BARIUM (cc70bdbd-afa7-4e19-bba2-2443811ef3af)

Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	BARIUM (cc70bdbd-afa7-4e19-bba2-2443811ef3af)	Microsoft Activity Group actor	1
Brass Typhoon (2fc42ffc-dd1a-560e-ac97-05e8fa27bbe5)	Microsoft Activity Group actor	APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	2
LEAD (f542442e-ba0f-425d-b386-6c10351a468e)	Microsoft Activity Group actor	APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	2
APT41 (9c124874-042d-48cd-b72b-ccdc51ecbbd6)	Threat Actor	Speculoos (201e8794-a93b-476f-9436-1dd859c6e5d9)	Backdoor	2
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	3
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
APT17 (99e30d89-9361-4b73-a999-9e5ff9320bcb)	Threat Actor	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Winnti Group - G0044 (c5947e1c-1cbc-434c-94b8-27c7e3be0fff)	Intrusion Set	3
RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	4
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795)	Attack Pattern	4
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	4
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Axiom - G0001 (a0cb9370-e39b-44d5-9f50-ef78e412b973)	Intrusion Set	4
Build social network persona - T1341 (9108e212-1c94-4f8d-be76-1aad9b4c86a4)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Obfuscate infrastructure - T1331 (72c8d526-1247-42d4-919c-6d7a31ca8f39)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Develop social network persona digital footprint - T1342 (271e6d40-e191-421a-8f87-a8102452c201)	Attack Pattern	APT17 - G0025 (090242d7-73fc-4738-af68-20162f7a5aae)	Intrusion Set	4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1)	Malpedia	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c)	Tool	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995)	Attack Pattern	4
Winnti for Windows - S0141 (d3afa961-a80c-4043-9509-282cdf69ab21)	Malware	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	PipeMon - S0501 (8393dac0-0583-456a-9372-fd81691bca20)	Malware	4
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	4
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	4
Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5)	Attack Pattern	RDP Hijacking - T1563.002 (e0033c16-a07e-48aa-8204-7c3ca669998c)	Attack Pattern	5
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81)	Attack Pattern	5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d)	Malpedia	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	5
Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703)	Tool	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	5
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	5
9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f)	Malpedia	Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	5
Hydraq - S0203 (73a4793a-ce55-4159-b2a6-208ef29b326f)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Hikit (06953055-92ed-4936-8ffd-d9d72ab6bef6)	Tool	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	5
Hikit - S0009 (95047f03-4811-4300-922e-1ba937d53a61)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	5
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5)	Attack Pattern	5
Botnet - T1584.005 (810d8072-afb6-4a56-9ee7-86379ac4a6f3)	Attack Pattern	Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9)	Attack Pattern	5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f)	Tool	5
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	5
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	5
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	5
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	5
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c)	Tool	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5)	Malpedia	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	5
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	5
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	5
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	5
Derusbi - S0021 (94379dec-5c87-49db-b36e-66abc0b81344)	Malware	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	5
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	5
Zox - S0672 (fb28627c-d6ea-4c35-b138-ab5e96ae5445)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	5
PoisonIvy - S0012 (b42378e0-f147-496f-992a-26a49705395b)	Malware	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	5
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	5
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795)	Attack Pattern	5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	ZxShell - S0412 (cfc75b0d-e579-40ae-ad07-a1ce00d49a6c)	Malware	5
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91)	Attack Pattern	5
BLACKCOFFEE - S0069 (d69c8146-ab35-4d50-8382-6fc80e641d43)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	5
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	5
Obfuscate infrastructure - T1309 (e6ca2820-a564-4b74-b42a-b6bdf052e5b6)	Attack Pattern	Obfuscate infrastructure - T1331 (72c8d526-1247-42d4-919c-6d7a31ca8f39)	Attack Pattern	5
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	5
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	5
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	5
Winnti (Windows) (7f8166e2-c7f4-4b48-a07b-681b61a8f2c1)	Malpedia	Winnti (9b3a4cff-1c5a-4fd6-b49c-27240b6d622c)	Tool	5
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	5
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	5
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	5
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	5
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	5
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	5
Environmental Keying - T1480.001 (f244b8dd-af6c-4391-a497-fc03627ce995)	Attack Pattern	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	5
Print Processors - T1547.012 (2de47683-f398-448f-b947-9abcc3e32fad)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	5
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	5
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	5
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	5
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	5
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	5
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	5
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b)	Attack Pattern	MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	5
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	5
DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	5
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	5
DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	5
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	5
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	5
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	5
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	6
Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703)	Tool	9002 RAT (bab647d7-c9d6-4697-8fd2-1295c7429e1f)	Malpedia	6
Aurora (70c31066-237a-11e8-8eff-37ef1ad0c703)	Tool	Aurora (2f899e3e-1a46-43ea-8e68-140603ce943d)	Malpedia	6
HiKit (35fd4bd7-d510-40fd-b89c-8a1b10dbc3f1)	Malpedia	Hikit (06953055-92ed-4936-8ffd-d9d72ab6bef6)	Tool	6
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing Policy Modification - T1553.006 (565275d5-fcc3-4b66-b4e7-928e4cac6b8c)	Attack Pattern	6
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	6
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	6
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	6
Derusbi (Windows) (7ea00126-add3-407e-b69d-d4aa1b3049d5)	Malpedia	Derusbi (eff68b97-f36e-4827-ab1a-90523c16774c)	Tool	6
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	6
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	6
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	6
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	6
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	6
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	6
PoisonIvy (4e104fef-8a2c-4679-b497-6e86d7d47db0)	RAT	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	6
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	6
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Active Setup - T1547.014 (22522668-ddf6-470b-a027-9d6866679f67)	Attack Pattern	6
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	6
poisonivy (e336aeba-b61a-44e0-a0df-cd52a5839db5)	Tool	Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	6
Poison Ivy (7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7)	Malpedia	Poison Ivy (2abe89de-46dd-4dae-ae22-b49a593aff54)	Tool	6
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	6
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	6
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	6
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	6
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	6
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	6
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	6
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Torn RAT (32a67552-3b31-47bb-8098-078099bbc813)	Tool	7
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	7
APT14 (c82c904f-b3b4-40a2-bf0d-008912953104)	Threat Actor	Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	7
Gh0st RAT (255a59a7-db2d-44fc-9ca9-5859b65817c3)	RAT	Ghost RAT (225fa6cf-dc9c-4b86-873b-cdf1d9dd3738)	Malpedia	8
Gh0st Rat (cb8c8253-4024-4cc9-8989-b4a5f95f6c2f)	Tool	APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc)	Threat Actor	8