Technical Information
Malicious functions
Creates and executes the following (exploit)
- '%TEMP%\iqvoeeadl\jr_zgtrw65.exe' $uvvaaxjiahkmoouskuu_g_kpkzvmj_rjllu=']$qsc ';$ueufyeeonxmu_bf='Byp';$tzgyhunzigjtdtdkterrsvqsbaugy='$env:t';$swtadnatwuepvecun_mbryyaes='th;R';$oaaaouglgnbouew='pa';$eonpnaeoumhmikngjy_cltgidx...
Executes the following (exploit)
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 376
Modifies file system
Creates the following files
- %TEMP%\iqvoeeadl\certificate.format.ps1xml
- %TEMP%\iqvoeeadl\en-us\microsoft.powershell.consolehost.dll-help.xml
- %TEMP%\iqvoeeadl\en-us\microsoft.powershell.commands.utility.dll-help.xml
- %TEMP%\iqvoeeadl\en-us\microsoft.powershell.commands.management.dll-help.xml
- %TEMP%\iqvoeeadl\en-us\microsoft.powershell.commands.diagnostics.dll-help.xml
- %TEMP%\iqvoeeadl\en-us\importallmodules.psd1
- %TEMP%\iqvoeeadl\en-us\default.help.txt
- %TEMP%\iqvoeeadl\en-us\about_ws-management_cmdlets.help.txt
- %TEMP%\iqvoeeadl\en-us\about_wmi_cmdlets.help.txt
- %TEMP%\iqvoeeadl\en-us\about_windows_powershell_ise.help.txt
- %TEMP%\iqvoeeadl\en-us\about_windows_powershell_2.0.help.txt
- %TEMP%\iqvoeeadl\en-us\about_wildcards.help.txt
- %TEMP%\iqvoeeadl\en-us\about_while.help.txt
- %TEMP%\iqvoeeadl\en-us\about_variables.help.txt
- %TEMP%\iqvoeeadl\en-us\about_type_operators.help.txt
- %TEMP%\iqvoeeadl\en-us\microsoft.powershell.security.dll-help.xml
- %TEMP%\iqvoeeadl\en-us\about_types.ps1xml.help.txt
- %TEMP%\iqvoeeadl\en-us\about_trap.help.txt
- %TEMP%\iqvoeeadl\en-us\about_transactions.help.txt
- %TEMP%\iqvoeeadl\en-us\about_throw.help.txt
- %TEMP%\iqvoeeadl\en-us\about_switch.help.txt
- %TEMP%\iqvoeeadl\en-us\about_split.help.txt
- %TEMP%\iqvoeeadl\en-us\about_special_characters.help.txt
- %TEMP%\iqvoeeadl\en-us\about_signing.help.txt
- %TEMP%\iqvoeeadl\en-us\about_session_configurations.help.txt
- %TEMP%\iqvoeeadl\en-us\about_script_internationalization.help.txt
- %TEMP%\iqvoeeadl\en-us\about_script_blocks.help.txt
- %TEMP%\iqvoeeadl\en-us\about_scripts.help.txt
- %TEMP%\iqvoeeadl\en-us\about_scopes.help.txt
- %TEMP%\iqvoeeadl\en-us\about_return.help.txt
- %TEMP%\iqvoeeadl\en-us\about_reserved_words.help.txt
- %TEMP%\iqvoeeadl\en-us\about_try_catch_finally.help.txt
- %TEMP%\iqvoeeadl\modules\bitstransfer\microsoft.backgroundintelligenttransfer.management.interop.dll
- %TEMP%\iqvoeeadl\wsman.format.ps1xml
- %TEMP%\iqvoeeadl\en-us\powershell_ise.resources.dll
- %TEMP%\iqvoeeadl\types.ps1xml
- %TEMP%\iqvoeeadl\registry.format.ps1xml
- %TEMP%\iqvoeeadl\pwrshsip.dll
- %TEMP%\iqvoeeadl\pwrshmsg.dll
- %TEMP%\iqvoeeadl\pspluginwkr.dll
