[New WTFBin]: WTFBIN Here

[0xDeadcell]

• Contributor Name: Matthew W/0xdeadcell
• Application/Executable: C:\Windows\system32\Startupscan.dll SusRunTask
• WTF Behavior Description: System executes a suspiciously named DLL export with a name of SusRunTask, and this dll checks many various scheduled task and autostart execution locations such as registry persistence locations and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ as well as spawning new processes that are not child processes.

List of registry keys it opens: "Registry Keys Opened" https://www.virustotal.com/gui/file/7e20bd611bf14082ef28068073abc9f84faeb04fc9f4735b8fc7c0c0a1fbc87b/behavior

In a windows environment it is not uncommon to see execution of rundll32 Startupscan.dll,SusRunTask, however this is normal startup behavior that is executed by task scheduler during startup - it scans startup apps and warns the user if there are too many.

• Link to Documentation of Behavior: https://strontic.github.io/xcyclopedia/library/Startupscan.dll-4EA151DBB72D2BB5C73E16A91547E453.html https://www.virustotal.com/gui/file/8b49b3f3d7773802cbb1e1400504fa5ad437502a3752f8149e6bb8d231a2522f/detection/ https://renenyffenegger.ch/notes/Windows/dirs/Windows/System32/Startupscan_dll "StartupAppTask" https://superuser.com/questions/884839/windows-8-1-automatic-maintenance-whats-really-going-on-under-the-hood#:~:text=compattelrunner%20%2Dmaintenance.-,StartupAppTask,-%3A%20scans%20startup%20apps https://windows10dll.nirsoft.net/startupscan_dll.html

https://www.hybrid-analysis.com/sample/7e20bd611bf14082ef28068073abc9f84faeb04fc9f4735b8fc7c0c0a1fbc87b/5c60484b7ca3e14e0132f425

• Please provide any images for additional evidence. Please check the links for images

[mttaggart]

Great submission. Added in 6e626a753a6. Thank you!