Staging (#151)

* Fixing links * Code samples (#149) * Update obfuscated-files-or-information.md Added code sample with some proposed formatting incl. annotations explaining broad behavior patterns * Update obfuscated-files-or-information.md Added brief clarification to note * Update obfuscated-files-or-information.md Made requested changes to format * Update system-information-discovery.md Added code snippet from PoisonIvy RAT * Update debugger-detection.md Added code with example of PEB access * Update system-information-discovery.md Added new method based on code snippet * Update registry.md Added snippet for registry key query * Update generate-pseudorandom-sequence.md Added example of Mersenne Twister algorithm * Update keylogging.md Add Dark Comet keylogging code sample * Update dns-communication.md Added code sample from darkcomet * Update socket-communication.md Added DarkComet code snippet * Update delete-file.md Provided DarkComet sample * Update file-and-directory-discovery.md Added DarkComet snippet * Update allocate-memory.md Added DarkComet sample * Update modulo.md Added Hupigon snippet * Update get-file-attributes.md Added Hupigon sample * Update application-window-discovery.md Added Hupigon snippet * Update create-process.md Added Hupigon snippet. * Update conditional-execution.md Added Hupigon snippet * Update create-thread.md Added Hupigon snippet * Update resume-thread.md Added Hupigon snippet * Update command-and-scripting-interpreter.md Added SmokeLoader sample * Update change-memory-protection.md Added SmokeLoader snippet * Update console.md Added snippet from SmokeLoader * Update dynamic-analysis-evasion.md Added Industroyer sample * Update interprocess-communication.md Added CobaltStrike sample * Update read-file.md Added Cobalt Strike snippet * Update writes-file.md Added cobalt strike snippet * Update noncryptographic-hash.md Added emotet snippet * Update clipboard-modification.md Added emotet snippet * Update check-mutex.md Added emotet sampler * Update check-mutex.md Fixed typo * Update create-mutex.md Added Emotet snippet * Update allocate-thread-local-storage.md Added emotet snippet * Update registry-run-keys-startup-folder.md Added emotet snippet * Update wininet.md Added EnvyScout snippet * Update http-communication.md Added EnvyScout snippet * Update enumerate-threads.md Added Envyscout snippet * Update set-thread-local-storage-value.md Added Envyscout sample * Update create-directory.md Added explosive snippet * Update delete-directory.md Added explosive code snippet (note: the malware is called "explosive") * Update set-file-attributes.md Added explosive sample * Update terminate-process.md Added explosive snippet * Update terminate-thread.md Added explosive sample * Update move-file.md Added Finfisher snippet * Update screen-capture.md Added ECCENTRICBANDWAGON snippet * Fix links (#150) * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * fix link * update mod date * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * fix links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * update links * Update code-discovery.md * Update taskbar-discovery.md * Update conditional-execution.md * Update memory-dump-evasion.md * Update execution-dependency.md * Update compromise-data-integrity.md * Update dns-communication.md * Update http-communication.md * Update interprocess-communication.md * Update socket-communication.md * Update wininet.md * Update generate-pseudorandom-sequence.md * Update modulo.md * Update noncryptographic-hash.md * Update create-directory.md * Update delete-directory.md * Update delete-file.md * Update get-file-attributes.md * Update move-file.md * Update read-file.md * Update terminate-thread.md * Update set-file-attributes.md * Update writes-file.md * Update allocate-memory.md * Update change-memory-protection.md * Update console.md * Update registry.md * Update allocate-thread-local-storage.md * Update check-mutex.md * Update terminate-process.md * Update create-mutex.md * Update create-process.md * Update set-thread-local-storage-value.md * Update resume-thread.md * Update enumerate-threads.md * Update create-thread.md * update for 3.1 release * update for 3.1 release * update for 3.1 release --------- Co-authored-by: ryan <ryanxu@wustl.edu> Co-authored-by: brightmt <50853930+brightmt@users.noreply.github.com>
MBCProject · May 1, 2024 · bd31003 · bd31003
1 parent 42dc41e
commit bd31003
Show file tree

Hide file tree

Showing 103 changed files with 1,713 additions and 975 deletions.
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# <a name="mbc"></a>Malware Behavior Catalog v3.0 #
+# <a name="mbc"></a>Malware Behavior Catalog v3.1 #
 The Malware Behavior Catalog (MBC) is a catalog of malware objectives and behaviors, created to support malware analysis-oriented use cases, such as labeling, similarity analysis, and standardized reporting. Please see the [FAQ](./yfaq/README.md) page for answers to common questions, and read the [newsletters](./ynewsletters/README.md) for information on the most recent MBC updates and activity.
 
