104.18.85.75 Threat Intelligence and Host Information

General

This page contains threat intelligence information for the IPv4 address 104.18.85.75 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or observations through activity upon honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as with tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only - and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.

Likely Malicious Host 🟠 60/100

Host and Network Information

• Mitre ATT&CK IDs: T1005 - Data from Local System, T1010 - Application Window Discovery, T1012 - Query Registry, T1027 - Obfuscated Files or Information, T1033 - System Owner/User Discovery, T1036.004 - Masquerade Task or Service, T1041 - Exfiltration Over C2 Channel, T1043 - Commonly Used Port, T1046 - Network Service Scanning, T1055 - Process Injection, T1056.001 - Keylogging, T1056 - Input Capture, T1057 - Process Discovery, T1059.007 - JavaScript, T1059 - Command and Scripting Interpreter, T1068 - Exploitation for Privilege Escalation, T1071.001 - Web Protocols, T1071.002 - File Transfer Protocols, T1071.003 - Mail Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1095 - Non-Application Layer Protocol, T1100 - Web Shell, T1105 - Ingress Tool Transfer, T1106 - Native API, T1112 - Modify Registry, T1114.002 - Remote Email Collection, T1114 - Email Collection, T1122 - Component Object Model Hijacking, T1129 - Shared Modules, T1140 - Deobfuscate/Decode Files or Information, T1176 - Browser Extensions, T1179 - Hooking, T1210 - Exploitation of Remote Services, T1213 - Data from Information Repositories, T1218 - Signed Binary Proxy Execution, T1408 - Disguise Root/Jailbreak Indicators, T1415 - URL Scheme Hijacking, T1421 - System Network Connections Discovery, T1422 - System Network Configuration Discovery, T1427 - Attack PC via USB Connection, T1428 - Exploit Enterprise Resources, T1429 - Capture Audio, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1496 - Resource Hijacking, T1497 - Virtualization/Sandbox Evasion, T1518 - Software Discovery, T1546 - Event Triggered Execution, T1560 - Archive Collected Data, T1566 - Phishing, T1573 - Encrypted Channel, T1583.005 - Botnet, TA0001 - Initial Access, TA0002 - Execution, TA0003 - Persistence, TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0006 - Credential Access, TA0007 - Discovery, TA0008 - Lateral Movement, TA0009 - Collection, TA0010 - Exfiltration, TA0011 - Command and Control, TA0030 - Defense Evasion, TA0034 - Impact, TA0040 - Impact

