diff --git a/malware-analysis_ref_and_memo.md b/malware-analysis_ref_and_memo.md
index d6c36c3..4d4c7f7 100644
--- a/malware-analysis_ref_and_memo.md
+++ b/malware-analysis_ref_and_memo.md
@@ -24,7 +24,7 @@
 |IDA pro|[Lighthouse](https://github.com/gaasedelen/lighthouse)<br>[UEFI_RETool](https://github.com/yeggor/UEFI_RETool/tree/master/ida_plugin)|Not free|multi||||||
 |Binary Ninja|[Lighthouse](https://github.com/gaasedelen/lighthouse)|Not free|||||||
 |Cutter|[CutterDRcov](https://github.com/oddcoder/CutterDRcov)<br>[Jupyter Plugin for Cutter](https://github.com/radareorg/cutter-jupyter)<br>[x64dbgcutter](https://github.com/yossizap/x64dbgcutter)<br>[etc.](https://github.com/radareorg/cutter-plugins)|free|multi||||||
-|Ghidra|[pwndra](https://github.com/0xb0bb/pwndra)<br>[ghidra_scripts](https://github.com/alephsecurity/general-research-tools/tree/master/ghidra_scripts)|free|multi||||||
+|Ghidra|[pwndra](https://github.com/0xb0bb/pwndra)<br>[ghidra_scripts](https://github.com/alephsecurity/general-research-tools/tree/master/ghidra_scripts)<br>[OOAnalyzer](https://insights.sei.cmu.edu/sei_blog/2019/07/using-ooanalyzer-to-reverse-engineer-object-oriented-code-with-ghidra.html)|free|multi||||||
 |x64/x32dbg|[DbgChild](https://github.com/David-Reguera-Garcia-Dreg/DbgChild)|free|windows||||||
 |WinDbg||free|windows|Kernel mode debugging possible|||||
 |GDB|gdbpeda<br>pwngdb|free|linux||||||
@@ -73,12 +73,16 @@
 - Fake-net NG
 - INetSim
 - Noriben
+
 ### Forensic
-- EQL
 - Sysinternals
 - Volatility
     - malconfscan
     - hollowfind
+    
+### Threat hunting
+- EQL
+
 ### Online Sandbox
 |name|site|remarks|
 |:-|:-|:-|
@@ -111,6 +115,11 @@
 [PE-Sieve](https://github.com/hasherezade/pe-sieve)<br>
 - PE-Sieveを使用してシステム全体をスキャン<br>
 [HollowsHunter](https://github.com/hasherezade/hollows_hunter)<br>
+- ファイルやプロセスメモリ内の文字列の抽出<br>
+[strings2](http://split-code.com/strings2.html)<br>
+- 文字列，正規表現でプロセスメモリをスキャン<br>
+[mnemosyne](https://github.com/nccgroup/mnemosyne)<br>
+[Memory Scraping for Fun & Profit - Matt Lewis, NCC Group at CRESTCon & IIP Congress,youtube](https://www.youtube.com/watch?v=5HdYcE-woDc)
 - Injecition/Hollowingされたプロセスの自動検出<br>
 [Memhunter](https://github.com/marcosd4h/memhunter)<br>
     - **ref:**<br>
@@ -132,7 +141,14 @@
 # Doc Analysis
 - VBA マクロの解析についての資料<br>
 [Advanced VBA Macros Attack&Defence,BHEU2019](https://www.decalage.info/files/eu-19-Lagadec-Advanced-VBA-Macros-Attack-And-Defence.pdf)<br>
+- RTFファイルからOLEパッケージオブジェクトを検出し、埋め込みファイルを抽出<br>
+[rtfobj](https://github.com/decalage2/oletools/wiki/rtfobj)<br>
+
 # C2 Analysis
+### Emotet
+- Emotetのc2通信部分のエミュレータ<br>
+[Emutet](https://github.com/d00rt/emotet_network_protocol)<br>
+
 ### Ursnif
 - Ursnif(version 2)のc2通信の仕組みと復号ツールについて<br>
 [Writing Malware Traffic Decrypters for ISFB/Ursnif](https://labs.sentinelone.com/writing-malware-traffic-decrypters-for-isfb-ursnif/)
@@ -140,9 +156,13 @@
 # Binary Analysis
 ### Symbolic Execurtion
 to do...
+
 ### Taint Analysis
 to do...
+
 ### Decompiler
+to do...
+
 ### ref:
 - Intel系アーキテクチャSoftware Developer向けのマニュアル<br>
 [Intel® 64 and IA-32 Architectures Software Developer Manuals](https://software.intel.com/en-us/articles/intel-sdm)<br>