![](https://pbs.twimg.com/media/D-iLVE6XsAEkcem.png)
threatintelligence.guardicore.com/?utm_medium=or…
github.com/guardicore/lab…
![](https://pbs.twimg.com/media/D-ihL7DXsAAc3jd.jpg)
* Open port 65529 and redirect all traffic from it to 1.1.1.1:53
* Create and run a scheduled task named Rtsa that executes #PowerShell with a base64-encoded command
* Add PowerShell to %PATH%
* Run another PS script if the infection vector runs as NETWORK SERVICE
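A hunting script for the four artifacts listed above, added here as an example; it is not code from the Guardicore Labs thread or their repo. It assumes the port redirect was created with `netsh interface portproxy` (the thread only says the traffic is redirected), that the base64 command is passed via `-EncodedCommand` (or one of its accepted prefixes such as `-e`/`-enc`), and that a clean host has exactly one PowerShell directory on the machine PATH, the default `%SystemRoot%\System32\WindowsPowerShell\v1.0`. The port, address and task name are the thread's; everything else is parameterised so the same checks can be reused for other campaigns. Run it elevated so the task and its principal are readable.

```powershell
function Find-RtsaArtifacts {
    [CmdletBinding()]
    param(
        [int]    $ListenPort  = 65529,     # from the thread
        [string] $ConnectAddr = '1.1.1.1', # from the thread
        [int]    $ConnectPort = 53,        # from the thread
        [string] $TaskName    = 'Rtsa'     # from the thread
    )
    $findings = @()

    # 1. Port redirect. Assumption: created with "netsh interface portproxy",
    #    whose rules persist under this key as values named "listenaddr/listenport"
    #    with data "connectaddr/connectport". A redirect done another way will not show here.
    $proxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
    if (Test-Path $proxyKey) {
        foreach ($p in (Get-ItemProperty -Path $proxyKey).PSObject.Properties) {
            if ($p.Name -notmatch '/') { continue }          # skip PSPath/PSChildName etc.
            $lAddr, $lPort = $p.Name -split '/', 2
            $cAddr, $cPort = [string]$p.Value -split '/', 2
            if ([int]$lPort -eq $ListenPort -or ($cAddr -eq $ConnectAddr -and [int]$cPort -eq $ConnectPort)) {
                $findings += "portproxy ${lAddr}:${lPort} -> ${cAddr}:${cPort}"
            }
        }
    }

    # 2. Scheduled task. Report the principal (the thread says behaviour differs when the
    #    vector runs as NETWORK SERVICE) and decode the encoded command so the analyst sees
    #    the script, not the blob. -EncodedCommand payloads are base64 of UTF-16LE text.
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) {
        $findings += "task $TaskName runs as '$($task.Principal.UserId)', state=$($task.State)"
        foreach ($a in $task.Actions) {
            $argLine = [string]$a.Arguments
            $findings += "task $TaskName action: $($a.Execute) $argLine"
            # Matches -e, -ec, -en, -enc, -encodedcommand ... but not -exec/-ExecutionPolicy.
            if ($argLine -match '(?i)(?:^|\s)-e(?:[cn][a-z]*)?\s+([A-Za-z0-9+/=]{20,})') {
                try {
                    $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
                    $findings += "task $TaskName decoded command: $decoded"
                } catch {
                    $findings += "task $TaskName: encoded-command argument is not valid base64"
                }
            }
        }
    }

    # 3. PATH tampering. Assumption: a clean machine PATH contains exactly one PowerShell
    #    directory, the default below, so only extra or duplicate entries are suspicious.
    $expected = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\System32\WindowsPowerShell\v1.0').TrimEnd('\').ToLower()
    $entries  = ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';') |
                Where-Object { $_ } |
                ForEach-Object { [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\').ToLower() }
    $psEntries = @($entries | Where-Object { $_ -match 'powershell' })
    $extra     = @($psEntries | Where-Object { $_ -ne $expected })
    $dupCount  = @($psEntries | Where-Object { $_ -eq $expected }).Count
    if ($extra.Count -gt 0) { $findings += "PATH has non-default PowerShell entries: $($extra -join ', ')" }
    if ($dupCount -gt 1)    { $findings += "PATH lists the default PowerShell directory $dupCount times" }

    return $findings
}

# Usage: an empty result means none of the four artifacts was found.
Find-RtsaArtifacts | ForEach-Object { Write-Output $_ }
```

The portproxy check reads the registry rather than parsing `netsh interface portproxy show all` so it also works against a mounted offline SYSTEM hive; the decoded task command is the most useful output here, since the second-stage script's contents are what tell you whether the host matched the NETWORK SERVICE branch the thread describes.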
![](https://pbs.twimg.com/media/D-ih5u5WkAIxPTt.png)
threatintelligence.guardicore.com/domain/t.zer2.…
![](https://pbs.twimg.com/media/D-ikxvOWkAAll0n.jpg)
threatintelligence.guardicore.com/domain/t.awcna…
![](https://pbs.twimg.com/media/D-ikL0KXoAATTHi.png)
![](https://pbs.twimg.com/media/D-ioRtOXUAA9wmT.png)
![](https://pbs.twimg.com/media/D-ip_snXkAAyp1q.png)
![](https://pbs.twimg.com/media/D-irYVHXUAAX7Uv.png)
![](https://pbs.twimg.com/media/D-jY-3ZXoAATudZ.png)