104.18.88.101 Threat Intelligence and Host Information
General
This page contains threat intelligence information for the IPv4 address 104.18.88.101 and was generated either as a result of observed malicious activity or as an information gathering exercise to assist with enrichment of security events and context. All information is gathered passively through aggregation of public sources, or through observation of activity against honeynets. The host score is calculated through a series of statistically weighted values and machine learning which takes into account metadata such as host information, frequency, volume and global distribution of malicious activity, association with other known malicious hosts or networks, proxying or anonymising behaviour such as Tor exit nodes, residential proxies or VPN services, and many other attributes. These values are historical and indicative only, and should not be taken to be an accurate representation of the users, businesses or networks in which they reside.
Likely Malicious Host 🟠 60/100
Host and Network Information
- Mitre ATT&CK IDs: T1003 - OS Credential Dumping, T1012 - Query Registry, T1018 - Remote System Discovery, T1023 - Shortcut Modification, T1027 - Obfuscated Files or Information, T1029 - Scheduled Transfer, T1033 - System Owner/User Discovery, T1036 - Masquerading, T1040 - Network Sniffing, T1043 - Commonly Used Port, T1045 - Software Packing, T1047 - Windows Management Instrumentation, T1055 - Process Injection, T1057 - Process Discovery, T1059 - Command and Scripting Interpreter, T1060 - Registry Run Keys / Startup Folder, T1071.001 - Web Protocols, T1071.004 - DNS, T1071 - Application Layer Protocol, T1082 - System Information Discovery, T1089 - Disabling Security Tools, T1090 - Proxy, T1094 - Custom Command and Control Protocol, T1106 - Native API, T1112 - Modify Registry, T1119 - Automated Collection, T1129 - Shared Modules, T1133 - External Remote Services, T1140 - Deobfuscate/Decode Files or Information, T1143 - Hidden Window, T1176 - Browser Extensions, T1189 - Drive-by Compromise, T1203 - Exploitation for Client Execution, T1204 - User Execution, T1210 - Exploitation of Remote Services, T1215 - Kernel Modules and Extensions, T1428 - Exploit Enterprise Resources, T1449 - Exploit SS7 to Redirect Phone Calls/SMS, T1457 - Malicious Media Content, T1485 - Data Destruction, T1491 - Defacement, T1497 - Virtualization/Sandbox Evasion, T1564 - Hide Artifacts, T1566 - Phishing, T1573 - Encrypted Channel, T1583 - Acquire Infrastructure, TA0011 - Command and Control, TA0037 - Command and Control
- Tags:
- Contained within other IP sets: hphosts_emd
- Country:
- Network:
- Noticed: 18 times
- Protocols Attacked: Anonymous Proxy
- Countries Attacked: Anguilla, Aruba, Australia, Bahamas, Barbados, Belgium, Brazil, Canada, Cayman Islands, Chile, China, Costa Rica, Curaçao, Georgia, Germany, Guatemala, Hong Kong, Hungary, Ireland, Japan, Kenya, Mexico, Morocco, Netherlands, Panama, Peru, Philippines, Poland, Russian Federation, Saint Kitts and Nevis, Saint Martin (French part), Saint Vincent and the Grenadines, Singapore, Sint Maarten (Dutch part), Slovakia, Spain, Taiwan, Tanzania United Republic of, Trinidad and Tobago, Ukraine, United Kingdom of Great Britain and Northern Ireland, United States of America
- Passive DNS Results: qlcdn.lavasoft.com partner-tracking.lavasoft.com www.lavasoft.com lavasoft.com cdnidc.lavasoft.com definitionsbd.lavasoft.com wcdownloader.lavasoft.com gateway.lavasoft.com flow.lavasoft.com.cdn.cloudflare.net acscdn.lavasoft.com gamulatorcdn.lavasoft.com cdn-quicklaunch.lavasoft.com cdndeskify.lavasoft.com featureflags.lavasoft.com uyssdion.icu www.uyssdion.icu uqjnnyuu.icu eventstaging.lavasoft.com www.daargtww.icu www.lprooouc.icu lprooouc.icu www.mbbbuvre.icu h2ocdn.lavasoft.com www.bpflkavx.icu bjogmcmt.icu bpflkavx.icu ckovukik.icu dlpkvxmk.icu lwwcqmgq.icu mbbbuvre.icu acs.lavasoft.com wcdownloadercdn.lavasoft.com wcdownloader-qa.lavasoft.com downloadnada.lavasoft.com flow.lavasoft.com downloads12.lavasoft.com
Malware Detected on Host
Count: 15352
Open Ports Detected
2082 2083 2086 2087 2096 443 80 8080 8443 8880
Whois Information
- NetRange: 104.16.0.0 - 104.31.255.255
- CIDR: 104.16.0.0/12
- NetName: CLOUDFLARENET
- NetHandle: NET-104-16-0-0-1
- Parent: NET104 (NET-104-0-0-0-0)
- NetType: Direct Allocation
- OriginAS: AS13335
- Organization: Cloudflare, Inc. (CLOUD14)
- RegDate: 2014-03-28
- Updated: 2024-09-04
- Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
- Comment: Geofeed: https://api.cloudflare.com/local-ip-ranges.csv
- Ref: https://rdap.arin.net/registry/ip/104.16.0.0
- OrgName: Cloudflare, Inc.
- OrgId: CLOUD14
- Address: 101 Townsend Street
- City: San Francisco
- StateProv: CA
- PostalCode: 94107
- Country: US
- RegDate: 2010-07-09
- Updated: 2024-11-25
- Ref: https://rdap.arin.net/registry/entity/CLOUD14
- OrgNOCHandle: CLOUD146-ARIN
- OrgNOCName: Cloudflare-NOC
- OrgNOCPhone: +1-650-319-8930
- OrgNOCEmail: noc@cloudflare.com
- OrgNOCRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN
- OrgTechHandle: ADMIN2521-ARIN
- OrgTechName: Admin
- OrgTechPhone: +1-650-319-8930
- OrgTechEmail: rir@cloudflare.com
- OrgTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN
- OrgAbuseHandle: ABUSE2916-ARIN
- OrgAbuseName: Abuse
- OrgAbusePhone: +1-650-319-8930
- OrgAbuseEmail: abuse@cloudflare.com
- OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
- OrgRoutingHandle: CLOUD146-ARIN
- OrgRoutingName: Cloudflare-NOC
- OrgRoutingPhone: +1-650-319-8930
- OrgRoutingEmail: noc@cloudflare.com
- OrgRoutingRef: https://rdap.arin.net/registry/entity/CLOUD146-ARIN
- RAbuseHandle: ABUSE2916-ARIN
- RAbuseName: Abuse
- RAbusePhone: +1-650-319-8930
- RAbuseEmail: abuse@cloudflare.com
- RAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
- RNOCHandle: NOC11962-ARIN
- RNOCName: NOC
- RNOCPhone: +1-650-319-8930
- RNOCEmail: noc@cloudflare.com
- RNOCRef: https://rdap.arin.net/registry/entity/NOC11962-ARIN
- RTechHandle: ADMIN2521-ARIN
- RTechName: Admin
- RTechPhone: +1-650-319-8930
- RTechEmail: rir@cloudflare.com
- RTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN
Links to attack logs
anonymous-proxy-ip-list-2025-06-23 anonymous-proxy-ip-list-2025-06-22