- %TEMP%\iqvoeeadl\psevents.dll
- %TEMP%\iqvoeeadl\powershell_ise.exe
- %TEMP%\iqvoeeadl\powershelltrace.format.ps1xml
- %TEMP%\iqvoeeadl\powershellcore.format.ps1xml
- %TEMP%\iqvoeeadl\powershell.exe
- %TEMP%\iqvoeeadl\modules\troubleshootingpack\troubleshootingpack.psd1
- %TEMP%\iqvoeeadl\modules\troubleshootingpack\troubleshootingpack.format.ps1xml
- %TEMP%\iqvoeeadl\modules\troubleshootingpack\en-us\microsoft.windows.diagnosis.troubleshootingpack.dll-help.xml
- %TEMP%\iqvoeeadl\modules\psdiagnostics\psdiagnostics.psm1
- %TEMP%\iqvoeeadl\en-us\about_requires.help.txt
- %TEMP%\iqvoeeadl\modules\psdiagnostics\psdiagnostics.psd1
- %TEMP%\iqvoeeadl\modules\bitstransfer\en-us\microsoft.backgroundintelligenttransfer.management.dll-help.xml
- %TEMP%\iqvoeeadl\modules\bitstransfer\en-us\about_bits_cmdlets.help.txt
- %TEMP%\iqvoeeadl\modules\bitstransfer\bitstransfer.psd1
- %TEMP%\iqvoeeadl\modules\bitstransfer\bitstransfer.format.ps1xml
- %TEMP%\iqvoeeadl\modules\applocker\en-us\microsoft.security.applicationid.policymanagement.cmdlets.dll-help.xml
- %TEMP%\iqvoeeadl\modules\applocker\applocker.psd1
- %TEMP%\iqvoeeadl\help.format.ps1xml
- %TEMP%\iqvoeeadl\getevent.types.ps1xml
- %TEMP%\iqvoeeadl\filesystem.format.ps1xml
- %TEMP%\iqvoeeadl\examples\profile.ps1
- %TEMP%\iqvoeeadl\en-us\system.management.automation.dll-help.xml
- %TEMP%\iqvoeeadl\en-us\pwrshmsg.dll.mui
- %TEMP%\iqvoeeadl\en-us\pspluginwkr.dll.mui
- %TEMP%\iqvoeeadl\en-us\psevents.dll.mui
- %TEMP%\iqvoeeadl\en-us\microsoft.wsman.management.dll-help.xml
- %TEMP%\iqvoeeadl\en-us\powershell.exe.mui
- %TEMP%\iqvoeeadl\en-us\about_remote_troubleshooting.help.txt
- %TEMP%\iqvoeeadl\en-us\about_history.help.txt
- %TEMP%\iqvoeeadl\en-us\about_functions_advanced_parameters.help.txt
- %TEMP%\iqvoeeadl\en-us\about_functions_advanced_methods.help.txt
- %TEMP%\iqvoeeadl\en-us\about_functions_advanced.help.txt
- %TEMP%\iqvoeeadl\en-us\about_functions.help.txt
- %TEMP%\iqvoeeadl\en-us\about_format.ps1xml.help.txt
- %TEMP%\iqvoeeadl\en-us\about_foreach.help.txt
- %TEMP%\iqvoeeadl\en-us\about_for.help.txt
- %TEMP%\iqvoeeadl\en-us\about_execution_policies.help.txt
- %TEMP%\iqvoeeadl\en-us\about_eventlogs.help.txt
- %TEMP%\iqvoeeadl\en-us\about_escape_characters.help.txt
- %TEMP%\iqvoeeadl\en-us\about_environment_variables.help.txt
- %TEMP%\iqvoeeadl\en-us\about_do.help.txt
- %TEMP%\iqvoeeadl\en-us\about_debuggers.help.txt
- %TEMP%\iqvoeeadl\en-us\about_data_sections.help.txt
- %TEMP%\iqvoeeadl\en-us\about_functions_cmdletbindingattribute.help.txt
- %TEMP%\iqvoeeadl\en-us\about_core_commands.help.txt