• Tags: 114.114.114.114, aaaa, accept, access, acint, adaptivebee, address, adload, admin country, a domains, adult content, advocates ensure the rights of others, adware, adwind, aes256gcm, agency, agent, agent tesla, agenttesla, aig, aig.com, aig.rastreator.mx, akamaiasn1, alexa, alexa top, algorithm, alienvault results removed from search results, all octoseek, all search, amazonaes, america?, analyze, anchor hrefs, android, android overlay, anti-detection, anyxxxtube, appdata, apple, apple id, appleid, apple ios, apple phone, arizona, artemis, as11042, as14576, as15169 google, as397241, as54455 madeit, as55688 pt, as62597 nsone, as8075, ascii text, asn as55688, asp.net, assaulted by man demanding phone, assign function, asyncrat, attack, attacker, attorney, august, author, authority, available from, avast avg, awful, azorult, baaa, babelpolyfill, back, backdoor, bandoo, bank, banker, bankerx, banking, basic, behav, benjamin, bill, binder, black, blackbag, blackievirus.com, blacklist, blacklist http, blacklist https, bladabindi, blister, blood, body, body length, boolean, boomrapikey, boomr function, boomrmq string, boost mobile, botnet, br, bradesco, brashears blacklisted, brashears bullied to return to PT due to workers compensation ru, brashears cannot digest food, brashears can’t toilet, brashears denied disability benefits for years, brashears denied vocational rehab twice, brashears family identity theft, brashears further injured, brashears given less than $10000 by Brian sabey, brashears stalked, brashears tagged in adult content - not removed, brashears unable to properly articulate, brashears unhirable due to online profile, breast cancer, brian sabey, Brian sabey brings case to silence brashears, brian sabey constant contact ) threats, brontok, bryan counts made aware of recordings, bundled, burg simpson corruption, C2, caaa, caca, caca4baaa, cacf, caea, callback function, cancel anytime, car hacking, cellbrite, charles, chase personal, checkbox, child pornographer, china cobalt, china telecom, cisco umbrella, citadel, ck id, ck matrix, class, cleaner, click, close, cnc, CNC, cnc feodo, cnc server, cobalt strike, code, colorado, comcast tmobile, command, command and control, communicating, company limited, computer, conduit, constant car bomb threats, contact, contacted, contacted urls, contact phone, contained, contentencoding, contextualizing, control server, control ta0011, cookie, copy, core, corruption, country, covid19, covid19 scam, cp cyber, crack, created, create new, creation date, critical, critical risk, cryp, crypto, csc corporate, cus cndigicert, cus cnmicrosoft, cutwail, cybercrime, cyber espionage, cyber harassment, cybersecurity, cyber stalking, cyberstalking, cyber threat, cyber warfare, czech, daddy, da informs brashears no statute, daisy, daisy coleman, danger, dark power, date, date hash, death threats, debugger evasion, december, defacement, defence, de indicators, delaware, delphi generic, delphi programming, denied healthcare, denver, Denver trial attorneys tell brashears statute is 6 years in colo, desktop, detection list, detections type, detplock, deuteronomy 28:7, dev, developer, discrimination, dns replication, dnssec, doctype, domain, domain related, domains, domains domains, domains dropped, domains files, domain status, dos exe, dos executable, downer, downldr, download, download csv, downloader, download json, dropper, elevated exposure, elf collection, elf wgetboat, email, emails, emotet, employer rightfully consider brashears attack a risk to others, empty hash, @emreimer, encrypt, engineering, enjoy, entries, error, eurodns sa, europeberlin, evasive, executable, execution, expiration, expiration date, exploit, exploit source, express, facebook, factory, fakealert, falcon sandbox, false, false criminal records created about brashears, falsified medical records, fareit, february, file, filehashmd5, filehashsha1, filehashsha256, files, files domain, files files, files related, file system, filetour, final, final url, first, floxif, formbook, framing, frankfurt, fraud, fraud apple support chats, fraud service, free, fusioncore, gandi sas, gecko, general, general full, generator, generic, generic malware, generic windos, genkryptik, germany, get dns, get http, getprocaddress, ghost rat, gmbh version, gopher, grandoreiro, graph, green, group, group hacked esurance, group hacked intermountain healthcare, group hacked uchealth colorado, hackers, hackers for hire, hacking, hacktool, hallrender, hall render denver, hashes, hasty hacker, header intel, headers, headers nel, healthone, heodo, heur, high level, hijacker, historical ssl, hitmen, hostname, hostnames, hrefs, hr rtd, hsbc, html document, html info, http, http header, http method, httponly, http requests, http response, https, hunk, hybrid, hydrocephalus not disclosed, iana id, icloud, icons library, ico rtgroupicon, id, iextract2, iframe, import, impressum, indian mix brashears physically attacked often followed, indicator, industry and commerce, info compiler, infor, injector, inmortal, installation, installcore, installer, installpack, intel, iobit, iocs, ios, ip address, ip detections, iphone unlocker, ip summary, ip sun, ip traffic, ipv4, ja3s, january, javascript, jeffrey reimer dpt ‘reported’ assaulter, jeffrey reimer was reported early, jfif standard, jpeg image, json sample, judge sided with brashears, june, kb