104.199.46.221 — Google LLC, BE — Very High (99%)

Check an IP Address, Domain Name, Subnet, or ASN

104.199.46.221 was found in our database!

Confidence Level

99%

Very High?

Geolocation

🇧🇪

BelgiumBrussels

ISPGoogle LLC

ASNAS396982

Activity Timeline

First seenJan 21, 2026, 02:53 AM

Last seen2d ago

437Sessions

1,283Events

Protocol Breakdown

FTP

122 / 588

MONGODB

78 / 280

SMB

74 / 185

POSTGRES

51 / 72

HTTP

40 / 56

HTTPS

30 / 54

ELASTICSEARCH

30 / 30

DOCKER

10 / 14

WINRM

2 / 4

104.199.46.221 has a very high threat confidence level of 99%, originating from Brussels, Belgium, on the Google LLC network (396982). It has been observed across 437 sessions targeting FTP, MONGODB, SMB, POSTGRES, HTTP and 4 other protocols, with detected attack patterns including smb ipc netlogon samr srvsvc rpc chain, First observed on January 21, 2026, most recently active February 28, 2026.

Behaviors

Classified behavioral patterns observed

Smb Ipc Netlogon Samr Srvsvc Rpc Chain

high1x

Session containing IPC$ share access, NETLOGON share access, root directory read, SAMR RPC bind, and SRVSVC pipe open with subsequent RPC bind. Represents this specific chained SMB RPC interaction pattern within a single session.

Smb Remote Enumeration Via Samr And Srvsvc

medium11x

Composite behavior identifying authenticated SMB interaction where a client accesses the IPC$ share, performs root directory reads, binds to the SAMR RPC interface, and interacts with the SRVSVC service pipe. This sequence is consistent with remote host and account enumeration activity over SMB, typically used to gather domain, user, and share information prior to lateral movement or privilege escalation attempts.

Ftp Passive Directory Listing

low9x

FTP session where the client enters passive mode (PASV) and issues a LIST command to retrieve a directory listing from the server.

Ftp Passive Session Initialization

low6x

FTP session where the client authenticates, queries the working directory, sets transfer mode, and enters passive mode without performing any file transfer or directory listing.

Http Root Path Request

info30x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

Https Root Path Request

info8x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

Primitives

Individual actions observed

Mongodb Client Metadata Pymongo191 Mongodb Lsid Present120 Elastic Http Get Request80 Smb Root Read62 Mongodb Buildinfo60 Mongodb Listdatabases60 Elastic Root Path Probe44 Http Method Get31 Ftp Print Working Directory28 Smb Srvsvc Rpc Bind24 Smb Netlogon Share Access19 Elastic Http Bad Request Path Probe18 Ftp Set Utf814 Ftp User Probe14 Ftp Set Ascii Mode14 Ftp Password Attempt14 Ftp Enter Passive Mode14 Smb Ipc Share Access13 Smb Samr Rpc Bind12 Smb Srvsvc Pipe Open12

Related Threats

Explore related threat intelligence

🇧🇪More threats fromBelgium ASMore threats fromGoogle LLC FTPMore threats targetingFTP MONGODBMore threats targetingMONGODB SMBMore threats targetingSMB POSTGRESMore threats targetingPOSTGRES HTTPMore threats targetingHTTP HTTPSMore threats targetingHTTPS ELASTICSEARCHMore threats targetingELASTICSEARCH DOCKERMore threats targetingDOCKER WINRMMore threats targetingWINRM { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
216.180.246.87	46%	56
198.235.24.9	72%	103
198.235.24.20	73%	79
34.78.178.58	98%	142
147.185.132.55	86%	214

IP Address	Confidence	Events
130.211.53.197	100%	873
34.38.83.65	100%	643
34.140.188.44	100%	1,289
34.14.8.226	95%	70
35.240.75.51	100%	746