Question: Suspicious PowerShell Script Found - Need Help Analysing

aci

Hi everyone,

I recently found a suspicious PowerShell script execution log on my system, and I'm trying to understand what it does. Here's the relevant log entry:
[screenshot: shll.png]


Here's what I've observed:

  • The script uses AES encryption to decrypt and execute code from C:\Windows\sys.txt.
  • It runs with a hidden window (-WindowStyle Hidden) and without loading a profile (-NoProfile).
  • The script reads the content of a file located in the Windows folder, which is very suspicious.
What could be the purpose of this script?
I scanned the whole system with Windows Defender and with Malwarebytes. They found lots of files and I deleted them. But it still pops up on my screen every 30 minutes.
Any insights or guidance would be greatly appreciated.

Thanks
More information needed.

Look in Task Manager > Startup for anything that is unknown or unexpected.

Look in Task Scheduler for anything set up to trigger after 30 minutes.

Take a screenshot of what pops up and post the screenshot here via imgur (www.imgur.com > green "New post" icon).

Which Windows folder?

Take a screenshot of the script and post.

Then, for the time being, disable PowerShell from being run.
Nothing unknown in Task Manager > Startup.
Can't take a screenshot because sometimes a blue PowerShell window quickly pops up with nothing in it, and it just disappears.
Also, when playing games, the game minimizes by itself, and then I know the script has started doing things.
I will paste a link so you can see: multiple PowerShell scripts launch within seconds. <<<there
Which Windows folder? > It's system32/sys.txt.
I opened that text file but it's just a bunch of non-readable text, so I deleted it.
Here is an image from Task Scheduler.
Full details here <<<full details
I did disable PowerShell also. But nothing really...
[screenshot: Jcw5NeD.png]

[screenshot: srqwsbn.png]

And here is an image of the script:
[screenshot: Lavgs0B.png]
Interesting script.

Not the sort of PowerShell things that I have done or otherwise (full disclosure) "tinkered" with.

Overall, the script appears to be attempting to, and/or possibly succeeding in, changing some sort of key and hiding its doing so. Again, that is simply my first impression and I need to check on some specific details.

I am not one to immediately think "Virus" or "Malware" but cannot rule that out.

What may be more likely is that some app, game, utility, etc.. is trying to spoof a key or otherwise work around some encryption or security safeguard.

There are other Forum members here who are very knowledgeable of such things.

My immediate suggestions (and others may comment as well):

NOTE: Before doing anything ensure that all important data is backed up at least 2 x to locations away from the system in question. Verify that the backups are recoverable and readable.

The following actions are simply discovery and preventative. However, when it comes to unexplained code/script there are no guarantees about what is being attempted or done through other means.

First:

In Task Manager > Startup:

Do you see any references to PowerShell or PowerShell scripts (filenames that end in .ps1)?

If so, disable them.

Also look for any unknown or unexplained apps, utilities, etc. being launched at startup. Find out what they are and what they do. Be careful, as some may appear legitimate when they are not, using a name that is close to some real filename and easily misread.

Second:

If PowerShell is running, stop PowerShell via Task Manager.

Task Manager > Processes > Windows PowerShell.

If PowerShell continues to run or somehow launches again, then more effort will be needed to stop that from continuing.

Third:

In Task Scheduler, look at all of the scheduled tasks, their respective rules/triggers, and what each trigger does.

Post accordingly.
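The three checks in the reply above (Startup entries, a running PowerShell, Task Scheduler triggers) can be done in one read-only pass. This is an added example, not code from anyone in this thread; it assumes an elevated Windows PowerShell 5.1 console, and the search pattern (hidden-window flags plus the sys.txt filename the original poster mentioned) is an assumption chosen for this thread. It also covers WMI event subscriptions, an autostart location Autoruns shows but Task Manager does not.

```powershell
# Added triage helper, not from this thread. Read-only: it lists candidates and
# disables nothing. Pattern is an assumption based on the log the OP posted.
$pattern = 'powershell|pwsh|-WindowStyle\s+Hidden|-NoProfile|-EncodedCommand|sys\.txt'

# 1. Scheduled tasks whose action launches PowerShell or references sys.txt.
#    The repetition interval is shown so a 30-minute loop (PT30M) stands out.
$tasks = Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            $info = Get-ScheduledTaskInfo -TaskName $t.TaskName -TaskPath $t.TaskPath
            [pscustomobject]@{
                Source   = 'ScheduledTask'
                Name     = "$($t.TaskPath)$($t.TaskName)"
                Command  = $cmd
                Interval = ($t.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
                LastRun  = $info.LastRunTime
            }
        }
    }
}

# 2. Run/RunOnce autostart keys for the current user and the machine.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$autostarts = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Source = 'RunKey'; Name = "$k\$($_.Name)"
                                   Command = $_.Value; Interval = ''; LastRun = '' }
            }
    }
}

# 3. WMI permanent event subscriptions: a CommandLineEventConsumer can relaunch a
#    script on a timer with no scheduled task and no Run key at all.
$wmi = Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer `
        -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{ Source = 'WmiConsumer'; Name = $_.Name
                       Command = $_.CommandLineTemplate; Interval = ''; LastRun = '' }
}

# 4. Is a PowerShell host running right now (what Task Manager may not show)?
$running = Get-Process -Name powershell, pwsh -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, StartTime, Path

$tasks + $autostarts + $wmi | Format-Table -AutoSize -Wrap
$running | Format-Table -AutoSize
```

Anything the table lists is a candidate to screenshot and post, not something to delete on sight, since legitimate updaters also schedule PowerShell.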
First:
There are not any PowerShell scripts. Look, even the terminal is disabled.
[screenshot: rxbjfEG.png]

Nothing unfamiliar launches at startup, sir.

Second:
PowerShell is not running; I have checked multiple times.
[screenshot: NsBc2ye.png]

Here it says it was created in 2024. But I only discovered it three days ago.
[screenshot: hVAbeqB.png]

Third:
I inspected Task Scheduler and nothing unfamiliar, really. Windows Update, Edge update, something for the keyboard and mouse also. Nothing weird.

And this is what I installed on the PC back then:
[screenshot: AkOiPGK.png]
One of (if not the) most exhaustive startup program examiner is Autoruns. It's a Microsoft tool.

https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns

Load up Autoruns and be amazed that you probably have 60+ items starting up under specific criteria. Finding that script here may give you some more info about it.

Note: Autoruns is an advanced Windows startup analyzer. Do not just start disabling things willy-nilly; you can mess up programs/Windows.
Yes - look using Autoruns.

If you see any references to PowerShell, then take screenshot(s) and post here via imgur.

If you do not see references to PowerShell, then open PowerShell as Admin.

Run the Get-Process cmdlet. Check the results (long list) for "powershell"; it should be listed.

https://learn.microsoft.com/en-us/p...ll.management/get-process?view=powershell-7.5

Use Get-Process only.

Then leave the PowerShell window open and run Autoruns again.

Does PowerShell appear?
[screenshot: JrJHb2D.png]

That's when I type "powershell" in Autoruns.
[screenshot: 3g2F2sy.png]

And that's for running the Get-Process command.
Then I started Autoruns again, typed "powershell" in the search, and it's still the same as the first image.

I will post below what I see in Autoruns so you can see as well:
[screenshot: CH2jK3w.png]

[screenshot: pfvW9Mk.png]

[screenshot: jvuauHf.png]
The pattern that I am seeing is that there appear to be way too many processes etc. that are present and may or may not be running, but could be launched if needed by some other process.

Unknown or unidentified processes should be researched and verified as legitimately required for some game or application.

It all becomes quite a mess when game play, recording, streaming, capturing, anti-cheat, etc., etc. are all being run at once. Not to mention a build that may not be up to the overall requirements needed to support all that.

How that PowerShell script may have slipped in is indeed a mystery.

Its purpose, other than what appears to be some key manipulation, is unknown.

Maybe the script came along with a few other bits of code here and there to do who knows what.

I am not a gamer and do not have any relevant sense of the "details" behind the scenes to play, record, stream FH4 or any other game for that matter.

Hopefully someone from the gaming community will take a look and spot things that do not really go with FH4 and all that you are doing. Or spot something missing or not as it should be.

= = = =

Otherwise the only suggestion I can offer at the moment is to go back to a basic setup with only FH4 as the starting point.

Maybe a complete FH4 removal and reinstall; ensure that the source site is legal and that any other apps you use are likewise from legal sources with all applicable licensing and keys.

Keep in mind that you may need to roll back even further to a clean Windows reinstall and do-over to reinstall supporting apps for gaming, streaming, recording.