Staging (#151)

* Fixing links

* Code samples (#149)

* Update obfuscated-files-or-information.md

Added code sample with some proposed formatting incl. annotations explaining broad behavior patterns

* Update obfuscated-files-or-information.md

Added brief clarification to note

* Update obfuscated-files-or-information.md

Made requested changes to format

* Update system-information-discovery.md

Added code snippet from PoisonIvy RAT

* Update debugger-detection.md

Added code with example of PEB access

* Update system-information-discovery.md

Added new method based on code snippet

* Update registry.md

Added snippet for registry key query

* Update generate-pseudorandom-sequence.md

Added example of Mersenne Twister algorithm

* Update keylogging.md

Add Dark Comet keylogging code sample

* Update dns-communication.md

Added code sample from darkcomet

* Update socket-communication.md

Added DarkComet code snippet

* Update delete-file.md

Provided DarkComet sample

* Update file-and-directory-discovery.md

Added DarkComet snippet

* Update allocate-memory.md

Added DarkComet sample

* Update modulo.md

Added Hupigon snippet

* Update get-file-attributes.md

Added Hupigon sample

* Update application-window-discovery.md

Added Hupigon snippet

* Update create-process.md

Added Hupigon snippet.

* Update conditional-execution.md

Added Hupigon snippet

* Update create-thread.md

Added Hupigon snippet

* Update resume-thread.md

Added Hupigon snippet

* Update command-and-scripting-interpreter.md

Added SmokeLoader sample

* Update change-memory-protection.md

Added SmokeLoader snippet

* Update console.md

Added snippet from SmokeLoader

* Update dynamic-analysis-evasion.md

Added Industroyer sample

* Update interprocess-communication.md

Added CobaltStrike sample

* Update read-file.md

Added Cobalt Strike snippet

* Update writes-file.md

Added cobalt strike snippet

* Update noncryptographic-hash.md

Added emotet snippet

* Update clipboard-modification.md

Added emotet snippet

* Update check-mutex.md

Added emotet sampler

* Update check-mutex.md

Fixed typo

* Update create-mutex.md

Added Emotet snippet

* Update allocate-thread-local-storage.md

Added emotet snippet

* Update registry-run-keys-startup-folder.md

Added emotet snippet

* Update wininet.md

Added EnvyScout snippet

* Update http-communication.md

Added EnvyScout snippet

* Update enumerate-threads.md

Added Envyscout snippet

* Update set-thread-local-storage-value.md

Added Envyscout sample

* Update create-directory.md

Added explosive snippet

* Update delete-directory.md

Added explosive code snippet (note: the malware is called "explosive")

* Update set-file-attributes.md

Added explosive sample

* Update terminate-process.md

Added explosive snippet

* Update terminate-thread.md

Added explosive sample

* Update move-file.md

Added Finfisher snippet

* Update screen-capture.md

Added ECCENTRICBANDWAGON snippet

* Fix links (#150)

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* fix link

* update mod date

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* fix links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* update links

* Update code-discovery.md

* Update taskbar-discovery.md

* Update conditional-execution.md

* Update memory-dump-evasion.md

* Update execution-dependency.md

* Update compromise-data-integrity.md

* Update dns-communication.md

* Update http-communication.md

* Update interprocess-communication.md

* Update socket-communication.md

* Update wininet.md

* Update generate-pseudorandom-sequence.md

* Update modulo.md

* Update noncryptographic-hash.md

* Update create-directory.md

* Update delete-directory.md

* Update delete-file.md

* Update get-file-attributes.md

* Update move-file.md

* Update read-file.md

* Update terminate-thread.md

* Update set-file-attributes.md

* Update writes-file.md

* Update allocate-memory.md

* Update change-memory-protection.md

* Update console.md

* Update registry.md

* Update allocate-thread-local-storage.md

* Update check-mutex.md

* Update terminate-process.md

* Update create-mutex.md

* Update create-process.md

* Update set-thread-local-storage-value.md

* Update resume-thread.md

* Update enumerate-threads.md

* Update create-thread.md

* update for 3.1 release

* update for 3.1 release

* update for 3.1 release

---------

Co-authored-by: ryan <[email protected]>
Co-authored-by: brightmt <[email protected]>

Author: 3 people

README.md

@@ -1,4 +1,4 @@
-# <a name="mbc"></a>Malware Behavior Catalog v3.0 #
+# <a name="mbc"></a>Malware Behavior Catalog v3.1 #
 The Malware Behavior Catalog (MBC) is a catalog of malware objectives and behaviors, created to support malware analysis-oriented use cases, such as labeling, similarity analysis, and standardized reporting. Please see the [FAQ](./yfaq/README.md) page for answers to common questions, and read the [newsletters](./ynewsletters/README.md) for information on the most recent MBC updates and activity.
 
