IP Address: 122.52.203.208 (Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: MSSQL, SMB
Tags: File Operation By CMD, DNS Query, Access Share, Access Suspicious Domain, Execute from Share, Download File, Service Stop, Service Creation, SMB Share Connect, SMB Null Session Login, Scheduled Task Creation, SMB, Service Start, Service Deletion, Successful SMB Login, Download and Execute, MSSQL, Scheduled Task Run, CMD
Associated Attack Servers
IP Address: 122.52.203.208
Domain: -
ISP: Philippine Long Distance Telephone
Country: Philippines
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2020-10-13
Last seen in Akamai Guardicore Segmentation: 2024-09-27
Successful SMB Login: A user logged in using SMB with the following username: Administrator - Authentication policy: Reached Max Attempts
Execute from Share: psppuapq.exe was executed from the remote share \\server-backup\c$
Service Start, Service Creation: c:\windows\system32\services.exe installed and started \\server-backup\c$\psppuapq.exe as a service named Olxl under service group None
Download File: C:\WINDOWS\Temp\svchost.exe was downloaded
Successful SMB Login: A user logged in using SMB with the following username: Administrator - Authentication policy: Previously Approved User 4 times
Execute from Share: ligqshsu.exe was executed from the remote share \\server-backup\c$
Service Start, Service Creation: c:\windows\system32\services.exe installed and started \\server-backup\c$\ligqshsu.exe as a service named xRky under service group None
Service Stop: Service xRky was stopped
Successful SMB Login: A user logged in using SMB from NULL with the following username: Administrator - Authentication policy: Previously Approved User 6 times
DNS Query, Access Suspicious Domain: Process c:\windows\system32\mshta.exe attempted to access suspicious domains: w.zz3r0.com
Service Start, Service Creation: c:\windows\system32\services.exe installed and started \\server-backup\c$\cxoxjyji.exe as a service named VDaq under service group None
Execute from Share: cxoxjyji.exe was executed from the remote share \\server-backup\c$
The command line c:\windows\iqjqfQve.exe was scheduled to run by modifying C:\WINDOWS\Tasks\Autostart.job
Download and Execute: The file C:\WINDOWS\TPGNUvsk.exe was downloaded and executed
The command line c:\windows\TPGNUvsk.exe was scheduled to run by modifying C:\WINDOWS\Tasks\escan.job
Service Stop: Service VDaq was stopped
Service Start, Service Creation: c:\windows\system32\services.exe installed and started \\server-backup\c$\bdohgvln.exe as a service named XIgn under service group None
Execute from Share: bdohgvln.exe was executed from the remote share \\server-backup\c$
Service Stop: Service XIgn was stopped
Execute from Share: msnvwufs.exe was executed from the remote share \\server-backup\c$
Service Start, Service Creation: c:\windows\system32\services.exe installed and started \\server-backup\c$\msnvwufs.exe as a service named lCxP under service group None
Service Stop: Service lCxP was stopped
Connection was closed due to timeout
|
C:\windows\temp\svchost.exe | SHA256: 01f02e0b0d3d93a607c06928324bd8f2c754428aa2ea35d70fec2e6322a8c918 | 195000 bytes
C:\WINDOWS\wYMT.exe | SHA256: 01f53633e544ec762bd8f01c0232599355cc9b4a0ff158d5be29a18ed5c9af07 | 650000 bytes
C:\WINDOWS\Temp\svchost.exe | SHA256: 09491955bdb7a73c938338551b2c290a159180fc4c99db7d99c7b498f3284bc4 | 455000 bytes
C:\WINDOWS\Temp\svchost.exe | SHA256: 0a8e6f386a5b036882e87d74cf3082dab5571da222b510c11146aeae61fac71b | 260000 bytes
C:\windows\temp\svchost.exe | SHA256: 15a37fb390bf724bdecf13bafcf07c4eb411ba4dc0c3f51348e7af24f580108f | 2470000 bytes
C:\WINDOWS\Temp\svchost.exe | SHA256: 16b291f1918e1e1673c3d7c797cfba38a8d9d575d16c1f77caa4ea1494fff70f | 715000 bytes
C:\WINDOWS\wYMT.exe | SHA256: 2ed495e5bdb9aa2075447e17162e0c2174f8c569fa740733273251afd89b37c4 | 390000 bytes
C:\CbtUflUX.exe | SHA256: 382c01c8012e8c8dfc9a7bfd965aae66d8a9741c42593afa53ff2a93d7c1b91b | 56320 bytes