WTF Behavior Description:
The system executes a suspiciously named DLL export, SusRunTask. The DLL checks many scheduled task and autostart execution locations, such as registry persistence locations and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\, and it spawns new processes that are not child processes.
In a Windows environment it is not uncommon to see execution of rundll32 Startupscan.dll,SusRunTask. This is normal startup behavior, executed by Task Scheduler during startup: it scans startup apps and warns the user if there are too many.
C:\Windows\system32\Startupscan.dll
SusRunTask
List of registry keys it opens (see "Registry Keys Opened"): https://www.virustotal.com/gui/file/7e20bd611bf14082ef28068073abc9f84faeb04fc9f4735b8fc7c0c0a1fbc87b/behavior
https://www.hybrid-analysis.com/sample/7e20bd611bf14082ef28068073abc9f84faeb04fc9f4735b8fc7c0c0a1fbc87b/5c60484b7ca3e14e0132f425
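A triage check for the behavior described above, as an added example that is not part of the original entry: it separates the expected rundll32 Startupscan.dll,SusRunTask invocation from command lines that reuse the DLL name or export name from another location. The function names classify and triage are hypothetical and the sample command lines are constructed.

```python
import ntpath
import re

# From the page: the legitimate DLL location and its export name.
EXPECTED_DLL = r"c:\windows\system32\startupscan.dll"
EXPECTED_EXPORT = "susruntask"

# rundll32 <dll>,<export>: the image and DLL may be quoted or carry a path.
_RUNDLL = re.compile(
    r'^\s*"?[^"]*?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,"]+))\s*[,\s]\s*(?P<export>[^\s,]+)',
    re.IGNORECASE,
)

def classify(cmdline: str) -> str:
    """Return 'expected', 'review' or 'unrelated' for one command line."""
    m = _RUNDLL.match(cmdline)
    if not m:
        return "unrelated"
    dll = ntpath.normpath((m.group("qdll") or m.group("dll")).lower())
    export = m.group("export").lower()
    same_name = ntpath.basename(dll) == ntpath.basename(EXPECTED_DLL)
    same_export = export == EXPECTED_EXPORT
    if not (same_name or same_export):
        return "unrelated"
    # A bare file name is the form shown on the page; the command line alone
    # cannot prove which file was loaded, so confirm with image-load telemetry.
    path_ok = ntpath.dirname(dll) == "" or dll == EXPECTED_DLL
    if same_name and same_export and path_ok:
        return "expected"
    return "review"  # familiar name or export, unexpected DLL or path

# Constructed sample command lines, not taken from any real log.
SAMPLES = [
    r"rundll32 Startupscan.dll,SusRunTask",
    r'"C:\Windows\System32\rundll32.exe" "C:\Windows\system32\Startupscan.dll",SusRunTask',
    r"rundll32.exe C:\Users\Public\Startupscan.dll,SusRunTask",
    r"rundll32.exe C:\Windows\system32\..\Temp\Startupscan.dll,SusRunTask",
    r"rundll32.exe C:\Users\Public\helper.dll,SusRunTask",
    r"rundll32.exe shell32.dll,Control_RunDLL",
]

def triage(lines):
    return [(classify(line), line) for line in lines]

if __name__ == "__main__":
    for verdict, line in triage(SAMPLES):
        print(f"{verdict:9} {line}")
```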