Remove osascript starting after boot and get to know what it does

I am new to Mac and I have the following problem. After I log in after boot/restart, there is always a tab saying osascript wants to make changes which wants my password. I do not want to run this and clicking Cancel or killing this process in Activity monitor helps for the session. I am also able to see the details of it in Activity monitor. But regardless of what I do, after another start, the pop up menu appears again... How can I kill this script or remove it or disable it forever?

Related to that, how do I get to know what exactly is it trying to do? I tried to hit the Sample button in the menu in Activity monitor which gave me a text file of many things starting with the dirs and identifiers of the script and continuing with a lot of information which I don't know how to read/interpret (see below). As I said, I'm new to Mac so any help including the super basics is very welcomed :). Thank you.


EDIT:

Following the comments: Both cd Library/LaunchAgents; grep 'osascript' *.plist and cd /Library/LaunchAgents; grep 'osascript' *.plist output nothing. When I go to the process in Activity monitor and go to the Open files and ports, I get the following:

cwd
/
txt
/usr/bin/osascript
txt
/Library/Preferences/Logging/.plist-cache.xq4DHtYC
txt
/private/var/db/analyticsd/events.whitelist
txt
/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree
txt
/System/Library/Components/AppleScript.component/Contents/MacOS/AppleScript
txt
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/HIToolbox.rsrc
txt
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/English.lproj/Localized.rsrc
txt
/private/var/db/mds/messages/502/se_SecurityMessages
txt
/usr/share/icu/icudt64l.dat
txt
/private/var/db/timezone/tz/2020a.1.0/icutz/icutz44l.dat
txt
/System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Resources/AppleKeyboardLayouts-L.dat
txt
/System/Library/Caches/com.apple.IntlDataCache.le.kbdx
txt
/System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/StandardAdditions
txt
/usr/lib/dyld
0
/dev/null
1
/dev/null
2
/dev/null
3
/System/Library/MessageTracer/SubmitDiagInfo.default.domains.searchtree
4
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/HIToolbox.rsrc
5
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/English.lproj/Localized.rsrc

If needed, I also have clicked the Sample button. That gives this followed by Call graph section (not shown here):

Sampling process 680 for 3 seconds with 1 millisecond of run time between samples
Sampling completed, processing symbols...
Analysis of sampling osascript (pid 680) every 1 millisecond
Process:         osascript [680]
Path:            /usr/bin/osascript
Load Address:    0x1019b7000
Identifier:      osascript
Version:         395.1
Code Type:       X86-64
Parent Process:  bash [508]

Date/Time:       2020-10-22 10:14:04.108 +0300
Launch Time:     2020-10-22 08:27:11.218 +0300
OS Version:      Mac OS X 10.15.7 (19H2)
Report Version:  7
Analysis Tool:   /usr/bin/sample

Physical footprint:         4844K
Physical footprint (peak):  5056K

The output for:

ps auxwww | grep '[o]sascript'

when the pop up window is still active (presumably what you mean by it running) is:

jan                680   0.0  0.0  5765928   9756   ??  S     8:27AM   0:00.15 osascript -e do shell script "/Library/Scripts/WIS/tmp/Scripts/startup.sh" with administrator privileges

Is this the script what it is calling? What does it do?


As the parent process of osascript is 'bash', that suggests that a command line script is calling AppleScript.

/Library/Scripts/WIS/tmp/Scripts/startup.sh

is very likely the culprit.

Have you installed anything that this might relate to?

If not, I would delete it, and download Malwarebytes to check for malware.