 Open-source malware analysis tools map their output to MBC and ATT&CK:
@@ -62,7 +62,7 @@ The canonical representation for MBC content is **OBJECTIVE::Behavior::Method**.
 Objectives and behaviors can be used alone, but a method *must* be associated with a behavior.
 
 ### STIX 2.1 Representation ###
-A STIX 2.1 representation for MBC v3.0 is available in the [mbc-stix2.1](https://github.com/MBCProject/mbc-stix2.1) repository. It's based on a refined STIX 2.1 [Malware Behavior Extension](https://github.com/oasis-open/cti-stix-common-objects/tree/main/extension-definition-specifications/malware-behavior-8e9) that includes new STIX domain objects for MBC objectives, behaviors, and methods.
+A STIX 2.1 representation for MBC v3.1 is available in the [mbc-stix2.1](https://github.com/MBCProject/mbc-stix2.1) repository. It's based on a refined STIX 2.1 [Malware Behavior Extension](https://github.com/oasis-open/cti-stix-common-objects/tree/main/extension-definition-specifications/malware-behavior-8e9) that includes new STIX domain objects for MBC objectives, behaviors, and methods.
 
 ### Navigator View ###
 This visual representation of the MBC Matrix is based on the ATT&CK Navigator. Two views are available: 

anti-behavioral-analysis/debugger-detection.md

@@ -17,15 +17,15 @@
 </tr>
 <tr>
 <td><b>Version</b></td>
-<td><b>2.2</b></td>
+<td><b>2.3</b></td>
 </tr>
 <tr>
 <td><b>Created</b></td>
 <td><b>1 August 2019</b></td>
 </tr>
 <tr>
 <td><b>Last Modified</b></td>
-<td><b>6 February 2024</b></td>
+<td><b>27 April 2024</b></td>
 </tr>
 </table>
 
@@ -129,21 +129,31 @@ Details on detecting debuggers can be found in the references.
 
