Merge pull request #2 from BatsIhor/master

Two chars MZ are represented by two bytes not one
2025-12-21 16:04:20 +01:00 · 2017-03-29 19:06:19 -07:00
parent f5b271c983 2db5aaf309
commit ef9f87ada0
1 changed files with 2 additions and 2 deletions
--- a/triage.md
+++ b/triage.md
@@ -91,7 +91,7 @@ You can use the **Malware Analysis Report** template [HERE](https://securedorg.g
 1. Run the Victim VM
 2. Copy over the unknown file
 3. Check the file header by opening the file in the hex editor **HxD**
-* Notice the first 1 byte is **MZ** meaning it's a PE Binary
+* Notice the first 2 bytes are **MZ** meaning it's a PE Binary
 ![alt text](https://securedorg.github.io/images/triage1.png "MZ Header")
 4. Add the file extension **.exe** to the **Unknown** file so that it reads as **Unknown.exe**. Now right click the file and select **CFF explorer** to check the PE header
 * Note the imports it's using