These malicious extensions are difficult for the user to detect at first because, after the so-called utility is downloaded, it attempts to install the legitimate extension. That way the user still gets the tool they expected.
According to the report, the PowerShell script tries to run the malicious payload with administrator permissions. If the script doesn’t have the appropriate permissions, it tries to create another System32 directory and copy the ComputerDefaults.exe file to it. Then, the script creates its own malicious DLL named MLANG.dll and tries to execute it using the ComputerDefaults executable.
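The behaviour described above leaves a detectable trace: ComputerDefaults.exe starting from, or MLANG.dll being loaded from, a directory that is not the real System32. The following detection sketch is an added example, not code from the report. It assumes Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records, a Windows installation at `C:\Windows`, and constructed sample paths.

```python
from ntpath import basename, dirname, normcase

# Assumption: Windows is installed at C:\Windows; SysWOW64 is treated as trusted too.
TRUSTED_DIRS = {normcase(r"C:\Windows\System32"), normcase(r"C:\Windows\SysWOW64")}


def misplaced(path, name):
    """True if `path` is a file called `name` outside the real system directories."""
    # normcase lowercases and unifies slashes but does not strip whitespace,
    # so a lookalike directory name never compares equal to the real one.
    return basename(path).lower() == name and normcase(dirname(path)) not in TRUSTED_DIRS


def findings(events):
    """Return (event index, reason) for each suspicious Sysmon-style event."""
    out = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1 and misplaced(ev["Image"], "computerdefaults.exe"):
            out.append((i, "process-outside-system32"))
        elif ev["EventID"] == 7 and misplaced(ev["ImageLoaded"], "mlang.dll"):
            out.append((i, "dll-outside-system32"))
    return out


# Constructed sample events (not taken from the report).
SAMPLE_EVENTS = [
    # Legitimate launch and DLL load from the real System32.
    {"EventID": 1, "Image": r"C:\Windows\System32\ComputerDefaults.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\ComputerDefaults.exe",
     "ImageLoaded": r"C:\Windows\System32\mlang.dll"},
    # Copy of the executable in a second "System32" directory (hypothetical path).
    {"EventID": 1, "Image": r"C:\Users\Public\stage\System32\ComputerDefaults.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\stage\System32\ComputerDefaults.exe",
     "ImageLoaded": r"C:\Users\Public\stage\System32\MLANG.dll"},
]

if __name__ == "__main__":
    for idx, reason in findings(SAMPLE_EVENTS):
        print(idx, reason)
```

Matching on the full directory rather than the file name alone is what separates the legitimate binary from its copy, since both carry the same name.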