- %TEMP%\iqvoeeadl\en-us\about_comparison_operators.help.txt
- %TEMP%\iqvoeeadl\en-us\about_commonparameters.help.txt
- %TEMP%\iqvoeeadl\en-us\about_comment_based_help.help.txt
- %TEMP%\iqvoeeadl\en-us\about_command_syntax.help.txt
- %TEMP%\iqvoeeadl\en-us\about_command_precedence.help.txt
- %TEMP%\iqvoeeadl\en-us\about_break.help.txt
- %TEMP%\iqvoeeadl\en-us\about_automatic_variables.help.txt
- %TEMP%\iqvoeeadl\en-us\about_assignment_operators.help.txt
- %TEMP%\iqvoeeadl\en-us\about_arrays.help.txt
- %TEMP%\iqvoeeadl\en-us\about_arithmetic_operators.help.txt
- %TEMP%\iqvoeeadl\en-us\about_aliases.help.txt
- %TEMP%\iqvoeeadl\dotnettypes.format.ps1xml
- %TEMP%\iqvoeeadl\diagnostics.format.ps1xml
- %TEMP%\iqvoeeadl\compiledcomposition.microsoft.powershell.gpowershell.dll
- %TEMP%\iqvoeeadl\en-us\about_continue.help.txt
- %TEMP%\iqvoeeadl\en-us\about_pipelines.help.txt
- %TEMP%\iqvoeeadl\en-us\about_remote_output.help.txt
- %TEMP%\iqvoeeadl\en-us\about_if.help.txt
- %TEMP%\iqvoeeadl\en-us\about_remote_jobs.help.txt
- %TEMP%\iqvoeeadl\en-us\about_remote_faq.help.txt
- %TEMP%\iqvoeeadl\en-us\about_remote.help.txt
- %TEMP%\iqvoeeadl\en-us\about_regular_expressions.help.txt
- %TEMP%\iqvoeeadl\en-us\about_ref.help.txt
- %TEMP%\iqvoeeadl\en-us\about_redirection.help.txt
- %TEMP%\iqvoeeadl\en-us\about_quoting_rules.help.txt
- %TEMP%\iqvoeeadl\en-us\about_pssnapins.help.txt
- %TEMP%\iqvoeeadl\en-us\about_pssession_details.help.txt
- %TEMP%\iqvoeeadl\en-us\about_pssessions.help.txt
- %TEMP%\iqvoeeadl\en-us\about_providers.help.txt
- %TEMP%\iqvoeeadl\en-us\about_properties.help.txt
- %TEMP%\iqvoeeadl\en-us\about_prompts.help.txt
- %TEMP%\iqvoeeadl\en-us\about_profiles.help.txt
- %TEMP%\iqvoeeadl\en-us\about_remote_requirements.help.txt
- %TEMP%\iqvoeeadl\en-us\about_preference_variables.help.txt
- %TEMP%\iqvoeeadl\en-us\about_path_syntax.help.txt
- %TEMP%\iqvoeeadl\en-us\about_parsing.help.txt
- %TEMP%\iqvoeeadl\en-us\about_parameters.help.txt
- %TEMP%\iqvoeeadl\en-us\about_operators.help.txt
- %TEMP%\iqvoeeadl\en-us\about_objects.help.txt
- %TEMP%\iqvoeeadl\en-us\about_modules.help.txt
- %TEMP%\iqvoeeadl\en-us\about_methods.help.txt
- %TEMP%\iqvoeeadl\en-us\about_logical_operators.help.txt
- %TEMP%\iqvoeeadl\en-us\about_locations.help.txt
- %TEMP%\iqvoeeadl\en-us\about_line_editing.help.txt
- %TEMP%\iqvoeeadl\en-us\about_language_keywords.help.txt
- %TEMP%\iqvoeeadl\en-us\about_join.help.txt
- %TEMP%\iqvoeeadl\en-us\about_job_details.help.txt
- %TEMP%\iqvoeeadl\en-us\about_jobs.help.txt
- %TEMP%\iqvoeeadl\en-us\about_hash_tables.help.txt
- %TEMP%\1226823.cvr
