This workflow is static-only. Do not execute attacker-provided files. Do not run binaries. Do not install unknown packages. Do not fetch live payloads.
Hashing:
sha256sum quarantine/core_fix_v2.zip
md5sum quarantine/core_fix_v2.exe
Archive listing without extraction:
unzip -l quarantine/core_fix_v2.zip
zipinfo quarantine/core_fix_v2.zip
7z l quarantine/core_fix_v2.zip
File type and magic inspection:
file quarantine/core_fix_v2.zip
file quarantine/core_fix_v2.exe
String extraction:
strings -a quarantine/core_fix_v2.exe
strings -a -n 8 quarantine/core_fix_v2.exe
PE metadata:
objdump -x quarantine/core_fix_v2.exe
rabin2 -I quarantine/core_fix_v2.exe
rabin2 -i quarantine/core_fix_v2.exe
osslsigncode verify quarantine/core_fix_v2.exe
Before extracting any archive, inspect entries for:
.. traversal;Prefer listing and metadata inspection over extraction. If extraction is required, use a disposable quarantine directory outside the repository worktree and do not execute or import the extracted files.
Use precise labels:
0x0000000140073280, image base 0x0000000140000000..text, .rdata, .data, .pdata, .xdata, .idata, .reloc, .symtab.kernel32.dll include: WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry.