{ "type": "Domain", "indicator": "win2888.dev", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/win2888.dev", "alexa": "http://www.alexa.com/siteinfo/win2888.dev", "indicator": "win2888.dev", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3449063715, "indicator": "win2888.dev", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "684a3719a2708183b1b16d00", "name": "Follow Bot (black-basta_cova_cryptb) affects threat researcher(s)account(s)", "description": "Surprised: \nFollow bot account affects threat researcher(s)account(s). % path , attempts DoS. Threatening account name,. \n\n\n(00285c99b52d41679b1aa3b8a80895b037df8a7500f4ad97ce06068eac4a95b7 | =\nfollow) \n|| {2025-05-20_bf3a6ba6e3421a7214ffbfe97642a578_amadey_black-basta_cova_cryptbot_elex_luca-stealer\nFastCopy5.9.0.exe}\n\nET DNS Query for .cc \n PROTOCOL-ICMP PATH MTU denial of service attempt\nPROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set", "modified": "2025-07-12T01:02:11.925000", "created": "2025-06-12T02:10:33.839000", "tags": [ "gtmkvjvztk", "open threat", "learn", "levelblue", "exchange meta", "tags twitter", "alienvault", "script tags", "iframe tags", "google tag", "html internet", "html document", "ascii text", "ta0004 defense", "evasion ta0005", "command", "control ta0011", "number", "cnmicrosoft ecc", "update secure", "server ca", "cus subject", "stwa lredmond", "omicrosoft c", "resolved ips", "get http", "dns resolutions", "request", "response", "windows nt", "win64", "khtml", "gecko", "defense evasion", "ta0009 command", "impact ta0040", "catalog tree", "analysis ob0001", "analysis ob0002", "ob0007 impact", "ob0012 file", "system oc0001", "process oc0003", "data oc0004", "oc0008", "get https", "vis1", "oid2", "post https", "cjutxg", "base64uidenc", "error https" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 162, "FileHash-SHA1": 28, "FileHash-SHA256": 2459, "domain": 889, "hostname": 1217, "URL": 4326, "FilePath": 1 }, "indicator_count": 9082, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "325 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708e4e9c1be22930c7a9c9", "name": "Hiding in common sight, misplaced attribution as just being AD Fraud", "description": "", "modified": "2023-12-06T15:07:58.810000", "created": "2023-12-06T15:07:58.810000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 525, "domain": 91, "URL": 531, "hostname": 281, "FileHash-MD5": 1 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "909 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6282747cb32e6183686525ca", "name": "Hiding in common sight, misplaced attribution as just being AD Fraud", "description": "Get ready for the Russians to take over cause while most of cyber has been sleeping thru this chronic abuse just putting it down to common low impact ad fraud your about to find out whats really going on!", "modified": "2022-06-15T00:01:21.489000", "created": "2022-05-16T15:57:48.548000", "tags": [ "found", "iptv", "ad", "click", "fraud", "hiding in common sight", "initial access brokerage", "creds", "dirtying tv traffic", "nefarious domain parking", "enterprise leverage via the average consumer", "analytics abuse", "CNAME cookie abuse", "Cookie abuse", "GDPR might as well not exist" ], "references": [ "Ad/click Fraud disguises much more", "initial access brokers", "http://aka.ms/LearnAboutSenderIdentification Akamai rank: #256\t URL http://aka.ms/LearnAboutSenderIdentification. Akamai rank: #256\t URL http://aka.ms/learnathon Akamai rank: #256\t URL https://aka.ms/atasaguide-recenum Akamai rank: #256\t URL https://aka.ms/cp_r=", "cant complete due to continious freezing" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 281, "URL": 531, "FileHash-SHA256": 525, "domain": 91, "FileHash-MD5": 1 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 396, "modified_text": "1448 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "cant complete due to continious freezing", "Ad/click Fraud disguises much more", "initial access brokers", "http://aka.ms/LearnAboutSenderIdentification Akamai rank: #256\t URL