 |Tool: CAPE|Mapping|APIs|
 |---|---|---|
-|[antidebug_checkremotedebuggerpresent](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_checkremotedebuggerpresent.py)|Debugger Detection (B0001)|CheckRemoteDebuggerPresent, NtQueryInformationProcess|
-|[antiav_nthookengine_libs](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antiav_nthookengine_libs.py)|Debugger Detection (B0001)|LdrGetDllHandle, LdrLoadDll|
-|[antiav_nthookengine_libs](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antiav_nthookengine_libs.py)|Debugger Detection::API Hook Detection (B0001.001)|LdrGetDllHandle, LdrLoadDll|
-|[antidebug_setunhandledexceptionfilter](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_setunhandledexceptionfilter.py)|Debugger Detection (B0001)|SetUnhandledExceptionFilter|
-|[antidebug_setunhandledexceptionfilter](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_setunhandledexceptionfilter.py)|Debugger Detection::UnhandledExceptionFilter (B0001.030)|SetUnhandledExceptionFilter|
-|[antidebug_addvectoredexceptionhandler](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_addvectoredexceptionhandler.py)|Debugger Detection (B0001)|AddVectoredExceptionHandler|
-|[antidebug_outputdebugstring](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_outputdebugstring.py)|Debugger Detection (B0001)|GetLastError, SetLastError, OutputDebugStringW, OutputDebugStringA|
-|[antidebug_outputdebugstring](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_outputdebugstring.py)|Debugger Detection::OutputDebugString (B0001.016)|GetLastError, SetLastError, OutputDebugStringW, OutputDebugStringA|
-|[antidebug_gettickcount](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_gettickcount.py)|Debugger Detection (B0001)|GetTickCount|
-|[antidebug_gettickcount](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_gettickcount.py)|Debugger Detection::Timing/Delay Check GetTickCount (B0001.032)|GetTickCount|
-|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_guardpages.py)|Debugger Detection (B0001)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
-|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_guardpages.py)|Debugger Detection::Memory Breakpoints (B0001.009)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
-|[antidebug_ntsetinformationthread](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_ntsetinformationthread.py)|Debugger Detection (B0001)|NtSetInformationThread|
-|[antidebug_ntsetinformationthread](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_ntsetinformationthread.py)|Debugger Detection::NtSetInformationThread (B0001.014)|NtSetInformationThread|
-|[antidebug_debugactiveprocess](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_debugactiveprocess.py)|Debugger Detection (B0001)|DebugActiveProcess|
+|[antidebug_checkremotedebuggerpresent](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_checkremotedebuggerpresent.py)|Debugger Detection (B0001)|CheckRemoteDebuggerPresent, NtQueryInformationProcess|
+|[antiav_nthookengine_libs](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_nthookengine_libs.py)|Debugger Detection (B0001)|LdrGetDllHandle, LdrLoadDll|
+|[antiav_nthookengine_libs](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_nthookengine_libs.py)|Debugger Detection::API Hook Detection (B0001.001)|LdrGetDllHandle, LdrLoadDll|
+|[antidebug_setunhandledexceptionfilter](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_setunhandledexceptionfilter.py)|Debugger Detection (B0001)|SetUnhandledExceptionFilter|
+|[antidebug_setunhandledexceptionfilter](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_setunhandledexceptionfilter.py)|Debugger Detection::UnhandledExceptionFilter (B0001.030)|SetUnhandledExceptionFilter|
+|[antidebug_addvectoredexceptionhandler](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_addvectoredexceptionhandler.py)|Debugger Detection (B0001)|AddVectoredExceptionHandler|
+|[antidebug_outputdebugstring](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_outputdebugstring.py)|Debugger Detection (B0001)|GetLastError, SetLastError, OutputDebugStringW, OutputDebugStringA|
+|[antidebug_outputdebugstring](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_outputdebugstring.py)|Debugger Detection::OutputDebugString (B0001.016)|GetLastError, SetLastError, OutputDebugStringW, OutputDebugStringA|
+|[antidebug_gettickcount](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_gettickcount.py)|Debugger Detection (B0001)|GetTickCount|
+|[antidebug_gettickcount](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_gettickcount.py)|Debugger Detection::Timing/Delay Check GetTickCount (B0001.032)|GetTickCount|
+|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_guardpages.py)|Debugger Detection (B0001)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
+|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_guardpages.py)|Debugger Detection::Memory Breakpoints (B0001.009)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
+|[antidebug_ntsetinformationthread](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_ntsetinformationthread.py)|Debugger Detection (B0001)|NtSetInformationThread|
+|[antidebug_ntsetinformationthread](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_ntsetinformationthread.py)|Debugger Detection::NtSetInformationThread (B0001.014)|NtSetInformationThread|
+|[antidebug_debugactiveprocess](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_debugactiveprocess.py)|Debugger Detection (B0001)|DebugActiveProcess|
+
+### B0001.019 Snippet
+<details>
+<summary> Anti-Behavioral Analysis::Debugger Detection::Process Environment Block </summary>
+SHA256: e33a713b96b45e2b2e0da350c0fdaaf865139607066aadff3b67b0ced82ca8bc
+Location: 0x1800270A2
+<pre>
+mov     rax, qword ptr GS:[0x60]        ; GS:[0x60] contains a pointer to the Windows Process Environment Block on 64-bit versions of Windows.  This command is copying that pointer into the rax register.
+</pre>
+</details>
 
 ## References
 

anti-behavioral-analysis/debugger-evasion.md

@@ -17,15 +17,15 @@
 </tr>
 <tr>
 <td><b>Version</b></td>
-<td><b>2.2</b></td>
+<td><b>2.3</b></td>
 </tr>
 <tr>
 <td><b>Created</b></td>
 <td><b>1 August 2019</b></td>
 </tr>
 <tr>
 <td><b>Last Modified</b></td>
-<td><b>6 February 2024</b></td>
+<td><b>27 April 2024</b></td>
 </tr>
 </table>
 