 Open-source malware analysis tools map their output to MBC and ATT&CK:
@@ -62,7 +62,7 @@ The canonical representation for MBC content is **OBJECTIVE::Behavior::Method**.
 Objectives and behaviors can be used alone, but a method *must* be associated with a behavior.
 
 ### STIX 2.1 Representation ###
-A STIX 2.1 representation for MBC v3.0 is available in the [mbc-stix2.1](https://github.com/MBCProject/mbc-stix2.1) repository. It's based on a refined STIX 2.1 [Malware Behavior Extension](https://github.com/oasis-open/cti-stix-common-objects/tree/main/extension-definition-specifications/malware-behavior-8e9) that includes new STIX domain objects for MBC objectives, behaviors, and methods.
+A STIX 2.1 representation for MBC v3.1 is available in the [mbc-stix2.1](https://github.com/MBCProject/mbc-stix2.1) repository. It's based on a refined STIX 2.1 [Malware Behavior Extension](https://github.com/oasis-open/cti-stix-common-objects/tree/main/extension-definition-specifications/malware-behavior-8e9) that includes new STIX domain objects for MBC objectives, behaviors, and methods.
 
 ### Navigator View ###
 This visual representation of the MBC Matrix is based on the ATT&CK Navigator. Two views are available: 

diff --git a/anti-behavioral-analysis/debugger-detection.md b/anti-behavioral-analysis/debugger-detection.md
@@ -17,15 +17,15 @@
 </tr>
 <tr>
 <td><b>Version</b></td>
-<td><b>2.2</b></td>
+<td><b>2.3</b></td>
 </tr>
 <tr>
 <td><b>Created</b></td>
 <td><b>1 August 2019</b></td>
 </tr>
 <tr>
 <td><b>Last Modified</b></td>
-<td><b>6 February 2024</b></td>
+<td><b>27 April 2024</b></td>
 </tr>
 </table>
 
@@ -129,21 +129,31 @@ Details on detecting debuggers can be found in the references.
 