Deletes the following files
- %TEMP%\iqvoeeadl\en-us\about_aliases.help.txt
- %TEMP%\iqvoeeadl\en-us\powershell.exe.mui
- %TEMP%\iqvoeeadl\en-us\microsoft.wsman.management.dll-help.xml
- %TEMP%\iqvoeeadl\en-us\microsoft.powershell.security.dll-help.xml
- %TEMP%\iqvoeeadl\en-us\microsoft.powershell.consolehost.dll-help.xml
- %TEMP%\iqvoeeadl\en-us\microsoft.powershell.commands.utility.dll-help.xml
- %TEMP%\iqvoeeadl\en-us\microsoft.powershell.commands.management.dll-help.xml
- %TEMP%\iqvoeeadl\en-us\microsoft.powershell.commands.diagnostics.dll-help.xml
- %TEMP%\iqvoeeadl\en-us\importallmodules.psd1
- %TEMP%\iqvoeeadl\en-us\default.help.txt
- %TEMP%\iqvoeeadl\en-us\about_ws-management_cmdlets.help.txt
- %TEMP%\iqvoeeadl\en-us\about_wmi_cmdlets.help.txt
- %TEMP%\iqvoeeadl\en-us\about_windows_powershell_ise.help.txt
- %TEMP%\iqvoeeadl\en-us\about_windows_powershell_2.0.help.txt
- %TEMP%\iqvoeeadl\en-us\about_wildcards.help.txt
- %TEMP%\iqvoeeadl\en-us\about_variables.help.txt
- %TEMP%\iqvoeeadl\en-us\psevents.dll.mui
- %TEMP%\iqvoeeadl\en-us\about_type_operators.help.txt
- %TEMP%\iqvoeeadl\en-us\about_types.ps1xml.help.txt
- %TEMP%\iqvoeeadl\en-us\about_try_catch_finally.help.txt
- %TEMP%\iqvoeeadl\en-us\about_trap.help.txt
- %TEMP%\iqvoeeadl\en-us\about_transactions.help.txt
- %TEMP%\iqvoeeadl\en-us\about_throw.help.txt
- %TEMP%\iqvoeeadl\en-us\about_switch.help.txt
- %TEMP%\iqvoeeadl\en-us\about_split.help.txt
- %TEMP%\iqvoeeadl\en-us\about_special_characters.help.txt
- %TEMP%\iqvoeeadl\en-us\about_signing.help.txt
- %TEMP%\iqvoeeadl\en-us\about_session_configurations.help.txt
- %TEMP%\iqvoeeadl\en-us\about_script_internationalization.help.txt
- %TEMP%\iqvoeeadl\en-us\about_script_blocks.help.txt
- %TEMP%\iqvoeeadl\en-us\about_while.help.txt
- %TEMP%\iqvoeeadl\en-us\about_properties.help.txt
- %TEMP%\iqvoeeadl\en-us\pspluginwkr.dll.mui
- %TEMP%\iqvoeeadl\registry.format.ps1xml
- %TEMP%\iqvoeeadl\pwrshsip.dll
- %TEMP%\iqvoeeadl\pwrshmsg.dll
- %TEMP%\iqvoeeadl\pspluginwkr.dll
- %TEMP%\iqvoeeadl\psevents.dll
- %TEMP%\iqvoeeadl\powershell_ise.exe
- %TEMP%\iqvoeeadl\powershelltrace.format.ps1xml
- %TEMP%\iqvoeeadl\powershellcore.format.ps1xml
- %TEMP%\iqvoeeadl\jr_zgtrw65.exe
- %TEMP%\iqvoeeadl\help.format.ps1xml
- %TEMP%\iqvoeeadl\getevent.types.ps1xml
- %TEMP%\iqvoeeadl\filesystem.format.ps1xml
- %TEMP%\iqvoeeadl\dotnettypes.format.ps1xml
- %TEMP%\iqvoeeadl\diagnostics.format.ps1xml
- %TEMP%\iqvoeeadl\en-us\about_scripts.help.txt
- %TEMP%\iqvoeeadl\en-us\powershell_ise.resources.dll
- %TEMP%\iqvoeeadl\modules\troubleshootingpack\troubleshootingpack.psd1
