diff --git a/Unknown/Unknown phishing group/Analysis_29-09-2019.md b/Unknown/Unknown phishing group/Analysis_29-09-2019.md index f868d8e..11910b8 100644 --- a/Unknown/Unknown phishing group/Analysis_29-09-2019.md +++ b/Unknown/Unknown phishing group/Analysis_29-09-2019.md 
@@ -92,7 +92,23 @@ |kill-process|Kill a specific process (by taskkill)| |Sleep|Hibernate process via a duration chosen by the attacker| -###### A new sample have been spotted (17 September), this gives a period of 2 months between the two versions. The group seems focus the phishing campaign on the general common topics (Bank, suppliers, service provider...), not specific sectors and only as financial goals. +###### A new sample have been spotted (17 September), this gives a period of 2 months between the two versions but, this seems be an edited version or code reuse by a different group for many reasons : + +* ###### Different ways and skills to code the script +* ###### Different paths of .pdb + +###### List of PDB paths: + +|Module|PDB path| +| :---------------: |:-------------| +|RDP module (V2.0)|C:\Users\Android\Documents\Visual Studio 2010\Projects\RDP\RDP\obj\x86\Debug\RDP.pdb| +|Keylogger Module (V2.0)|C:\Users\Android\documents\visual studio 2010\Projects\Keylogger\Keylogger\obj\x86\Debug\Keylogger.pdb| +|Reverse Proxy Module (v2.0)|C:\Users\Android\documents\visual studio 2010\Projects\ReverseProxy\ReverseProxy\obj\x86\Debug\ReverseProxy.pdb| +|RDP module (V1.2)|C:\Users\Android\Documents\Visual Studio 2010\Projects\RDP\RDP\obj\x86\Debug\RDP.pdb| +|Keylogger Module (V1.2)|C:\Users\Android\documents\visual studio 2010\Projects\Keylogger\Keylogger\obj\x86\Debug\Keylogger.pdb| +|Reverse Proxy Module (v1.2)|C:\Users\Android\AppData\Local\Temp\uvfPsywleB\Doctorpol\obj\x86\Debug\Doctorpol.pdb| + +###### Whatever, the group(s) seems focus the phishing campaign on the general common topics (Bank, suppliers, service provider...), not specific sectors and only as financial goals. ## Cyber kill chain ###### The process graph resume the cyber kill chain used by the attacker. 
@@ -140,6 +156,7 @@ |185.194.141.58|IP C2| |185.247.228.159|IP C2| +###### note: Read "open-rdp|1280x720" instead of "open-rdp/1280x720" due to "|" is used for the table column definition, this fixed on the JSON file. ###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Unknown/Unknown%20phishing%20group/IOC/IOC_01-10-19.json) ## Links
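Review bot: in the first hunk (`@@ -92,7 +92,23 @@`), the new PDB table does not support the bullet "Different paths of .pdb" it is meant to justify: the RDP module and Keylogger module rows carry identical paths for V1.2 and V2.0 (`C:\Users\Android\Documents\Visual Studio 2010\Projects\RDP\RDP\obj\x86\Debug\RDP.pdb` appears twice, as does the Keylogger path), so only the Reverse Proxy module differs (`C:\Users\Android\AppData\Local\Temp\uvfPsywleB\Doctorpol\obj\x86\Debug\Doctorpol.pdb` versus the `ReverseProxy` project path). The shared "Android" user name and Visual Studio 2010 project layout across both versions read as evidence for the same build environment, which cuts against the "different group" hypothesis; suggest narrowing the bullet to "Different PDB path for the Reverse Proxy module" and saying explicitly why the shared build path is not treated as contradicting code reuse by another group. The lead sentence also needs a grammar pass: "A new sample has been spotted (17 September), which gives a period of 2 months between the two versions, but this seems to be an edited version or code reuse by a different group, for several reasons:", and the closing line "Whatever, the group(s) seems focus" should become "Either way, the group(s) seem to focus".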
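Review bot: in the second hunk (`@@ -140,6 +156,7 @@`), the added note works around the table-separator problem instead of fixing it: GitHub-flavored Markdown accepts an escaped pipe (`\|`) inside a table cell, so the command can be written as `open-rdp\|1280x720` and will render with the real character, which removes the need to ask the reader to mentally substitute "|" for "/" and keeps the Markdown IoC consistent with the JSON export linked on the next line. If the note is kept anyway, it should read: "note: read "open-rdp|1280x720" instead of "open-rdp/1280x720"; "|" is the table column separator, so the value was altered here. The JSON file carries the correct value."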