 |Tool: CAPE|Mapping|APIs|
 |---|---|---|
-|[antidebug_checkremotedebuggerpresent](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_checkremotedebuggerpresent.py)|Debugger Detection (B0001)|CheckRemoteDebuggerPresent, NtQueryInformationProcess|
-|[antiav_nthookengine_libs](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antiav_nthookengine_libs.py)|Debugger Detection (B0001)|LdrGetDllHandle, LdrLoadDll|
-|[antiav_nthookengine_libs](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antiav_nthookengine_libs.py)|Debugger Detection::API Hook Detection (B0001.001)|LdrGetDllHandle, LdrLoadDll|
-|[antidebug_setunhandledexceptionfilter](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_setunhandledexceptionfilter.py)|Debugger Detection (B0001)|SetUnhandledExceptionFilter|
-|[antidebug_setunhandledexceptionfilter](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_setunhandledexceptionfilter.py)|Debugger Detection::UnhandledExceptionFilter (B0001.030)|SetUnhandledExceptionFilter|
-|[antidebug_addvectoredexceptionhandler](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_addvectoredexceptionhandler.py)|Debugger Detection (B0001)|AddVectoredExceptionHandler|
-|[antidebug_outputdebugstring](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_outputdebugstring.py)|Debugger Detection (B0001)|GetLastError, SetLastError, OutputDebugStringW, OutputDebugStringA|
-|[antidebug_outputdebugstring](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_outputdebugstring.py)|Debugger Detection::OutputDebugString (B0001.016)|GetLastError, SetLastError, OutputDebugStringW, OutputDebugStringA|
-|[antidebug_gettickcount](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_gettickcount.py)|Debugger Detection (B0001)|GetTickCount|
-|[antidebug_gettickcount](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_gettickcount.py)|Debugger Detection::Timing/Delay Check GetTickCount (B0001.032)|GetTickCount|
-|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_guardpages.py)|Debugger Detection (B0001)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
-|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_guardpages.py)|Debugger Detection::Memory Breakpoints (B0001.009)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
-|[antidebug_ntsetinformationthread](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_ntsetinformationthread.py)|Debugger Detection (B0001)|NtSetInformationThread|
-|[antidebug_ntsetinformationthread](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_ntsetinformationthread.py)|Debugger Detection::NtSetInformationThread (B0001.014)|NtSetInformationThread|
-|[antidebug_debugactiveprocess](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_debugactiveprocess.py)|Debugger Detection (B0001)|DebugActiveProcess|
+|[antidebug_checkremotedebuggerpresent](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_checkremotedebuggerpresent.py)|Debugger Detection (B0001)|CheckRemoteDebuggerPresent, NtQueryInformationProcess|
+|[antiav_nthookengine_libs](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_nthookengine_libs.py)|Debugger Detection (B0001)|LdrGetDllHandle, LdrLoadDll|
+|[antiav_nthookengine_libs](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_nthookengine_libs.py)|Debugger Detection::API Hook Detection (B0001.001)|LdrGetDllHandle, LdrLoadDll|
+|[antidebug_setunhandledexceptionfilter](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_setunhandledexceptionfilter.py)|Debugger Detection (B0001)|SetUnhandledExceptionFilter|
+|[antidebug_setunhandledexceptionfilter](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_setunhandledexceptionfilter.py)|Debugger Detection::UnhandledExceptionFilter (B0001.030)|SetUnhandledExceptionFilter|
+|[antidebug_addvectoredexceptionhandler](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_addvectoredexceptionhandler.py)|Debugger Detection (B0001)|AddVectoredExceptionHandler|
+|[antidebug_outputdebugstring](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_outputdebugstring.py)|Debugger Detection (B0001)|GetLastError, SetLastError, OutputDebugStringW, OutputDebugStringA|
+|[antidebug_outputdebugstring](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_outputdebugstring.py)|Debugger Detection::OutputDebugString (B0001.016)|GetLastError, SetLastError, OutputDebugStringW, OutputDebugStringA|
+|[antidebug_gettickcount](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_gettickcount.py)|Debugger Detection (B0001)|GetTickCount|
+|[antidebug_gettickcount](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_gettickcount.py)|Debugger Detection::Timing/Delay Check GetTickCount (B0001.032)|GetTickCount|
+|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_guardpages.py)|Debugger Detection (B0001)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
+|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_guardpages.py)|Debugger Detection::Memory Breakpoints (B0001.009)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
+|[antidebug_ntsetinformationthread](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_ntsetinformationthread.py)|Debugger Detection (B0001)|NtSetInformationThread|
+|[antidebug_ntsetinformationthread](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_ntsetinformationthread.py)|Debugger Detection::NtSetInformationThread (B0001.014)|NtSetInformationThread|
+|[antidebug_debugactiveprocess](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_debugactiveprocess.py)|Debugger Detection (B0001)|DebugActiveProcess|
+
+### B0001.019 Snippet
+<details>
+<summary> Anti-Behavioral Analysis::Debugger Detection::Process Environment Block </summary>
+SHA256: e33a713b96b45e2b2e0da350c0fdaaf865139607066aadff3b67b0ced82ca8bc
+Location: 0x1800270A2
+<pre>
+mov     rax, qword ptr GS:[0x60]        ; GS:[0x60] contains a pointer to the Windows Process Environment Block on 64-bit versions of Windows.  This command is copying that pointer into the rax register.
+</pre>
+</details>
 
 ## References
 

diff --git a/anti-behavioral-analysis/debugger-evasion.md b/anti-behavioral-analysis/debugger-evasion.md
@@ -17,15 +17,15 @@
 </tr>
 <tr>
 <td><b>Version</b></td>
-<td><b>2.2</b></td>
+<td><b>2.3</b></td>
 </tr>
 <tr>
 <td><b>Created</b></td>
 <td><b>1 August 2019</b></td>
 </tr>
 <tr>
 <td><b>Last Modified</b></td>
-<td><b>6 February 2024</b></td>
+<td><b>27 April 2024</b></td>
 </tr>
 </table>
 
