Hacker News
by jart 727 days ago
Are you telling me this thing spawned 50 new processes on your computer? Could you zip up all the executable files and whatever it installed and upload it somewhere so we can analyze the assembly?

This "thing" is always spawning 3 processes at a time. The processes are always the ones from the VirusTotal link. I can upload the DLL to a file sharing service of your choice if you don't have a VT premium license. I can also provide an any.run link: https://app.any.run/tasks/bc557b04-5025-46a1-a683-aad3b29b9a... (installer) https://app.any.run/tasks/e257e7f2-7837-4ed1-93c8-5d617d75cc... (zip file containing the files). Let me know if you need further info :).
Is there a way for me to curl their executable into my UNIX terminal so I can read the assembly? Or does Any Run keep the samples to themselves? I know a lot about portable executable but very little about these online services.
https://github.com/mafriese/scarecrow Can upload any files you want there. Direct DL for one of the files: https://github.com/mafriese/scarecrow/raw/main/autoruns.exe