body, kde, keygen, keylogger, kgs0, khtml, kidney cancer, killav, kls0, konqueror, kratona, kyriazhs1975, language, larimer st, law, layer protocol, lcc linker, legal, level, link library, list, liver cancer, loader, local, localappdata, local law enforcement, lockbit, logistics, lokibot, look, love, luke, lumma stealer, lung cancer, macho restore, macintosh disk, main, major, make others aware, malicious, malicious site, malicious url, maltiverse, malvertizing, malware, malware host, malware hosting, malware ransom trojan evader rat, malware site, malware spreading evader, mark brian sabey, markmonitor, matches rule, matsnu, mdm hacking, media, mediamagnet, medical center, memory pattern, meta, meterpreter, metro, metro t-mobile, mile high media, milehighmedia, Miles IT, million, milton keynes, mind, miner, mirai, missouri, mitre, mitre att, mk14, model, modified, monitoring, montano threatened brashears with breaking the law if not return, month ago, months ago, most viewed, moved, msil, ms windows, mtb may, name, name md5, name server, name servers, name verdict, nanocore, nanocore rat, neill positively identified - no charges, netlify, netlify edge, network, network ascii text, network rats, networm, neutral, new relic, next, nimda, nircmd, njrat, no charges, no expiration, noname057, non stop harassment, north wales, nothing new, nr-data.net, null, number, nxdomain, nymaim, occamy, odigicert inc, open, opencandy, origin1, orkut, os2 executable, otx octoseek, otx telemetry, outbreak, overlay, overly large campaign, override, pa, packed, parent domain, passive dns, password bypass, paste, patcher, path, pattern ips, pattern match, payment, paypal, pdf report, pe32, pe32 executable, pe32 linker, pe32 packer, pegasus, pegasus attackers do kill, pegasus attackers make in person contact, pegasus involves malicious actions by humans, pegasus technology disallows victim to report to regulatory boar, pe resource, performs dns, permanent damage, persistence, petite, phi, phishing, phishing chase, phishing google, phishing site, phishtank, phonenumber, pii, play, please, plugx, pony, pornhub, pornography, porn videos, postal code, post root, presbyterianst, presenoker, privacy invasion, privacy tech, private investigators tailed stalkers. became afraid when learni, privilege escalation, probe, problem, problems, process, processes tree, products, products id, project, prostate cancer, protect, protocol h2, protocol t1071, psexec, pulse pulses, pulse use, qakbot, qbot, quasar, quasi case, raccoon, radar ineractive, ramnit, ransom, ransomexx, ransomware, rat, rat trojan, rebel ltd, recordings demanded, recordings retrieved by bgp, recordings storedonline, record type, record value, redacted for, redirector, redline, redline stealer, referrer, refresh, registrant fax, registrar abuse, registry, registry keys, reimer, reimer promoted, reimer protected and hidden, reimer recorded, relacionada, relations apple, relic, remcos, remember george floyd? brashears survived that injury, remote, remote access trojan, remote cnc, replacement, report spam, resolutions, resource hash, resources cyber, restart, reverse dns, risk assessment, riskware, rms, rob neill drives brashears off road, root ca, rticon neutral, runescape, runtime process, rust, sabey, sabey data centers, sabey motions dismissed, safebae, safebae.org, safe site, sality, samesite=none, samesitenone, sample, sample path, samples, sarcoma, sat dec, sat jun, scan endpoints, scanning host, script, scriptsrcelem, script urls, sdn bhd, search, secrisk, security, security tls, seraph, server, server ca, servers, service, service privacy, services, serving ip, sex_phot.jpg.exe, sha1, sha256, sha2 secure, shell, shell code, shinjiru msc, show, showing, show technique, show technique span, siblings domain, siem compliance, silly, simda, site, skin cancer, skip, smokeloader, sneaky server, soc http, soc https, social engineering, software, spammer, span, specialist, spyware, squirrelwaffle, ssdp, ssl certificate, stalker, stalkers, startpage, state and governments cover white offender jeffrey reimer, status, status code, status page, stealer, stealthyness, steam route, strike, strings, strong, subdomains, subject, submitters, suite, summary, sun jan, suppobox, survivor, swisscom root, swrort, system, systweak, t1046 sends, t1140, ta0007 network, tag count, tags, targeting, targeting tsara brashears, targets, targets sa, tcp traffic, team, team phishing, tech email, telefonica, telefonica co, text, threat, threat report, threat round, threat roundup, threats et, tiggre, title charles, t-mobile, tofsee, tool, tools, top rated, tracker, tracker malware, tracking, treats, trim, trojan, trojandropper, trojanspy, trojanx, TrojanX, trust, tsara brashears, ttl value, tue dec, tue nov, tulach, tulach.cc, twitter, type, type name, uaaa, unauthorized, unicode text, united, unknown, unlocker, unruy, unsafe, url, url http, url https, urls, urls https, url summary, urls url, ursnif, utc submissions, utf8 text, utmsourcemailer, value, variables, vawtrak, verify, vidar, videos, view charles, views, virtool, virut, vs98, vt report, waaa, wacatac, watch, webcompanion, webshell, webtoolbar, who else is unheard., whois record, whois sslcert, whois whois, who’s driving, widget, win16 ne, win32, win32 dynamic, win32 exe, win64, windir, windows nt, wiper, wiza meta, writes data to a remote process, wTJh.exe, xobo, xrat, xtrat, yaaa, yixun, zbot, zpevdo

