DF
SHA256: 76A89F12D74FE66448499C5ADE1F66D0EDB991AF0BBE6D3E2818353F6A7E6A6F

PID: 864 | Process: nvm-setup.tmp | Filename: C:\Users\admin\AppData\Roaming\nvm\is-0DNHJ.tmp | Type: executable
MD5: 3CA84D1CC2425D431C0B7A6E56960561
SHA256: 09C0B24AE56D26CC2AA8C1D583E5C1E58E11C425B0E899EC3124C5551E8F4373

PID: 864 | Process: nvm-setup.tmp | Filename: C:\Users\admin\AppData\Roaming\nvm\is-24F2D.tmp | Type: text
MD5: 7978330486AA4946BB3079CC9F0F0AFA
SHA256: 6F54EDD8BAB74D5C722EC00AB2F1FADD38CEB1DDCA5AED60A400A6DD846EEFEF

PID: 864 | Process: nvm-setup.tmp | Filename: C:\Users\admin\AppData\Roaming\nvm\unsetuserenv.vbs | Type: text
MD5: 7978330486AA4946BB3079CC9F0F0AFA
SHA256: 6F54EDD8BAB74D5C722EC00AB2F1FADD38CEB1DDCA5AED60A400A6DD846EEFEF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Fields per connection: PID | Process | IP | Domain | ASN | CN | Reputation

PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info