diff --git a/Indian/APT/Donot/17-09-19/Malware analysis.md b/Indian/APT/Donot/17-09-19/Malware analysis.md index b54652f..4f4bd49 100644 --- a/Indian/APT/Donot/17-09-19/Malware analysis.md +++ b/Indian/APT/Donot/17-09-19/Malware analysis.md 
@@ -72,6 +72,34 @@ ## Cyber Threat Intel ### Opendir analysis +###### We can note that the server are main hosted by DigitalOcean cloud provider. +|IP|URL|Opendir|ASN|Organization|Route|Coordinates|Country| +| :---------------: | :--------------- | :---------------: | :---------------: | :---------------: | :---------------: | :---------------: |:---------------: | +|178.62.188.63|hxxp[:]//en-content.com/SecurityM/EFILE|Yes|AS14061|DigitalOcean Amsterdam|178.62.128.0/18|52.3740,4.8897|Netherlands| +|178.62.186.233|hxxp[:]//bsodsupport.icu/ScanSecurity/XLSSN|Yes|AS14061|DigitalOcean Amsterdam|178.62.128.0/18|52.3740,4.8897|Netherlands| +|156.67.222.128|hxxp[:]//noitfication-office-client.890m.com/fcfdae-9dfc335ca-bd10/NHSORE/jjhl|No|AS47583|Hostinger International Limited|156.67.208.0/20|1.3667,103.8000|Singapore| +|159.89.104.38|hxxp[:]//plug.msplugin.icu/MicrosoftSecurityScan/DOCSDOC|No|AS14061|DigitalOcean, LLC|159.89.96.0/20|50.1155,8.6842|Germany| +|157.230.213.81|hxxp[:]//mscheck.icu/SecurityScan/XLSS|No|AS14061|DigitalOcean, LLC|157.230.208.0/20|40.8043,-74.0121|United States| +|146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/11MVEM1X|No|AS14061|DigitalOcean Amsterdam|146.185.128.0/19|52.3740,4.8897|Netherlands| +|146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/FRSI080222F|No|AS14061|DigitalOcean Amsterdam|146.185.128.0/19|52.3740,4.8897|Netherlands| +###### The group use multiple OS and Web Servers, this can be explained by two possible reasons. First, Donot can be multiple groups with differents levels of skills or the attacker have don't protect some servers due this used for weak interest targets. 
+ +|IP|URL|Opendir|Webserver|OS| +| :---------------: | :---------------: | :---------------: | :---------------: | :---------------: | +|178.62.188.63|hxxp[:]//en-content.com/SecurityM/EFILE|Yes|Apache|CentOS| +|178.62.186.233|hxxp[:]//bsodsupport.icu/ScanSecurity/XLSSN|Yes|Apache|CentOS| +|156.67.222.128|hxxp[:]//noitfication-office-client.890m.com/fcfdae-9dfc335ca-bd10/NHSORE/jjhl|No|LiteSpeed|CentOS| +|159.89.104.38|hxxp[:]//plug.msplugin.icu/MicrosoftSecurityScan/DOCSDOC|No|Apache|CentOS| +|157.230.213.81|hxxp[:]//mscheck.icu/SecurityScan/XLSS|No|Nginx ?|Ubuntu ?| +|146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/11MVEM1X|No|Nginx|Ubuntu| +|146.185.139.134|hxxp[:]//sdn.host/MicrosoftSecurityScan/FRSI080222F|No|Nginx|Ubuntu| +###### List of files on the opendir : +|IP|URL|Files|Date (Last modified)|Size| +| :---------------: | :---------------: | :---------------: | :---------------: |:---------------: | +|178.62.188.63|hxxp[:]//en-content.com/SecurityM/|DFILE
DFILE-
EFILE
EFILE-
LIN|2019-08-30 12:46
2019-08-29 12:05
2019-08-30 12:49
2019-08-29 12:19
2019-08-30 12:49|1.1M
1.1M
685K
685K
685K| +|178.62.186.233|hxxp[:]//bsodsupport.icu/ScanSecurity/|DOCS
DOCSN
DOCSN-1
XLSS
XLSSN
XLSSN-1|2019-08-16 08:17
2019-08-27 07:03
2019-08-22 08:52
2019-08-16 08:26
2019-08-28 06:39
2019-08-22 08:59|1.1M
1.1M
1.7M
697K
685K
885K| +###### We can confirm that the campaign have begin early August 2019 and reuse old tools. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Donot/17-09-19/Images/date.png "") ## Cyber kill chain ###### The process graph resume the cyber kill chain used by the attacker.
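Review bot: The conclusion at the end of the hunk ("We can confirm that the campaign have begin early August 2019 and reuse old tools") is not supported by the evidence added above it: the earliest Last-modified timestamp in the opendir listing is 2019-08-16 (DOCS on 178.62.186.233), so the tables only support "mid-August 2019" unless the date.png figure shows something earlier, in which case say what it shows; nothing in the hunk speaks to tool reuse either, so that claim needs its own evidence (a hash or a cross-reference to an earlier sample) or should be dropped. Two smaller points in the same hunk: the multi-value cells in the "List of files on the opendir" table (e.g. `|DFILE` followed by `DFILE-`, `EFILE` on their own lines) break the markdown table, since a cell cannot span raw line breaks; either join them with `<br>` or emit one row per file, which also makes the date and size columns line up unambiguously. The prose also needs a grammar pass and a hedge where the data is uncertain: "the server are main hosted by DigitalOcean" should read "the servers are mainly hosted by DigitalOcean", and the sentence "the attacker have don't protect some servers due this used for weak interest targets" should read "the attacker did not harden the servers used against lower-value targets"; the "Nginx ?"/"Ubuntu ?" entries for 157.230.213.81 should state how the fingerprint was obtained (banner, error page, TLS stack) so the reader knows why it is tentative, and the Organization column should be consistent ("DigitalOcean Amsterdam" vs. "DigitalOcean, LLC" for the Frankfurt and New Jersey nodes).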