@@ -91,11 +91,11 @@ The related **Debugger Evasion ([T1622](https://attack.mitre.org/techniques/T162
 
 |Tool: CAPE|Mapping|APIs|
 |---|---|---|
-|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_guardpages.py)|Debugger Evasion (B0002)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
-|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_guardpages.py)|Debugger Evasion::Guard Pages (B0002.008)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
-|[antidebug_ntcreatethreadex](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antidebug_ntcreatethreadex.py)|Debugger Evasion (B0002)|NtCreateThreadEx|
-|[debugs_self](https://github.com/CAPESandbox/community/tree/master/modules/signatures/debugs_self.py)|Debugger Evasion (B0002)|CreateProcessInternalW|
-|[debugs_self](https://github.com/CAPESandbox/community/tree/master/modules/signatures/debugs_self.py)|Debugger Evasion::Self-Debugging (B0002.024)|CreateProcessInternalW|
+|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_guardpages.py)|Debugger Evasion (B0002)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
+|[antidebug_guardpages](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_guardpages.py)|Debugger Evasion::Guard Pages (B0002.008)|VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory|
+|[antidebug_ntcreatethreadex](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antidebug_ntcreatethreadex.py)|Debugger Evasion (B0002)|NtCreateThreadEx|
+|[debugs_self](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/debugs_self.py)|Debugger Evasion (B0002)|CreateProcessInternalW|
+|[debugs_self](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/debugs_self.py)|Debugger Evasion::Self-Debugging (B0002.024)|CreateProcessInternalW|
 
 ## References
 

anti-behavioral-analysis/dynamic-analysis-evasion.md

@@ -17,15 +17,15 @@
 </tr>
 <tr>
 <td><b>Version</b></td>
-<td><b>2.1</b></td>
+<td><b>2.2</b></td>
 </tr>
 <tr>
 <td><b>Created</b></td>
 <td><b>1 August 2019</b></td>
 </tr>
 <tr>
 <td><b>Last Modified</b></td>
-<td><b>5 December 2023</b></td>
+<td><b>27 April 2024</b></td>
 </tr>
 </table>
 
@@ -75,15 +75,26 @@ The related **Virtualization/Sandbox Evasion ([T1497](https://attack.mitre.org/t
 
 |Tool: CAPE|Mapping|APIs|
 |---|---|---|
-|[api_spamming](https://github.com/CAPESandbox/community/tree/master/modules/signatures/api_spamming.py)|Dynamic Analysis Evasion (B0003)|--|
-|[api_spamming](https://github.com/CAPESandbox/community/tree/master/modules/signatures/api_spamming.py)|Dynamic Analysis Evasion::Data Flood (B0003.002)|--|
-|[api_spamming](https://github.com/CAPESandbox/community/tree/master/modules/signatures/api_spamming.py)|Dynamic Analysis Evasion::Delayed Execution (B0003.003)|--|
-|[antisandbox_suspend](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antisandbox_suspend.py)|Dynamic Analysis Evasion (B0003)|NtSuspendThread|
-|[antisandbox_restart](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antisandbox_restart.py)|Dynamic Analysis Evasion (B0003)|ExitWindowsEx, InitiateSystemShutdownExW, NtSetSystemPowerState, InitiateSystemShutdownW, InitiateShutdownW, NtRaiseHardError, NtShutdownSystem|
-|[antisandbox_restart](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antisandbox_restart.py)|Dynamic Analysis Evasion::Restart (B0003.010)|ExitWindowsEx, InitiateSystemShutdownExW, NtSetSystemPowerState, InitiateSystemShutdownW, InitiateShutdownW, NtRaiseHardError, NtShutdownSystem|
-|[stealth_timeout](https://github.com/CAPESandbox/community/tree/master/modules/signatures/stealth_timeout.py)|Dynamic Analysis Evasion (B0003)|NtWaitForSingleObject, NtQuerySystemTime, NtTerminateProcess, GetLocalTime, NtDelayExecution, GetSystemTime, GetSystemTimeAsFileTime|
-|[stealth_timeout](https://github.com/CAPESandbox/community/tree/master/modules/signatures/stealth_timeout.py)|Dynamic Analysis Evasion::Delayed Execution (B0003.003)|NtWaitForSingleObject, NtQuerySystemTime, NtTerminateProcess, GetLocalTime, NtDelayExecution, GetSystemTime, GetSystemTimeAsFileTime|
-|[antisandbox_unhook](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antisandbox_unhook.py)|Dynamic Analysis Evasion (B0003)|--|
+|[api_spamming](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/api_spamming.py)|Dynamic Analysis Evasion (B0003)|--|
+|[api_spamming](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/api_spamming.py)|Dynamic Analysis Evasion::Data Flood (B0003.002)|--|
+|[api_spamming](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/api_spamming.py)|Dynamic Analysis Evasion::Delayed Execution (B0003.003)|--|
+|[antisandbox_suspend](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antisandbox_suspend.py)|Dynamic Analysis Evasion (B0003)|NtSuspendThread|
+|[antisandbox_restart](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antisandbox_restart.py)|Dynamic Analysis Evasion (B0003)|ExitWindowsEx, InitiateSystemShutdownExW, NtSetSystemPowerState, InitiateSystemShutdownW, InitiateShutdownW, NtRaiseHardError, NtShutdownSystem|
+|[antisandbox_restart](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antisandbox_restart.py)|Dynamic Analysis Evasion::Restart (B0003.010)|ExitWindowsEx, InitiateSystemShutdownExW, NtSetSystemPowerState, InitiateSystemShutdownW, InitiateShutdownW, NtRaiseHardError, NtShutdownSystem|
+|[stealth_timeout](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/stealth_timelimit.py)|Dynamic Analysis Evasion (B0003)|NtWaitForSingleObject, NtQuerySystemTime, NtTerminateProcess, GetLocalTime, NtDelayExecution, GetSystemTime, GetSystemTimeAsFileTime|
+|[stealth_timeout](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/stealth_timelimit.py)|Dynamic Analysis Evasion::Delayed Execution (B0003.003)|NtWaitForSingleObject, NtQuerySystemTime, NtTerminateProcess, GetLocalTime, NtDelayExecution, GetSystemTime, GetSystemTimeAsFileTime|
+|[antisandbox_unhook](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antisandbox_unhook.py)|Dynamic Analysis Evasion (B0003)|--|
+
+### B0003.003 Snippet
+<details>
+<summary> Anti-Behavioral Analysis::Dynamic Analysis Evasion::Delayed Execution </summary>
+SHA256: 21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561
+Location: 0x40103B
+<pre>
+push    0x36ee80        ; sleep duration: 3600000 milliseconds (1 hour)
+call    dword ptr [->KERNEL32.DLL::Sleep]       ; Windows API call instructing thread to sleep for the time period specified above
+</pre>
+</details>
 
