
Suspicious behavior of task.vbs



I was doing some digging with Sysinternals Autoruns and I came across a scheduled task that executes a vb script called task; after doing some research it seems like it's a part of Intel's system usage reports. However, after taking a look at the vbs script I found that it exhibits some really spooky behavior that gives me the impression it is doing something malicious, or something that it doesn't want the user to notice.

 


 

Located in \Program Files\Intel\SUR\QUEENCREEK\x64 the task.vbs script executes task.bat, which then runs task.exe — seems a little odd to me that legitimate Intel software would use such poor practice. Without going into too much detail I just want to know if you guys think this is something I should be concerned about.


Hello @JonahN and :welcome:

 

My name is MKDB and I will assist you.

 

  • Please follow the steps in the given order and post back the logs as an attachment when ready. Thank you very much for your cooperation.
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
  • As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.

 

 

I know this task and those files you are talking about. I've noticed them on other systems some time ago as well. Those files are legit.

If you still want to have your system checked for malware, please let me know.

Thank you!

 

 


Hello! I really appreciate the reply MKDB, after some further investigation using a decompiler I've concluded the application is safe.

All API calls, Registry paths, and Assembly Sections are consistent with the legitimate executable and show no signs of manipulation, so I hope that this thread can serve as a reference for anyone curious about these files.

 

Below I've attached some extra information about the file just for SEO sake

 

 

MD5		d0587fbaf5b48c4e02a21d2a843e2783
SHA-1		56dca57e7a952633ce9dbedb7202a073eff76d5e
SHA-256		5dcfcea1cab3e808ca45831ade6bab950e190c3c18f47fd7230b85e952f1c4b3


Signers
Intel(R) System Usage Report
Intel External Issuing CA 7B
Sectigo (formerly Comodo CA)

 

https://www.virustotal.com/gui/file/5dcfcea1cab3e808ca45831ade6bab950e190c3c18f47fd7230b85e952f1c4b3/detection

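A way to repeat the hash and signer check from the post above on your own machine, as an added example that is not part of the original thread. It assumes the posted SHA-256 describes task.exe in the folder named in the first post; the function name `Test-BinaryIdentity` is hypothetical.

```powershell
# Added example. Path and file name come from the thread; the hash is the one
# posted there and is ASSUMED to belong to task.exe of that Intel SUR build.
$Path     = Join-Path $env:ProgramFiles 'Intel\SUR\QUEENCREEK\x64\task.exe'
$Expected = '5dcfcea1cab3e808ca45831ade6bab950e190c3c18f47fd7230b85e952f1c4b3'

function Test-BinaryIdentity {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Content identity: SHA-256 of the file on disk
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Publisher identity: Authenticode status as evaluated by Windows
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # List leaf and issuer names so they can be compared with the
    # "Signers" block in the post
    $chainSubjects = @()
    if ($sig.SignerCertificate) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        [void]$chain.Build($sig.SignerCertificate)
        $chainSubjects = @($chain.ChainElements | ForEach-Object {
            $_.Certificate.GetNameInfo('SimpleName', $false)
        })
    }

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash.ToLowerInvariant()
        HashMatches     = ($hash -ieq $ExpectedSha256)
        SignatureStatus = $sig.Status
        ChainSubjects   = $chainSubjects
    }
}

$result = Test-BinaryIdentity -Path $Path -ExpectedSha256 $Expected
$result | Format-List

# A hash mismatch with a Valid signature usually means a different version;
# anything other than Valid deserves a closer look regardless of the hash.
if ($result.SignatureStatus -ne 'Valid') {
    Write-Warning "Signature status is $($result.SignatureStatus) for $Path"
}
```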

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection.

Thank you.

 

 

As this topic seems to be solved, I do not follow it any longer.

Take care!
