Question: Suspicious PowerShell Script Found - Need Help Analysing

aci (Distinguished, Jan 5, 2014)
Hi everyone,

I recently found a suspicious PowerShell script execution log on my system, and I'm trying to understand what it does. Here's the relevant log entry:
[screenshot: shll.png]


Here's what I've observed:

  • The script uses AES encryption to decrypt and execute code from C:\Windows\sys.txt.
  • It runs with a hidden window (-WindowStyle Hidden) and without loading a profile (-NoProfile).
  • The script reads the content of a file located in the Windows folder, which is very suspicious.
What could be the purpose of this script?
I did scan the whole system with Windows Defender and with Malwarebytes. They found lots of files and I deleted them. But it still pops up on my screen every 30 minutes.
Any insights or guidance would be greatly appreciated.

Thanks
 
More information needed.

Look in Task Manager > Startup for anything that is unknown or unexpected.

Look in Task Scheduler for anything set up to trigger after 30 minutes.

Take a screenshot of what pops up and post the screenshot here via imgur (www.imgur.com > green "New post" icon).

Which Windows folder?

Take a screenshot of the script and post.

Then, for the time being, disable PowerShell from being run.
 
Nothing unknown in Task Manager > Startup.
Can't take a screenshot because sometimes it quickly pops up a blue PowerShell window with nothing in it and it just disappears.
Also when playing games, the game minimizes by itself and then I know the script started doing things.
I will paste a link so you can see. Multiple PowerShell scripts launch within seconds. <<<there
Which Windows folder? > It's system32/sys.txt
I opened that text file but it's just a bunch of unreadable text, so I deleted it.
Here is an image from Task Scheduler.
Full details here <<<full details
I did disable PowerShell also. But nothing really...
[screenshot: Jcw5NeD.png]

[screenshot: srqwsbn.png]

And here is an image of the script:
[screenshot: Lavgs0B.png]
 
Interesting script.

Not the sort of PowerShell thing that I have done or otherwise (full disclosure) "tinkered" with.

Overall, the script appears to be attempting to and/or possibly succeeding in changing some sort of key and hiding its doing so. Again, that is simply my first impression and I need to check on some specific details.

I am not one to immediately think "Virus" or "Malware" but cannot rule that out.

What may be more likely is that some app, game, utility, etc.. is trying to spoof a key or otherwise work around some encryption or security safeguard.

There are other Forum members here who are very knowledgeable of such things.

My immediate suggestions (and others may comment as well):

NOTE: Before doing anything ensure that all important data is backed up at least 2 x to locations away from the system in question. Verify that the backups are recoverable and readable.

The following actions are simply discovery and preventative. However, when it comes to unexplained code/script there are no guarantees about what is being attempted or done through other means.

First:

In Task Manager > Startup:

Do you see any references to PowerShell or PowerShell scripts? Scripts are filenames that end in .ps1.

If so, disable them.

Also look for any unknown or unexplained apps, utilities, etc. being launched at startup. Find out what they are and what they do. Be careful, as some may appear legitimate when they are not, using a name that is close to some real filename and easily misread.

Second:

If PowerShell is running, stop PowerShell via Task Manager.

Task Manager > Processes > Windows PowerShell.

If PowerShell continues to run or somehow launches again, then more effort will be needed to stop that from continuing.

Third:

In Task Scheduler, look at all of the scheduled tasks, their respective rules/triggers, and what each trigger does.

Post accordingly.
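The three checks in that reply (startup entries, a PowerShell process that keeps coming back, and the scheduled-task triggers) can be done in one pass with the script below. It is an added example, not code posted in the thread; it assumes Windows PowerShell 5.1 or later with the ScheduledTasks module and an elevated prompt, and the search patterns are the switches and the sys.txt filename from the original post.

```powershell
# Added triage script (not from the thread). Assumes Windows PowerShell 5.1+ with the
# ScheduledTasks module; run elevated so HKLM and every task folder are visible.
# Patterns come from what the original poster observed: hidden window, no profile, sys.txt.
$patterns = @('-WindowStyle\s+Hidden', '-NoProfile', '-EncodedCommand', '-enc\b', 'sys\.txt')
$regex    = $patterns -join '|'

# 1. Scheduled tasks whose action launches PowerShell with any of those markers.
#    Repetition.Interval is an ISO 8601 duration, so a task firing every 30 minutes shows PT30M.
$tasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'powershell|pwsh' -and $cmd -match $regex) {
            [pscustomobject]@{
                Source   = 'ScheduledTask'
                Name     = $task.TaskPath + $task.TaskName
                State    = $task.State
                Interval = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
                Command  = $cmd
            }
        }
    }
}

# 2. Run/RunOnce keys for both the machine and the current user (what Task Manager > Startup shows).
$runKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') { "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub" }
}
$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match "powershell|pwsh|$regex" } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($_.Name)"; State = ''; Interval = ''; Command = $_.Value }
        }
}

# 3. WMI permanent event subscriptions, which can relaunch a command without any visible task.
$wmiEntries = Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Source = 'WMI'; Name = $_.Name; State = ''; Interval = ''; Command = $_.CommandLineTemplate }
    }

@($tasks) + @($runEntries) + @($wmiEntries) | Format-List
```

Expect a few legitimate Microsoft tasks to match on -NoProfile alone; the entries worth posting are those whose Command references a file outside Program Files or Windows\System32, or whose Interval is PT30M.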
First:
There aren't any PowerShell scripts. Look, even the terminal is disabled.
[screenshot: rxbjfEG.png]

Nothing unfamiliar launches at startup, sir.

Second:
PowerShell is not running; I have checked multiple times.
[screenshot: NsBc2ye.png]

Here it says it was created in 2024. But I only discovered it three days ago.
[screenshot: hVAbeqB.png]


Third:
I inspected Task Scheduler and nothing unfamiliar really. Windows Update, Edge update, something for the keyboard and mouse also. Nothing weird.

And this is what I installed on the PC back then:
[screenshot: AkOiPGK.png]
 
One of (if not the) most exhaustive startup program examiners is Autoruns. It's a Microsoft tool.

https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

Load up Autoruns and be amazed that you probably have 60+ items starting up under specific criteria. Finding that script here may give you some more info about it.

Note: Autoruns is an advanced Windows startup analyzer. Do not just start disabling things willy-nilly - you can mess up programs/Windows.
 