104.16.211.191 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 104.16.211.191. It was generated either as a result of observed malicious activity or as an information-gathering exercise to assist with the enrichment of security events and context. All information is gathered passively, through aggregation of public sources or observation of activity against honeynets. The host score is calculated from a series of statistically weighted values and machine learning that take into account metadata such as host information; the frequency, volume and global distribution of malicious activity; association with other known malicious hosts or networks; proxying or anonymising behaviour such as Tor exit nodes, residential proxies or VPN services; and many other attributes. These values are historical and indicative only, and should not be taken as an accurate representation of the users, businesses or networks in which the address resides.

Likely Malicious Host 🟠 57/100

Host and Network Information

  • Mitre ATT&CK IDs: T1011 - Exfiltration Over Other Network Medium, T1012 - Query Registry, T1018 - Remote System Discovery, T1027.002 - Software Packing, T1027 - Obfuscated Files or Information, T1031 - Modify Existing Service, T1033 - System Owner/User Discovery, T1040 - Network Sniffing, T1043 - Commonly Used Port, T1045 - Software Packing, T1047 - Windows Management Instrumentation, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1056.001 - Keylogging, T1056 - Input Capture, T1057 - Process Discovery, T1059.002 - AppleScript, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1060 - Registry Run Keys / Startup Folder, T1063 - Security Software Discovery, T1071.001 - Web Protocols, T1071.003 - Mail Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1094 - Custom Command and Control Protocol, T1105 - Ingress Tool Transfer, T1106 - Native API, T1107 - File Deletion, T1110.002 - Password Cracking, T1112 - Modify Registry, T1114 - Email Collection, T1119 - Automated Collection, T1129 - Shared Modules, T1132 - Data Encoding, T1140 - Deobfuscate/Decode Files or Information, T1143 - Hidden Window, T1176 - Browser Extensions, T1215 - Kernel Modules and Extensions, T1410 - Network Traffic Capture or Redirection, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1457 - Malicious Media Content, T1491 - Defacement, T1497 - Virtualization/Sandbox Evasion, T1560 - Archive Collected Data, T1563 - Remote Service Session Hijacking, T1583.002 - DNS Server, T1583.005 - Botnet, TA0001 - Initial Access, TA0002 - Execution, TA0003 - Persistence, TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0006 - Credential Access, TA0007 - Discovery, TA0008 - Lateral Movement, TA0009 - Collection, TA0010 - Exfiltration, TA0011 - Command and Control, TA0034 - Impact, TA0040 - Impact

  • Tags:

  • JARM: 27d40d40d00040d00042d43d00041df04c41293ba84f6efe3a613b22f983e6

  • Country:
  • Network:
  • Noticed: 23 times
  • Protocols Attacked: Anonymous Proxy
  • Countries Attacked: Australia, Canada, United States of America
  • Passive DNS Results:

Malware Detected on Host

Count: 2 684df6dbac783395d03e4852d0b2e007d7ecde5c04e220c56d76b8b3e8a6c82d 609dc0fc357f5c36cfa1ae3588a45d0937fd77948ed5c60ee977bdf67373b399

Open Ports Detected

2082 2083 2086 2087 2096 443 80 8080 8443 8880

Whois Information

Links to attack logs

anonymous-proxy-ip-list-2025-06-23 anonymous-proxy-ip-list-2025-06-22