@@ -91,11 +91,11 @@ The related **Debugger Evasion ([T1622](https://attack.mitre.org/techniques/T162
 
 |Tool: CAPE|Mapping|APIs|
 |---|---|---|
-|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_guardpages.py)|Debugger Evasion (B0002)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
-|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_guardpages.py)|Debugger Evasion::Guard Pages (B0002.008)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
-|[antidebug_ntcreatethreadex](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_ntcreatethreadex.py)|Debugger Evasion (B0002)|NtCreateThreadEx|
-|[debugs_self](https://github.com/CAPESandbox/community/tree/master/modules/signatures/debugs_self.py)|Debugger Evasion (B0002)|CreateProcessInternalW|
-|[debugs_self](https://github.com/CAPESandbox/community/tree/master/modules/signatures/debugs_self.py)|Debugger Evasion::Self-Debugging (B0002.024)|CreateProcessInternalW|
+|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_guardpages.py)|Debugger Evasion (B0002)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
+|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_guardpages.py)|Debugger Evasion::Guard Pages (B0002.008)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
+|[antidebug_ntcreatethreadex](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_ntcreatethreadex.py)|Debugger Evasion (B0002)|NtCreateThreadEx|
+|[debugs_self](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/debugs_self.py)|Debugger Evasion (B0002)|CreateProcessInternalW|
+|[debugs_self](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/debugs_self.py)|Debugger Evasion::Self-Debugging (B0002.024)|CreateProcessInternalW|
 
 ## References
 

diff --git a/anti-behavioral-analysis/dynamic-analysis-evasion.md b/anti-behavioral-analysis/dynamic-analysis-evasion.md
@@ -17,15 +17,15 @@
 </tr>
 <tr>
 <td><b>Version</b></td>
-<td><b>2.1</b></td>
+<td><b>2.2</b></td>
 </tr>
 <tr>
 <td><b>Created</b></td>
 <td><b>1 August 2019</b></td>
 </tr>
 <tr>
 <td><b>Last Modified</b></td>
-<td><b>5 December 2023</b></td>
+<td><b>27 April 2024</b></td>
 </tr>
 </table>
 
@@ -75,15 +75,26 @@ The related **Virtualization/Sandbox Evasion ([T1497](https://attack.mitre.org/t
 
 |Tool: CAPE|Mapping|APIs|
 |---|---|---|
-|[api_spamming](https://github.com/CAPESandbox/community/tree/master/modules/signatures/api_spamming.py)|Dynamic Analysis Evasion (B0003)|--|
-|[api_spamming](https://github.com/CAPESandbox/community/tree/master/modules/signatures/api_spamming.py)|Dynamic Analysis Evasion::Data Flood (B0003.002)|--|
-|[api_spamming](https://github.com/CAPESandbox/community/tree/master/modules/signatures/api_spamming.py)|Dynamic Analysis Evasion::Delayed Execution (B0003.003)|--|
-|[antisandbox_suspend](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antisandbox_suspend.py)|Dynamic Analysis Evasion (B0003)|NtSuspendThread|
-|[antisandbox_restart](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antisandbox_restart.py)|Dynamic Analysis Evasion (B0003)|ExitWindowsEx, InitiateSystemShutdownExW, NtSetSystemPowerState, InitiateSystemShutdownW, InitiateShutdownW, NtRaiseHardError, NtShutdownSystem|
-|[antisandbox_restart](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antisandbox_restart.py)|Dynamic Analysis Evasion::Restart (B0003.010)|ExitWindowsEx, InitiateSystemShutdownExW, NtSetSystemPowerState, InitiateSystemShutdownW, InitiateShutdownW, NtRaiseHardError, NtShutdownSystem|
-|[stealth_timeout](https://github.com/CAPESandbox/community/tree/master/modules/signatures/stealth_timeout.py)|Dynamic Analysis Evasion (B0003)|NtWaitForSingleObject, NtQuerySystemTime, NtTerminateProcess, GetLocalTime, NtDelayExecution, GetSystemTime, GetSystemTimeAsFileTime|
-|[stealth_timeout](https://github.com/CAPESandbox/community/tree/master/modules/signatures/stealth_timeout.py)|Dynamic Analysis Evasion::Delayed Execution (B0003.003)|NtWaitForSingleObject, NtQuerySystemTime, NtTerminateProcess, GetLocalTime, NtDelayExecution, GetSystemTime, GetSystemTimeAsFileTime|
-|[antisandbox_unhook](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antisandbox_unhook.py)|Dynamic Analysis Evasion (B0003)|--|
+|[api_spamming](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/api_spamming.py)|Dynamic Analysis Evasion (B0003)|--|
+|[api_spamming](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/api_spamming.py)|Dynamic Analysis Evasion::Data Flood (B0003.002)|--|
+|[api_spamming](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/api_spamming.py)|Dynamic Analysis Evasion::Delayed Execution (B0003.003)|--|
+|[antisandbox_suspend](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antisandbox_suspend.py)|Dynamic Analysis Evasion (B0003)|NtSuspendThread|
+|[antisandbox_restart](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antisandbox_restart.py)|Dynamic Analysis Evasion (B0003)|ExitWindowsEx, InitiateSystemShutdownExW, NtSetSystemPowerState, InitiateSystemShutdownW, InitiateShutdownW, NtRaiseHardError, NtShutdownSystem|
+|[antisandbox_restart](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antisandbox_restart.py)|Dynamic Analysis Evasion::Restart (B0003.010)|ExitWindowsEx, InitiateSystemShutdownExW, NtSetSystemPowerState, InitiateSystemShutdownW, InitiateShutdownW, NtRaiseHardError, NtShutdownSystem|
+|[stealth_timeout](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/stealth_timelimit.py)|Dynamic Analysis Evasion (B0003)|NtWaitForSingleObject, NtQuerySystemTime, NtTerminateProcess, GetLocalTime, NtDelayExecution, GetSystemTime, GetSystemTimeAsFileTime|
+|[stealth_timeout](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/stealth_timelimit.py)|Dynamic Analysis Evasion::Delayed Execution (B0003.003)|NtWaitForSingleObject, NtQuerySystemTime, NtTerminateProcess, GetLocalTime, NtDelayExecution, GetSystemTime, GetSystemTimeAsFileTime|
+|[antisandbox_unhook](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antisandbox_unhook.py)|Dynamic Analysis Evasion (B0003)|--|
+
+### B0003.003 Snippet
+<details>
+<summary> Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution </summary>
+SHA256: 21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561
+Location: 0x40103B
+<pre>
+push    0x36ee80        ; sleep duration: 3600000 milliseconds (1 hour)
+call    dword ptr [->KERNEL32.DLL::Sleep]       ; Windows API call instructing thread to sleep for the time period specified above
+</pre>
+</details>
 