- %TEMP%\iqvoeeadl\modules\troubleshootingpack\troubleshootingpack.format.ps1xml
- %TEMP%\iqvoeeadl\modules\troubleshootingpack\en-us\microsoft.windows.diagnosis.troubleshootingpack.dll-help.xml
- %TEMP%\iqvoeeadl\modules\psdiagnostics\psdiagnostics.psm1
- %TEMP%\iqvoeeadl\modules\psdiagnostics\psdiagnostics.psd1
- %TEMP%\iqvoeeadl\modules\bitstransfer\microsoft.backgroundintelligenttransfer.management.interop.dll
- %TEMP%\iqvoeeadl\modules\bitstransfer\bitstransfer.psd1
- %TEMP%\iqvoeeadl\modules\bitstransfer\bitstransfer.format.ps1xml
- %TEMP%\iqvoeeadl\modules\bitstransfer\en-us\microsoft.backgroundintelligenttransfer.management.dll-help.xml
- %TEMP%\iqvoeeadl\modules\bitstransfer\en-us\about_bits_cmdlets.help.txt
- %TEMP%\iqvoeeadl\modules\applocker\applocker.psd1
- %TEMP%\iqvoeeadl\modules\applocker\en-us\microsoft.security.applicationid.policymanagement.cmdlets.dll-help.xml
- %TEMP%\iqvoeeadl\examples\profile.ps1
- %TEMP%\iqvoeeadl\en-us\system.management.automation.dll-help.xml
- %TEMP%\iqvoeeadl\certificate.format.ps1xml
- %TEMP%\iqvoeeadl\en-us\pwrshmsg.dll.mui
- %TEMP%\iqvoeeadl\en-us\about_scopes.help.txt
- %TEMP%\iqvoeeadl\en-us\about_return.help.txt
- %TEMP%\iqvoeeadl\en-us\about_reserved_words.help.txt
- %TEMP%\iqvoeeadl\en-us\about_do.help.txt
- %TEMP%\iqvoeeadl\en-us\about_history.help.txt
- %TEMP%\iqvoeeadl\en-us\about_hash_tables.help.txt
- %TEMP%\iqvoeeadl\en-us\about_functions_cmdletbindingattribute.help.txt
- %TEMP%\iqvoeeadl\en-us\about_functions_advanced_parameters.help.txt
- %TEMP%\iqvoeeadl\en-us\about_functions_advanced_methods.help.txt
- %TEMP%\iqvoeeadl\en-us\about_functions_advanced.help.txt
- %TEMP%\iqvoeeadl\en-us\about_functions.help.txt
- %TEMP%\iqvoeeadl\en-us\about_format.ps1xml.help.txt
- %TEMP%\iqvoeeadl\en-us\about_foreach.help.txt
- %TEMP%\iqvoeeadl\en-us\about_for.help.txt
- %TEMP%\iqvoeeadl\en-us\about_execution_policies.help.txt
- %TEMP%\iqvoeeadl\en-us\about_eventlogs.help.txt
- %TEMP%\iqvoeeadl\en-us\about_escape_characters.help.txt
- %TEMP%\iqvoeeadl\types.ps1xml
- %TEMP%\iqvoeeadl\en-us\about_jobs.help.txt
- %TEMP%\iqvoeeadl\en-us\about_debuggers.help.txt
- %TEMP%\iqvoeeadl\en-us\about_data_sections.help.txt
- %TEMP%\iqvoeeadl\en-us\about_core_commands.help.txt
- %TEMP%\iqvoeeadl\en-us\about_continue.help.txt
- %TEMP%\iqvoeeadl\en-us\about_comparison_operators.help.txt
- %TEMP%\iqvoeeadl\en-us\about_commonparameters.help.txt
- %TEMP%\iqvoeeadl\en-us\about_comment_based_help.help.txt
- %TEMP%\iqvoeeadl\en-us\about_command_syntax.help.txt
- %TEMP%\iqvoeeadl\en-us\about_command_precedence.help.txt
