diff --git a/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md b/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md
index f0c1905..4cb72bb 100644
--- a/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md
+++ b/offshore APT organization/Bitter/27-08-19/Malware analysis 31-08-19.md
@@ -42,10 +42,13 @@
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/GetProcname.PNG "")
###### This use too , the EncodePointer function for encoding a specified pointer (encoded pointers can be used to provide another layer of protection for pointer values).
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/PointerDATA.png "")
-###### After perform the reconnaissance actions, this can send a query as pulse with the informations to the C2.
+###### After perform the reconnaissance actions, this can send a query as pulse with the informations to the C2, the URL to send is decoded and an additionnal operation give the final URL.
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/send.png "")
![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/offshore%20APT%20organization/Bitter/27-08-19/Images/query.png "")
###### The data are encoded by the algoritm too, with the script, we can decode the strings and see that the roles and data send to the C2.
+`SNI=VTFS.QD&UME=Xjoepxt!8!Qspgfttjpobm&OPQ=benjo&IVR=VTFS.QD$$benjoAA11482.572.3314613.96675&st=0` (Here from the Anyrun sandbox)
+###### We can resume all the variables used and the type of the informations sended in the C2.
+
|Variable|Description|
| ------------- |:-------------|
|SNI|Computer name|
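Review bot: The sample beacon added after the "data are encoded by the algoritm too" line is pasted still encoded, although that sentence says the script decodes the strings. Put the decoded query string next to it, or state that this is the raw on-the-wire form. Either way a reader can then map each field to the variable table that follows. The sample also carries a trailing `st=0` parameter; make sure the table documents it along with SNI, UME, OPQ and IVR. Move the sandbox attribution "(Here from the Anyrun sandbox)" in front of the string and link the run it came from. In the added text, fix "additionnal" to "additional", "resume" to "summarize" and "sended in the C2" to "sent to the C2", and split the reworded C2 sentence in two, since the URL-decoding remark is currently joined to it with a comma.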
@@ -65,21 +68,21 @@
|Enterprise tactics|Technics used|Ref URL|
| :---------------: |:-------------| :------------- |
-|Execution|T1059 - Command-Line Interface
T1106 - Execution through API
T1170 - Mshta
T1086 - PowerShell
T1053 - Scheduled Task
T1064 - Scripting
T1059 - Command-Line Interface|https://attack.mitre.org/techniques/T1059
https://attack.mitre.org/techniques/T1106
https://attack.mitre.org/techniques/T1170
https://attack.mitre.org/techniques/T1086
https://attack.mitre.org/techniques/T1053
https://attack.mitre.org/techniques/T1064
https://attack.mitre.org/techniques/T1059|
-|Persistence|T1060 - Registry Run Keys / Startup Folder
T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1060
https://attack.mitre.org/techniques/T1053|
-|Privilege Escalation|T1053 - Scheduled Task|https://attack.mitre.org/techniques/T1053|
-|Defense Evasion|T1170 - Mshta
T1064 - Scripting|https://attack.mitre.org/techniques/T1170
https://attack.mitre.org/techniques/T1064|
-|Credential Access|T1081 - Credentials in Files|https://attack.mitre.org/techniques/T1081|
-|Collection|T1113 - Screen Capture
T1114 - Email Collection|https://attack.mitre.org/techniques/T1113
https://attack.mitre.org/techniques/T1114|
+|Execution|T1203 - Exploitation for Client Execution|https://attack.mitre.org/techniques/T1203|
+|Persistence|T1060 - Registry Run Keys / Startup Folder|https://attack.mitre.org/techniques/T1060|
+|Discovery|T1012 - Query Registry|https://attack.mitre.org/techniques/T1012|
+|Lateral Movement|T1105 - Remote File Copy|https://attack.mitre.org/techniques/T1105|
+|C & C|T1105 - Remote File Copy|https://attack.mitre.org/techniques/T1105|
+
## Indicators Of Compromise (IOC)
###### List of all the Indicators Of Compromise (IOC)
| Indicator | Description|
| ------------- |:-------------|
-|Urgent Action.docx]|34b53cd683f60800ac4057d25b24d8f083f759d024d22b4e5f2a464bc85de65a|
+|Urgent Action.docx|34b53cd683f60800ac4057d25b24d8f083f759d024d22b4e5f2a464bc85de65a|
|smss.exe|dcb8531b0879d46949dd63b1ac094f5588c26867805d0795e244f4f9b8077ed1|
-|maq.com.pk|domain requested|
-|203.124.43.227|ip requested|
+|maq.com.pk|Domain requested|
+|203.124.43.227|IP requested|
|http[:]//maq.com.pk/|HTTP/HTTPS requests|
|http[:]//maq.com.pk/wehsd|HTTP/HTTPS requests|
|http[:]//maq.com.pk/wehs|HTTP/HTTPS requests|
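Review bot: The two IOC rows touched here, `maq.com.pk` and `203.124.43.227`, are left as live values, while the URL rows directly below them are defanged as `http[:]//`. Since these lines are being edited anyway, defang them the same way (for example `maq[.]com[.]pk`) so the table is consistent and safe to copy. In the ATT&CK table, the new tactic label "C & C" should use the matrix name "Command and Control", matching the other rows. The rewrite also drops every previous Execution, Privilege Escalation, Defense Evasion, Credential Access and Collection entry without explanation. If those techniques were carried over from another report, say so in the commit message so the removal is not read as a finding that changed.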