 ## References
 

diff --git a/anti-behavioral-analysis/emulator-detection.md b/anti-behavioral-analysis/emulator-detection.md
@@ -17,15 +17,15 @@
 </tr>
 <tr>
 <td><b>Version</b></td>
-<td><b>2.1</b></td>
+<td><b>2.2</b></td>
 </tr>
 <tr>
 <td><b>Created</b></td>
 <td><b>1 August 2019</b></td>
 </tr>
 <tr>
 <td><b>Last Modified</b></td>
-<td><b>5 December 2023</b></td>
+<td><b>27 April 2024</b></td>
 </tr>
 </table>
 
@@ -57,12 +57,12 @@ Detects whether the malware instance is being executed inside an emulator. If so
 
 |Tool: CAPE|Mapping|APIs|
 |---|---|---|
-|[antiemu_windefend](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antiemu_windefend.py)|Emulator Detection (B0004)|--|
-|[antivm_bochs_keys](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antivm_bochs_keys.py)|Emulator Detection (B0004)|--|
-|[antivm_bochs_keys](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antivm_bochs_keys.py)|Emulator Detection::Check Emulator-related Registry Keys (B0004.003)|--|
-|[antiemu_wine_func](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antiemu_wine_func.py)|Emulator Detection (B0004)|LdrGetProcedureAddress|
-|[antiemu_wine_reg](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antiemu_wine_reg.py)|Emulator Detection (B0004)|--|
-|[antiemu_wine_reg](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antiemu_wine_reg.py)|Emulator Detection::Check Emulator-related Registry Keys (B0004.003)|--|
+|[antiemu_windefend](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antiemu_windefend.py)|Emulator Detection (B0004)|--|
+|[antivm_bochs_keys](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antivm_bochs_keys.py)|Emulator Detection (B0004)|--|
+|[antivm_bochs_keys](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antivm_bochs_keys.py)|Emulator Detection::Check Emulator-related Registry Keys (B0004.003)|--|
+|[antiemu_wine_func](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antiemu_wine_func.py)|Emulator Detection (B0004)|LdrGetProcedureAddress|
+|[antiemu_wine_reg](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antiemu_wine.py)|Emulator Detection (B0004)|--|
+|[antiemu_wine_reg](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antiemu_wine.py)|Emulator Detection::Check Emulator-related Registry Keys (B0004.003)|--|
 
 ## References