• JARM: 27d40d40d00040d1dc42d43d00041d6183ff1bfae51ebd88d70384363d525c

• View other sources: Spamhaus VirusTotal

• Country:
• Network:
• Noticed: 23 times
• Protocols Attacked: Anonymous Proxy
• Countries Attacked: Indonesia, Japan, United States of America
• Passive DNS Results: ayuda.glassdoor.com.mx glassdoor.com.mx www.glassdoor.com.mx

Open Ports Detected

2052 2082 2083 2086 2087 2096 443 8080 8443 8880

Map

Whois Information

• NetRange: 104.16.0.0 - 104.31.255.255
• CIDR: 104.16.0.0/12
• NetName: CLOUDFLARENET
• NetHandle: NET-104-16-0-0-1
• Parent: NET104 (NET-104-0-0-0-0)
• NetType: Direct Allocation
• OriginAS: AS13335
• Organization: Cloudflare, Inc. (CLOUD14)
• RegDate: 2014-03-28
• Updated: 2024-09-04
• Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
• Comment: Geofeed: https://api.cloudflare.com/local-ip-ranges.csv
• Ref: https://rdap.arin.net/registry/ip/104.16.0.0
• OrgName: Cloudflare, Inc.
• OrgId: CLOUD14
• Address: 101 Townsend Street
• City: San Francisco
• StateProv: CA
• PostalCode: 94107
• Country: US
• RegDate: 2010-07-09
• Updated: 2024-11-25
• Ref: https://rdap.arin.net/registry/entity/CLOUD14
• OrgNOCHandle: CLOUD146-ARIN
• OrgNOCName: Cloudflare-NOC
• OrgNOCPhone: +1-650-319-8930
• OrgNOCEmail: noc@cloudflare.com
• OrgNOCRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN
• OrgAbuseHandle: ABUSE2916-ARIN
• OrgAbuseName: Abuse
• OrgAbusePhone: +1-650-319-8930
• OrgAbuseEmail: abuse@cloudflare.com
• OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
• OrgRoutingHandle: CLOUD146-ARIN
• OrgRoutingName: Cloudflare-NOC
• OrgRoutingPhone: +1-650-319-8930
• OrgRoutingEmail: noc@cloudflare.com
• OrgRoutingRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN
• OrgTechHandle: ADMIN2521-ARIN
• OrgTechName: Admin
• OrgTechPhone: +1-650-319-8930
• OrgTechEmail: rir@cloudflare.com
• OrgTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN
• RNOCHandle: NOC11962-ARIN
• RNOCName: NOC
• RNOCPhone: +1-650-319-8930
• RNOCEmail: noc@cloudflare.com
• RNOCRef: https://rdap.arin.net/registry/entity/NOC11962-ARIN
• RAbuseHandle: ABUSE2916-ARIN
• RAbuseName: Abuse
• RAbusePhone: +1-650-319-8930
• RAbuseEmail: abuse@cloudflare.com
• RAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
• RTechHandle: ADMIN2521-ARIN
• RTechName: Admin
• RTechPhone: +1-650-319-8930
• RTechEmail: rir@cloudflare.com
• RTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN

Links to attack logs

anonymous-proxy-ip-list-2025-06-23 anonymous-proxy-ip-list-2025-06-22