diff --git a/Russia/APT/Gamaredon/16-08-19/Malware analysis 16-08-19.md b/Russia/APT/Gamaredon/16-08-19/Malware analysis 16-08-19.md
index 753cb23..70091e4 100644
--- a/Russia/APT/Gamaredon/16-08-19/Malware analysis 16-08-19.md	
+++ b/Russia/APT/Gamaredon/16-08-19/Malware analysis 16-08-19.md	
@@ -2,7 +2,8 @@
 ## Table of Contents
 * [Malware analysis](#Malware-analysis)
   + [Analysis of the TTPs](#Initial-vector)
-* [Cyber Threat Intel](#Cyber-Threat-Intel)
+  + [Cyber kill chain](#Initial-vector)
+* [Cyber Threat Intel](#Cyber-Kill-Chain)
 * [IOC](#IOC)
 * [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
 * [Links](#Links)
@@ -10,8 +11,8 @@
   + [Ref previous analysis](#Documents)
   + [Link Anyrun](#Links-Anyrun)
 
-## Malware-analysis
-### Analysis of the TTPs
+## Malware-analysis <a name="Malware-analysis"></a>
+### Analysis of the TTPs <a name="Initial-vector"></a>
 ###### Like the last sample analysed, the new samples uses an SFX archive for extract the files and execute the fake document and the payload.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/SFX.png "SFX startup")
 ###### We can see again the cmd file extracted by the SFX archive. The randomization of the obfuscated strings has been by the algorithm in the archive.
@@ -19,11 +20,11 @@
 ###### Also this use the function GetCommandLineA for getting a pointer to the command-line string for the current process.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/command.PNG "Commandline function")
 
-### Cyber kill chain
+### Cyber kill chain <a name="Cyber-Kill-Chain"></a>
 
 ###### The process graph resume the cyber kill chain used by the attacker. We can observe that the TTPs are the same.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/cyber.PNG "Cyber kill chain")
-## Cyber Threat Intel
+## Cyber Threat Intel <a name="Cyber-Threat-Intel"></a>
 
 ###### Both latest spotted samples have the same C2 hosted in a Russia provider.
 ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/16-08-19/Images/IP.png "IP informations")
@@ -46,13 +47,18 @@
 ###### List of all the Indicators Of Compromise (IOC)
 | Indicator     | Description|
 | ------------- |:-------------|
-|02013f0c6767eb7f0538510ba6ede0103e797fa7b9bc2733d00e3710702fdf1c.scr|02013f0c6767eb7f0538510ba6ede0103e797fa7b9bc2733d00e3710702fdf1c|
-|FDGSKGN.vbs|630c0c86faf828bc4645526ca58b855d1a2db57cca0e406c1d5b7e2de88a1322|
-|PowerShellCertificates_C4BA3647.ps1|8f33ce796ee08525d32f5794ebd355914140e43e4b63e09b384dabda93a8b22c|
-|9856.txt|a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599|
-|176.57.215.22|IP C2|
-|http[:]//shell-create.ddns.net/|URL request|	
-|shell-create.ddns.net|Domain C2|
+|1426f88edaf207d2c62422f343209fae|204da6b16288cf94890ab036836a27a8163bef259092b3eb21c99e52144256e8|
+|a.exe|a94b4e7ecd9482b0e610b2521727715d1d401d775617512514bdd2e0b9351e06|
+|23379.txt|a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599|
+|18535.cmd|29389990ce789001c337e98abd3ff49b3c80dd34e66033c62732e4af89e13f4f|
+|21826.cmd|825deff8a0d7635b2e45ac2d7ad09c80e45cd380a0e54831910e0bb62063d20b|	
+|QoceoIJ.vbs|37b05d4273e3e0a558d431ed3cc443d2a93001b121c4aae9fc8f9778a5578316|
+|zZBwUAc.vbs|f29d970f4ace8516a254515be3b3adf14ebf9651c0ee1aecaddd68a3d12c0315|
+|PowerShellCertificates_C4BA3647.ps1|6de997b9bbfa09def80109108def78a42bc16820c681d12210011ea5d1a86321|
+|Document.docx|2a5c7e6e9347f74e8a5d288274117cb638ff0305a3e46813d64316f869d5e7ec|
+|document-listing.ddns.net|Domain C2|	
+|188.225.24.161|IP C2|
+|http[:]//document-listing.ddns.net/|URL request|
 
 ###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/APT/Gamaredon/06-08-19/IOC_Gamaredon_16-08-19.json)