Powershell script running in our environment - Is it malicious???

Any Powershell experts I can use your help.

I have this script below that is running on multiple hosts, and wondering if you can tell me what it means or does?


C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -version 2 -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp "HKLM:\SOFTWARE\Microsoft\Powershell").ScriptInit)));


What is the value in ScriptInit registry key?
Looks like it is invoking a command which is encoded in the ScriptInit key.

Also did a Google search and it points to malicious.
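Added example (not from any poster in this thread): the one-liner above reads the ScriptInit value, base64-decodes it as ASCII and hands the result straight to iex (Invoke-Expression), so the actual payload lives in the registry rather than on disk. The snippet below performs the same decode without ever executing the result, so you can answer "what is in ScriptInit?" and hand the text to your security team. The function names and the $env:TEMP output paths are my own choices; the constructed sample string is only there so the decoder can be demonstrated offline and is not a real captured value.

```powershell
# Added example, not code from the original thread. Decodes the ScriptInit
# registry value the same way the suspicious one-liner does, but never runs it.

function ConvertFrom-ScriptInit {
    # Mirrors the decode step of the one-liner: base64 -> ASCII text.
    # Returns the decoded script as a string; nothing is executed.
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($Base64))
}

function Get-ScriptInitDecoded {
    # Reads the live value from HKLM:\SOFTWARE\Microsoft\Powershell (run elevated)
    # and returns the decoded text, or $null if the value is not present.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Powershell'
    $value = (Get-ItemProperty -Path $key -Name ScriptInit -ErrorAction SilentlyContinue).ScriptInit
    if (-not $value) { return $null }
    ConvertFrom-ScriptInit -Base64 $value
}

# Offline demonstration with a constructed value (not a real sample): encode a
# harmless command the way the loader expects, then decode it again.
$constructed = [Convert]::ToBase64String(
    [Text.Encoding]::ASCII.GetBytes('Write-Output "hello from ScriptInit"'))
ConvertFrom-ScriptInit -Base64 $constructed

# On a suspect host: preserve the raw key and write the decoded text to a file
# for the security team instead of running it. Output paths are assumptions.
$decoded = Get-ScriptInitDecoded
if ($decoded) {
    Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Powershell' |
        Out-File -FilePath "$env:TEMP\ScriptInit_raw.txt"
    $decoded | Set-Content -Path "$env:TEMP\ScriptInit_decoded.txt" -Encoding ASCII
    "Decoded ScriptInit written to $env:TEMP\ScriptInit_decoded.txt"
}
```

Treat the decoded text as evidence, not as something to run: it may itself be a further-encoded or downloader stage. Two other details of the original command are worth noting to whoever reviews it: `-version 2` asks for the PowerShell 2.0 engine, which predates script block logging and AMSI, and `-executionpolicy bypass -windowstyle hidden` are the usual flags for a payload that is not meant to be seen. Neither proves intent on its own, but together with a base64 blob stored in the registry they are the pattern to look for on the other hosts.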

If you did not write and deploy it, and no one you are aware of did so, or it was not part of some package you purchased, then the default security process is to fail closed / disconnect it from the network / isolate the device / do not tamper with it or you ruin forensics / not trusted / kill it, period. Send it to your risk management / security team for review, as a simple text file, or bring them to the system that has it.

If you don’t know what a script is doing, then don’t allow it to run.

All audit modes should be leveraged.


Is your system managed by any MSP software like Kaseya or ConnectWise?