IP Address: 202.189.6.95 (Malicious)
This IP address attempted an attack on a machine in our threat sensors network
IP Address: 202.189.6.95
Domain: -
ISP: -
Country: China
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2023-01-18
Last seen in Akamai Guardicore Segmentation: 2023-02-28
What is Akamai Guardicore Segmentation?
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Incident events recorded by the threat sensor (Event | Category):

A user logged in using MSSQL with the following credentials: sa / *********** - Authentication policy: Reached Max Attempts | Successful MSSQL Login
A user logged in using MSSQL with the following credentials: sa / *********** - Authentication policy: Previously Approved User 2 times | Successful MSSQL Login
A user logged in using MSSQL with the following credentials: sa / *********** - Authentication policy: Previously Approved User | Successful MSSQL Login
MSSQL procedures were created: sp_addextendedproc and sp_dropextendedproc | Create MsSql Procedure
Process c:\windows\system32\ftp.exe attempted to access suspicious domains: cct119.com | DNS Query, Access Suspicious Domain, Outgoing Connection
Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 154.221.149.161:21 | Outgoing Connection
c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry 7 times | Persistency - Mime Filter
c:\windows\apppatch\apppatch64\aclayers.dll installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry 39 times | Persistency - Mime Filter
The file C:\Windows\System32\60hack.exe was downloaded and executed 18 times | Download and Execute
Service CryptSvc was stopped | Service Stop
Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 114.55.106.38:21 | Outgoing Connection
Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 114.55.106.38:21 4 times | Outgoing Connection
MSSQL tables were dropped: #A1E89578 and #A3D0DDEA | Drop MsSql Table
Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 114.55.106.38:21 | Outgoing Connection
MSSQL tables were created: #temp_jobs_to_delete________________________________________________________________________________________________000000000002 | Create MsSql Table
User 2 was created with the password ********* | User Created, User Password Changed
MSSQL executed 2 shell commands | Execute MsSql Shell Command
c:\windows\system32\60hack.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\60hack.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry 2 times | Persistency - Mime Filter
c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\60hack.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry 6 times | Persistency - Mime Filter
c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry | Persistency - Mime Filter
c:\windows\system32\60hack.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry 2 times | Persistency - Mime Filter
Process c:\windows\system32\conhost.exe generated outgoing network traffic to: 114.55.106.38:21 | -
Process c:\windows\system32\conhost.exe generated outgoing network traffic to: 114.55.106.38:21 | -
Service CryptSvc was started | Service Start
Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 114.55.106.38:21 2 times | Outgoing Connection
The file C:\321.exe was downloaded and executed 3 times | Download and Execute
System file c:\windows\system32\conhost.exe was modified 4 times | System File Modification
c:\321.exe installed and started c:\windows\system32\201890.dll as a service named SRDSL under service group None 2 times | Service Start, Service Creation
The file C:\Windows\SysWOW64\201890.dll was downloaded and loaded by c:\windows\syswow64\svchost.exe | Download and Execute
System file C:\Windows\AppCompat\Programs\Amcache.hve was modified | System File Modification
The file C:\Windows\SysWOW64\SRDSL.exe was downloaded and executed | Download and Execute
Process c:\windows\syswow64\srdsl.exe attempted to access suspicious domains: aaaakkkkk.f3322.net | DNS Query, Access Suspicious Domain, Outgoing Connection
Process c:\windows\syswow64\srdsl.exe generated outgoing network traffic to: 47.98.111.205:2323 | Outgoing Connection
Connection was closed due to timeout | -