Question Random process window on startup: "npm install winreg"?
The startup app was disabled without any changes, yet nothing showed up when I tried to run the command again. This is really odd.
The malicious Google Updater directory is located at <code>C:\Program Files (x86)\Google\GoogleUpdater\132.0.6833.0</code>. Several suspicious files were detected, including <code>updater.exe</code>, <code>uninstall.cmd</code>, and additional components such as <code>crashpad_handler.exe</code>, <code>GoogleUpdate.exe</code>, <code>settings.dat</code>, among others visible in your screenshot.
After many months, I discovered the starting point for the node terminal. A folder called LocalUserHelper in Program Files (x86) appears. It looks like a node package that attempts to install winreg but doesn't do anything else. I'm still puzzled about how it works. If you'd like, I can upload a zip of this folder.