104.16.101.12 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 104.16.101.12 and was generated either as a result of observed malicious activity or as an information-gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources or through observations of activity on honeynets. The host score is calculated through a series of statistically weighted values and machine learning that takes into account metadata such as host information; frequency, volume and global distribution of malicious activity; association with other known malicious hosts or networks; proxying or anonymising behaviour such as Tor exit nodes, residential proxies or VPN services; and many other attributes. These values are historical and indicative only, and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 60/100

Host and Network Information

  • Mitre ATT&CK IDs: T1018 - Remote System Discovery, T1027 - Obfuscated Files or Information, T1031 - Modify Existing Service, T1036 - Masquerading, T1045 - Software Packing, T1046 - Network Service Scanning, T1055 - Process Injection, T1059 - Command and Scripting Interpreter, T1070 - Indicator Removal on Host, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1095 - Non-Application Layer Protocol, T1096 - NTFS File Attributes, T1100 - Web Shell, T1105 - Ingress Tool Transfer, T1112 - Modify Registry, T1114 - Email Collection, T1119 - Automated Collection, T1129 - Shared Modules, T1140 - Deobfuscate/Decode Files or Information, T1156 - Malicious Shell Modification, T1199 - Trusted Relationship, T1202 - Indirect Command Execution, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1497 - Virtualization/Sandbox Evasion, T1518 - Software Discovery, T1539 - Steal Web Session Cookie, T1543 - Create or Modify System Process, T1547 - Boot or Logon Autostart Execution, T1553 - Subvert Trust Controls, T1560 - Archive Collected Data, T1562 - Impair Defenses, T1565 - Data Manipulation, T1566 - Phishing, T1568 - Dynamic Resolution, T1569 - System Services, T1573 - Encrypted Channel, T1574 - Hijack Execution Flow, T1583.002 - DNS Server, T1583 - Acquire Infrastructure, TA0002 - Execution, TA0003 - Persistence, TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0006 - Credential Access, TA0007 - Discovery, TA0011 - Command and Control

  • Tags:

  • JARM: 27d40d40d00040d1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c

  • View other sources: Spamhaus VirusTotal

  • Country:
  • Network:
  • Noticed: 5 times
  • Protocols Attacked: Anonymous Proxy
  • Countries Attacked: Anguilla, Aruba, Australia, Bahamas, Barbados, Canada, Cayman Islands, Costa Rica, Curaçao, Georgia, Germany, Guatemala, Japan, Mexico, Netherlands, Panama, Philippines, Poland, Saint Kitts and Nevis, Saint Martin (French part), Saint Vincent and the Grenadines, Sint Maarten (Dutch part), Tanzania United Republic of, Trinidad and Tobago, Ukraine, United Kingdom of Great Britain and Northern Ireland, United States of America
  • Passive DNS Results:

Malware Detected on Host

Count: 85

Open Ports Detected

2053 2082 2083 2086 2087 2096 443 80 8080 8443 8880

Whois Information

Links to attack logs

anonymous-proxy-ip-list-2025-06-22
