This is almost certainly malicious.
Let's take it apart. It invokes Windows PowerShell (a legitimate and very useful command interpreter) without user customizations (`-noprofile`) in a hidden window (`-windowstyle hidden`), allowing the PowerShell session to run scripts regardless of the system policy (`-executionpolicy bypass`). It then runs this command:
iex ([Text.Encoding]::ASCII.Get.String([Convert]::FromBase64string((gp'HKCU:\Software\Classes\SAJELFZIXHQTV').ADUXJH)))
`gp` means `Get-ItemProperty`, which can be used to retrieve values of Registry keys, and that's what it's doing here. Apparently, there's a key called `SAJELFZIXHQTV` in your current user `Software\Classes` key. That key has a value called `ADUXJH`, the data in which is what `gp` retrieves. That data (evidently a string) is then Base64-decoded into a byte array (`FromBase64String`). Those bytes are then interpreted as ASCII text (`ASCII.GetString`). Bizarrely, there's an extra dot in the original, which should cause an error because the `ASCII` object has no member called `Get`. Given that the process sticks around, though, I suspect the extra dot is just a transcription error.
If that error wasn't there, the resulting text would be invoked as a PowerShell command (`iex`). In short, this command is designed to load an encoded script from the Registry and execute it. To see exactly what it's running, copy the above PowerShell command minus the `iex` and with the extra dot removed into a PowerShell prompt and run it. It will print the command that would be invoked. It almost certainly won't be benign.
You can stop that entry from auto-starting with the Autoruns tool. However, it's probably a good idea to do a deeper clean of your machine, since it's likely infected. Please see How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?
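The decode-without-`iex` step described above, written out as an added example (not part of the original answer). It uses the key and value names quoted in the command; the function name `Get-EncodedRegistryScript` is made up for illustration. It only reads and decodes the data, and also reports a SHA-256 of the decoded bytes so the payload can be referenced without pasting it around.

```powershell
# Added example: inspect the stored payload without executing it.
# There is deliberately no iex / Invoke-Expression anywhere in this script.
$keyPath   = 'HKCU:\Software\Classes\SAJELFZIXHQTV'   # key name from the command above
$valueName = 'ADUXJH'                                  # value name from the command above

function Get-EncodedRegistryScript {                   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Registry key not found: $Path"
        return
    }

    $prop = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Warning "Value '$Name' not found under $Path"
        return
    }

    $raw = $prop.$Name
    if ($raw -isnot [string]) {
        Write-Warning "Value '$Name' is not a string (type: $($raw.GetType().Name))"
        return
    }

    # Same decoding chain as the original command: Base64 -> bytes -> ASCII text.
    try   { $bytes = [Convert]::FromBase64String($raw) }
    catch { Write-Warning "Value '$Name' is not valid Base64"; return }

    $sha  = [Security.Cryptography.SHA256]::Create()
    $hash = [BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
    $sha.Dispose()

    [pscustomobject]@{
        Path         = $Path
        Value        = $Name
        DecodedBytes = $bytes.Length
        Sha256       = $hash
        Text         = [Text.Encoding]::ASCII.GetString($bytes)
    }
}

$result = Get-EncodedRegistryScript -Path $keyPath -Name $valueName
if ($result) {
    $result | Format-List Path, Value, DecodedBytes, Sha256
    $result.Text    # printed as plain text only; never pipe this to iex
}
```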