- %TEMP%\iqvoeeadl\en-us\about_break.help.txt
- %TEMP%\iqvoeeadl\en-us\about_automatic_variables.help.txt
- %TEMP%\iqvoeeadl\en-us\about_assignment_operators.help.txt
- %TEMP%\iqvoeeadl\en-us\about_arrays.help.txt
- %TEMP%\iqvoeeadl\en-us\about_arithmetic_operators.help.txt
- %TEMP%\iqvoeeadl\en-us\about_environment_variables.help.txt
- %TEMP%\iqvoeeadl\compiledcomposition.microsoft.powershell.gpowershell.dll
- %TEMP%\iqvoeeadl\en-us\about_job_details.help.txt
- %TEMP%\iqvoeeadl\en-us\about_line_editing.help.txt
- %TEMP%\iqvoeeadl\en-us\about_join.help.txt
- %TEMP%\iqvoeeadl\en-us\about_requires.help.txt
- %TEMP%\iqvoeeadl\en-us\about_remote_troubleshooting.help.txt
- %TEMP%\iqvoeeadl\en-us\about_remote_requirements.help.txt
- %TEMP%\iqvoeeadl\en-us\about_remote_output.help.txt
- %TEMP%\iqvoeeadl\en-us\about_remote_jobs.help.txt
- %TEMP%\iqvoeeadl\en-us\about_remote_faq.help.txt
- %TEMP%\iqvoeeadl\en-us\about_remote.help.txt
- %TEMP%\iqvoeeadl\en-us\about_regular_expressions.help.txt
- %TEMP%\iqvoeeadl\en-us\about_ref.help.txt
- %TEMP%\iqvoeeadl\en-us\about_redirection.help.txt
- %TEMP%\iqvoeeadl\en-us\about_quoting_rules.help.txt
- %TEMP%\iqvoeeadl\en-us\about_pssnapins.help.txt
- %TEMP%\iqvoeeadl\en-us\about_pssession_details.help.txt
- %TEMP%\iqvoeeadl\en-us\about_language_keywords.help.txt
- %TEMP%\iqvoeeadl\en-us\about_pssessions.help.txt
- %TEMP%\iqvoeeadl\en-us\about_if.help.txt
- %TEMP%\iqvoeeadl\en-us\about_prompts.help.txt
- %TEMP%\iqvoeeadl\en-us\about_profiles.help.txt
- %TEMP%\iqvoeeadl\en-us\about_preference_variables.help.txt
- %TEMP%\iqvoeeadl\en-us\about_pipelines.help.txt
- %TEMP%\iqvoeeadl\en-us\about_path_syntax.help.txt
- %TEMP%\iqvoeeadl\en-us\about_parsing.help.txt
- %TEMP%\iqvoeeadl\en-us\about_parameters.help.txt
- %TEMP%\iqvoeeadl\en-us\about_operators.help.txt
- %TEMP%\iqvoeeadl\en-us\about_objects.help.txt
- %TEMP%\iqvoeeadl\en-us\about_modules.help.txt
- %TEMP%\iqvoeeadl\en-us\about_methods.help.txt
- %TEMP%\iqvoeeadl\en-us\about_logical_operators.help.txt
- %TEMP%\iqvoeeadl\en-us\about_locations.help.txt
- %TEMP%\iqvoeeadl\en-us\about_providers.help.txt
- %TEMP%\iqvoeeadl\wsman.format.ps1xml
Moves the following files
- from %TEMP%\iqvoeeadl\powershell.exe to %TEMP%\iqvoeeadl\jr_zgtrw65.exe
Network activity
UDP
- DNS ASK in######appdocuments.xyz
Miscellaneous
Creates and executes the following
- '%TEMP%\iqvoeeadl\jr_zgtrw65.exe' $uvvaaxjiahkmoouskuu_g_kpkzvmj_rjllu=']$qsc ';$ueufyeeonxmu_bf='Byp';$tzgyhunzigjtdtdkterrsvqsbaugy='$env:t';$swtadnatwuepvecun_mbryyaes='th;R';$oaaaouglgnbouew='pa';$eonpnaeoumhmikngjy_cltgidx...' (with hidden window)