| 文件名 | OInstall_x64.exe |
| 文件类型 |
PE32+ executable (GUI) x86-64, for MS Windows
|
| 扫描器版本 | 1.0.185.174 |
| 数据库版本 | 2024-08-31 18:00:39 UTC |
恶意软件家族: KMS
| 哈希类型 | 值 | 操作 |
|---|---|---|
| MD5 |
80f8a2ffd54a73c6cc17f427d10dd1da
|
|
| SHA1 |
099b916641cdb3cb66aa9242bcb92b00ebce8475
|
|
| SHA256 |
2ff9f800cfe3e450b9feb25c171c6813c6e100506068fd4da25a5c7255d6b0dc
|
|
| SHA512 |
ca420d70aaa290b490e37db18ab691f3497e3adea37d1fd8f623024333275b2110d5a8a66ce54102b238c026ce0bba35b0a8998c0a63db2ab89d06a74d07a845
|
|
| ImpHash |
32e10a07a0a21b800734c8b630e8a320
|
| 图标 |
哈希: cf8b3d44cc80ac3d3f5b2c3f6848133a
模糊: 71fcd2e860bbcd562ce257f969072383 dHash: e0c8ccc6c6c6c0e0 |
| 映像基址 | 0x140000000 |
| 入口点 | 0x140082610 |
| 编译时间 | 2024-01-07 13:13:11 |
| 校验和 | 0x012a886f (实际: 0x012a886f) |
| 操作系统版本 | 5.0 |
| PEiD 签名 |
PE32+ executable (GUI) x86-64, for MS Windows
|
| 数字签名 | Chain verification from CN=WZTeam (serial:-155843482902537470358085606074993314206, sha1:648384a4dee53d4c1c87e10d67cc99307ccc9c98) failed: The X.509 certificate provided is self-signed - "Common Name: WZTeam" |
| 导入 | 13 库 |
| 导出 | 0 函数 |
| 资源 | 7 资源 |
| 节 | 12 节 |
| ProductName | Office 2013-2024 C2R Install |
| FileDescription | Office 2013-2024 C2R Install |
| Translation | 0x0000 0x04b0 |
| 名称 | 虚拟地址 | 虚拟大小 | 原始大小 | 熵 | 特征 | MD5 |
|---|---|---|---|---|---|---|
.text |
0x00001000 |
1,433,443 bytes | 1,433,600 bytes | 6.34 (正常) |
IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ
|
B51ED159A3D21A6D3AD6688972FB0BD1 |
.rdata |
0x0015f000 |
237,008 bytes | 237,056 bytes | 5.92 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
|
99BF230D9614DC900FD8EAE6F52548F5 |
.pdata |
0x00199000 |
43,476 bytes | 43,520 bytes | 6.12 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
|
A587EBC7A71CA408E4462F43D1A1FF3F |
.data |
0x001a4000 |
18,257,312 bytes | 17,748,480 bytes | 7.23 (压缩) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
B3F839C33CFE6834A22EF430AFB2BC12 |
.rsrc |
0x0130e000 |
87,756 bytes | 88,064 bytes | 2.17 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ
|
2C7B31387FE3F77F2005D4BC725A9C1D |
.debug_l |
0x01324000 |
123 bytes | 512 bytes | 1.58 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ
|
649E64A1C3CFD4E0607486B8594AC5AE |
.debug_i |
0x01325000 |
46 bytes | 512 bytes | 0.33 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ
|
0D264557C72D0E1545D697403C2FC779 |
.debug_a |
0x01326000 |
20 bytes | 512 bytes | 0.30 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ
|
DA4B92350E5F31B69649F21DC92020C9 |
.debug_a |
0x01327000 |
48 bytes | 512 bytes | 0.18 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ
|
B97496D046E8D9966345791CFFF3553A |
.debug_s |
0x01328000 |
155 bytes | 512 bytes | 2.32 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ
|
406B70665A5983D1F1682455C669F732 |
.debug_f |
0x01329000 |
72 bytes | 512 bytes | 0.72 (正常) |
IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ
|
AECF269CC58E17C28B5B25809563C64B |
.modplug |
0x0132a000 |
20,480 bytes | 0 bytes | 0.00 (正常) |
IMAGE_SCN_CNT_UNINITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE
|
D41D8CD98F00B204E9800998ECF8427E |
1 检测到较高熵(≥6.5)的节 - 可能存在压缩
| 资源类型 | 数量 | 总大小 | 百分比 |
|---|---|---|---|
| RT_ICON | 4 | 82,656 字节 | |
| RT_GROUP_ICON | 1 | 62 字节 | |
| RT_VERSION | 1 | 412 字节 | |
| RT_MANIFEST | 1 | 4,173 字节 |
此文件未进行数字签名。
⚠ 此文件缺少数字签名或证书链无法验证。
执行来自未知来源的未签名文件时请谨慎。
Chain verification from CN=WZTeam (serial:-155843482902537470358085606074993314206, sha1:648384a4dee53d4c1c87e10d67cc99307ccc9c98) failed: The X.509 certificate provided is self-signed - "Common Name: WZTeam"
建议: 验证文件来源并确保它来自可信的发布者.
按照以下步骤完全从系统中移除威胁
