diff --git a/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md b/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md index 6ae93d2..577a750 100644 --- a/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md +++ b/Pakistan/APT/Gorgon/23-08-19/Malware analysis 25-08-19.md @@ -41,11 +41,13 @@ ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/tab.PNG "") ###### After this replace the caracters %_ by 0x with the replace function for get a valid array of hex bytes and execute it in memory. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/layer2tab.PNG "") - ###### The dll is protected with the ConfuserEx (1.0.0.0) protector, we can see the escaped caracters and the reference module. ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confuserExref.png "") ![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/confStrings.png "") - +###### Once the protection removed, we can see the functions used by the dll. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/unpack.png "") +###### The run method get the payload string push by the second PE and execute it. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Pakistan/APT/Gorgon/23-08-19/Images/Loader%20subPaste/run.png "") ## References MITRE ATT&CK Matrix ###### List of all the references with MITRE ATT&CK Matrix
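Review bot: The two added captions in this hunk have grammar errors that should be fixed before merge: "Once the protection removed, we can see the functions used by the dll." should read "Once the protection is removed, we can see the functions used by the dll.", and "The run method get the payload string push by the second PE and execute it." should read "The run method gets the payload string pushed by the second PE and executes it." The first added caption also states that the ConfuserEx protection was removed without saying how; naming the unpacking method or tool used would make the step reproducible for readers following the analysis. Since the hunk only adds two screenshots (unpack.png and run.png) for these steps, confirm both image files are committed under Images/Loader subPaste/ in the same change so the raw.githubusercontent.com links resolve. The unchanged context line "After this replace the caracters %_ by 0x" still carries the typo "caracters" (also in "escaped caracters"); worth fixing in a follow-up since it appears twice in this section.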