Update malware-analysis_ref_and_memo.md

malware-analysis_ref_and_memo.md

@@ -102,6 +102,10 @@
 [Trickbot artifact decrypter](https://github.com/snemes/malware-analysis/tree/master/trickbot)
 - Injecition/Hollowingされたプロセスの自動検出<br>
 [Memhunter](https://github.com/marcosd4h/memhunter)<br>
+    - **ref:**<br>
+        - [Memhunter (Memory resident malware hunting at scale)](https://docs.google.com/presentation/d/1hgx2FTNIkry9Nt8LOJVz_rHNhcGfJChxZVGckv7VI8E/edit#slide=id.g5712e7065f_1_1)<br>
+        - [Reflective DLL Injection Detection through Memhunte,youtube](https://www.youtube.com/watch?v=t_fR1sCENkc)<br>
+        - [Process Hollowing Injection Detection through Memhunter,youtube](https://www.youtube.com/watch?v=QxCguP76uyg)<br>
     - メモリダンプが不要で，感染環境でメモリスキャンを行う
     - メモリスキャンのヒューリスティックトリガーにETWデータを利用している
     - ETWのSuspicious Eventsとして以下を定義
@@ -112,10 +116,6 @@
 > - Image Load Operations<br>
 > - Kernel Audit APIs usage<br>
 > - etc.<br>
-- **ref:**<br>
-    - [Memhunter (Memory resident malware hunting at scale)](https://docs.google.com/presentation/d/1hgx2FTNIkry9Nt8LOJVz_rHNhcGfJChxZVGckv7VI8E/edit#slide=id.g5712e7065f_1_1)<br>
-    - [Reflective DLL Injection Detection through Memhunte,youtube](https://www.youtube.com/watch?v=t_fR1sCENkc)<br>
-    - [Process Hollowing Injection Detection through Memhunter,youtube](https://www.youtube.com/watch?v=QxCguP76uyg)<br>
 
 
 # Doc Analysis