Question Suspicious Power-Shell Script Found - Need Help Analysing

aci

Jan 5, 2014
Hi everyone,

I recently found a suspicious PowerShell script execution log on my system, and I'm trying to understand what it does. Here's the relevant log entry:

[screenshot: PowerShell execution log entry]


Here's what I've observed:

  • The script uses AES encryption to decrypt and execute code from C:\Windows\sys.txt.
  • It runs with a hidden window (-WindowStyle Hidden) and without loading a profile (-NoProfile).
  • The script reads the content of a file located in the Windows folder, which is very suspicious.

What could be the purpose of this script?
I scanned the whole system with Windows Defender and with Malwarebytes. They found lots of files and I deleted them. But it still pops up on my screen every 30 minutes.
Any insights or guidance would be greatly appreciated.

Thanks
 
More information needed.

Look in Task Manager > Startup for anything that is unknown or unexpected.

Look in Task Scheduler for anything set up to trigger after 30 minutes.

Take a screenshot of what pops up and post the screenshot here via imgur (www.imgur.com > green "New post" icon).

Which Windows folder?

Take a screenshot of the script and post.

Then, for the time being, disable PowerShell from being run.
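The two checks suggested above (Task Manager > Startup and Task Scheduler) can be done in one pass from an elevated PowerShell prompt. The script below is an added example written for this thread, not something posted by either participant: it lists every scheduled task whose action launches PowerShell with the flags the original post describes (-WindowStyle Hidden, -NoProfile) or on a repetition interval of an hour or less, and also scans the Run registry keys for PowerShell autoruns. The file path in $SuspectPath is taken from the original post; the flag list and the one-hour threshold are assumptions chosen for this example.

```powershell
# Added example for this thread (not the poster's script): hunt for scheduled tasks and
# autorun entries that launch PowerShell the way the original post describes.
# Run from an elevated PowerShell prompt (Windows 8 / Server 2012 or later).
$SuspectPath = 'C:\Windows\sys.txt'   # path named in the original post
# Flags commonly seen on hidden/unattended PowerShell launches (assumed list for this example)
$SuspiciousFlags = @('-WindowStyle Hidden', '-NoProfile', '-EncodedCommand', '-enc ', '-ExecutionPolicy Bypass')

function Get-SuspiciousPowerShellTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "Exec" actions carry Execute/Arguments; skip COM-handler and e-mail actions
            if (-not $action.Execute) { continue }
            $exe       = [string]$action.Execute
            $arguments = [string]$action.Arguments   # $args is a PowerShell automatic variable, so avoid it
            if ($exe -notmatch 'powershell|pwsh') { continue }

            # Reasons this task looks suspicious: matching flags, or a reference to the suspect file
            $reasons = @($SuspiciousFlags | Where-Object { $arguments -match [regex]::Escape($_) })
            if ($arguments -match [regex]::Escape($SuspectPath)) { $reasons += "references $SuspectPath" }

            # Repetition.Interval is an ISO 8601 duration, e.g. "PT30M" for every 30 minutes
            foreach ($trigger in $task.Triggers) {
                $interval = $trigger.Repetition.Interval
                if (-not $interval) { continue }
                $span = [System.Xml.XmlConvert]::ToTimeSpan($interval)
                if ($span.TotalMinutes -le 60) { $reasons += "repeats every $($span.TotalMinutes) min" }
            }

            if ($reasons.Count -gt 0) {
                $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    State     = [string]$task.State
                    Execute   = $exe
                    Arguments = $arguments
                    LastRun   = $info.LastRunTime
                    NextRun   = $info.NextRunTime
                    Reasons   = $reasons -join '; '
                }
            }
        }
    }
}

function Get-PowerShellAutoruns {
    # The Run/RunOnce keys feed the Task Manager > Startup list for the current user and the machine
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
            $value = [string]$props.$name
            if ($value -match 'powershell|pwsh') {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $value }
            }
        }
    }
}

# Preserve the referenced file for analysis instead of deleting it: record its hash first
if (Test-Path $SuspectPath) {
    Get-FileHash -Path $SuspectPath -Algorithm SHA256 | Format-List
}

"== Scheduled tasks launching PowerShell with suspicious flags or a short repeat interval =="
Get-SuspiciousPowerShellTasks | Format-List
"== Run/RunOnce autoruns that launch PowerShell =="
Get-PowerShellAutoruns | Format-Table -AutoSize
```

Anything this reports is worth posting here in full (task name, path, and the Arguments field) before removing it. Record the SHA256 of any referenced file rather than deleting it, since the hash lets others identify the sample. A matching task can be stopped without losing the evidence with Disable-ScheduledTask -TaskName <name> -TaskPath <path>; Unregister-ScheduledTask removes it outright once the screenshots are saved.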
 
Nothing unknown in Task Manager > Startup.
Can't take a screenshot because sometimes it quickly pops up a blue PowerShell window with nothing in it, and it just disappears.
Also, when playing games, the game minimizes by itself, and then I know the script has started doing things.
I will paste a link so you can see. Multiple PowerShell scripts launch within seconds. [link]
> Which Windows folder?
It's system32/sys.txt.
I opened that text file, but it's just a bunch of non-readable text, so I deleted it.
Here is an image from Task Scheduler.
Full details here: [link]
I did disable PowerShell as well. But nothing really...
[screenshot: Task Scheduler]

[screenshot: Task Scheduler, task details]

And here is an image of the script:
[screenshot: the PowerShell script]
 