http://aka.ms/LearnAboutSenderIdentification. Akamai rank: #256\t URL http://aka.ms/learnathon Akamai rank: #256\t URL https://aka.ms/atasaguide-recenum Akamai rank: #256\t URL https://aka.ms/cp_r=" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "684a3719a2708183b1b16d00", "name": "Follow Bot (black-basta_cova_cryptb) affects threat researcher(s)account(s)", "description": "Surprised: \nFollow bot account affects threat researcher(s)account(s). % path , attempts DoS. Threatening account name,. \n\n\n(00285c99b52d41679b1aa3b8a80895b037df8a7500f4ad97ce06068eac4a95b7 | =\nfollow) \n|| {2025-05-20_bf3a6ba6e3421a7214ffbfe97642a578_amadey_black-basta_cova_cryptbot_elex_luca-stealer\nFastCopy5.9.0.exe}\n\nET DNS Query for .cc \n PROTOCOL-ICMP PATH MTU denial of service attempt\nPROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set", "modified": "2025-07-12T01:02:11.925000", "created": "2025-06-12T02:10:33.839000", "tags": [ "gtmkvjvztk", "open threat", "learn", "levelblue", "exchange meta", "tags twitter", "alienvault", "script tags", "iframe tags", "google tag", "html internet", "html document", "ascii text", "ta0004 defense", "evasion ta0005", "command", "control ta0011", "number", "cnmicrosoft ecc", "update secure", "server ca", "cus subject", "stwa lredmond", "omicrosoft c", "resolved ips", "get http", "dns resolutions", "request", "response", "windows nt", "win64", "khtml", "gecko", "defense evasion", "ta0009 command", "impact ta0040", "catalog tree", "analysis ob0001", "analysis ob0002", "ob0007 impact", "ob0012 file", "system oc0001", "process oc0003", "data oc0004", "oc0008", "get https", "vis1", "oid2", "post https", "cjutxg", "base64uidenc", "error https" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 162, "FileHash-SHA1": 28, "FileHash-SHA256": 2459, "domain": 889, "hostname": 1217, "URL": 4326, "FilePath": 1 }, "indicator_count": 9082, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "325 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65708e4e9c1be22930c7a9c9", "name": "Hiding in common sight, misplaced attribution as just being AD Fraud", "description": "", "modified": "2023-12-06T15:07:58.810000", "created": "2023-12-06T15:07:58.810000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 525, "domain": 91, "URL": 531, "hostname": 281, "FileHash-MD5": 1 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 110, "modified_text": "909 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6282747cb32e6183686525ca", "name": "Hiding in common sight, misplaced attribution as just being AD Fraud", "description": "Get ready for the Russians to take over cause while most of cyber has been sleeping thru this chronic abuse just putting it down to common low impact ad fraud your about to find out whats really going on!", "modified": "2022-06-15T00:01:21.489000", "created": "2022-05-16T15:57:48.548000", "tags": [ "found", "iptv", "ad", "click", "fraud", "hiding in common sight", "initial access brokerage", "creds", "dirtying tv traffic", "nefarious domain parking", "enterprise leverage via the average consumer", "analytics abuse", "CNAME cookie abuse", "Cookie abuse", "GDPR might as well not exist" ], "references": [ "Ad/click Fraud disguises much more", "initial access brokers", "http://aka.ms/LearnAboutSenderIdentification Akamai rank: #256\t URL http://aka.ms/LearnAboutSenderIdentification. Akamai rank: #256\t URL http://aka.ms/learnathon Akamai rank: #256\t URL https://aka.ms/atasaguide-recenum Akamai rank: #256\t URL https://aka.ms/cp_r=", "cant complete due to continious freezing" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dorkingbeauty1", "id": "80137", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 281, "URL": 531, "FileHash-SHA256": 525, "domain": 91, "FileHash-MD5": 1 }, "indicator_count": 1429, "is_author": false, "is_subscribing": null, "subscriber_count": 396, "modified_text": "1448 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "win2888.dev", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "win2888.dev", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780437996.9498363 }