 ## References
 

anti-behavioral-analysis/emulator-detection.md

@@ -17,15 +17,15 @@
 </tr>
 <tr>
 <td><b>Version</b></td>
-<td><b>2.1</b></td>
+<td><b>2.2</b></td>
 </tr>
 <tr>
 <td><b>Created</b></td>
 <td><b>1 August 2019</b></td>
 </tr>
 <tr>
 <td><b>Last Modified</b></td>
-<td><b>5 December 2023</b></td>
+<td><b>27 April 2024</b></td>
 </tr>
 </table>
 
@@ -57,12 +57,12 @@ Detects whether the malware instance is being executed inside an emulator. If so
 
 |Tool: CAPE|Mapping|APIs|
 |---|---|---|
-|[antiemu_windefend](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antiemu_windefend.py)|Emulator Detection (B0004)|--|
-|[antivm_bochs_keys](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antivm_bochs_keys.py)|Emulator Detection (B0004)|--|
-|[antivm_bochs_keys](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antivm_bochs_keys.py)|Emulator Detection::Check Emulator-related Registry Keys (B0004.003)|--|
-|[antiemu_wine_func](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antiemu_wine_func.py)|Emulator Detection (B0004)|LdrGetProcedureAddress|
-|[antiemu_wine_reg](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antiemu_wine_reg.py)|Emulator Detection (B0004)|--|
-|[antiemu_wine_reg](https://github.com/CAPESandbox/community/tree/master/modules/signatures/antiemu_wine_reg.py)|Emulator Detection::Check Emulator-related Registry Keys (B0004.003)|--|
+|[antiemu_windefend](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antiemu_windefend.py)|Emulator Detection (B0004)|--|
+|[antivm_bochs_keys](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antivm_bochs_keys.py)|Emulator Detection (B0004)|--|
+|[antivm_bochs_keys](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antivm_bochs_keys.py)|Emulator Detection::Check Emulator-related Registry Keys (B0004.003)|--|
+|[antiemu_wine_func](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antiemu_wine_func.py)|Emulator Detection (B0004)|LdrGetProcedureAddress|
+|[antiemu_wine_reg](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antiemu_wine.py)|Emulator Detection (B0004)|--|
+|[antiemu_wine_reg](https://github.com/CAPESandbox/community/tree/master/modules/signatures/windows/antiemu_wine.py)|Emulator Detection::Check Emulator-related Registry Keys (B0004.003)|--|
 
 ## References