URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Submission: On October 21 via api from CH

Summary

This website contacted 43 IPs in 7 countries across 33 domains to perform 177 HTTP transactions. The main IP is 208.74.207.25, located in United States and belongs to NEUSTAR-AS6 - NeuStar, Inc., US. The main domain is forums.juniper.net.
TLS certificate: Issued by DigiCert SHA2 High Assurance Server CA on August 16th 2019. Valid for: a year.
This is the only time forums.juniper.net was scanned on urlscan.io!

urlscan.io Verdict: No classification

Domain & IP information

IP Address AS Autonomous System
5 13 208.74.207.25 19905 (NEUSTAR-AS6)
21 2.18.232.23 16625 (AKAMAI-AS)
4 23.111.9.35 33438 (HIGHWINDS2)
1 2a00:1450:400... 15169 (GOOGLE)
2 2001:4de0:ac1... 20446 (HIGHWINDS3)
10 93.184.220.97 15133 (EDGECAST)
1 10 2a02:26f0:10:... 20940 (AKAMAI-ASN1)
2 93.184.220.41 15133 (EDGECAST)
2 52.30.78.155 16509 (AMAZON-02)
2 13.224.196.121 16509 (AMAZON-02)
1 13.225.78.27 16509 (AMAZON-02)
2 52.49.100.189 16509 (AMAZON-02)
1 1 66.117.28.86 15224 (OMNITURE)
8 2a03:2880:f01... 32934 (FACEBOOK)
1 2a00:1450:400... 15169 (GOOGLE)
4 151.101.112.157 54113 (FASTLY)
1 1 2606:2800:234... 15133 (EDGECAST)
1 1 68.67.153.60 29990 (ASN-APPNEXUS)
2 2 185.33.223.100 29990 (ASN-APPNEXUS)
1 13.225.78.79 16509 (AMAZON-02)
1 2a00:1450:400... 15169 (GOOGLE)
1 66.117.29.3 15224 (OMNITURE)
9 104.244.42.197 13414 (TWITTER)
5 2a03:2880:f11... 32934 (FACEBOOK)
1 65.52.62.25 8075 (MICROSOFT...)
5 18 2a00:1450:400... 15169 (GOOGLE)
3 2a00:1450:400... 15169 (GOOGLE)
1 34.253.43.81 16509 (AMAZON-02)
6 2a00:1450:400... 15169 (GOOGLE)
10 143.204.101.123 16509 (AMAZON-02)
9 104.244.42.67 13414 (TWITTER)
1 95.100.78.166 16625 (AKAMAI-AS)
1 2a00:1450:400... 15169 (GOOGLE)
1 2 172.217.18.102 15169 (GOOGLE)
1 2 216.58.205.230 15169 (GOOGLE)
3 216.58.207.66 15169 (GOOGLE)
4 2a00:1450:400... 15169 (GOOGLE)
4 34.201.194.177 14618 (AMAZON-AES)
2 2 209.167.231.17 7160 (NETDYNAMICS)
1 104.111.241.32 16625 (AKAMAI-AS)
1 2 2a00:1450:400... 15169 (GOOGLE)
10 2a00:1450:400... 15169 (GOOGLE)
3 9 2a00:1450:400... 15169 (GOOGLE)
2 143.204.101.126 16509 (AMAZON-02)
2 2 52.213.193.252 16509 (AMAZON-02)
1 2 54.230.95.207 16509 (AMAZON-02)
2 143.204.101.13 16509 (AMAZON-02)
2 2a05:f500:11:... 14413 (LINKEDIN)
177 43
Apex Domain
Subdomains
Transfer
29 juniper.net
forums.juniper.net
www.juniper.net
research.juniper.net
783 KB
21 google.com
www.google.com
cse.google.com
clients1.google.com
267 KB
21 adobedtm.com
assets.adobedtm.com
107 KB
15 doubleclick.net
5922977.fls.doubleclick.net
3872718.fls.doubleclick.net
stats.g.doubleclick.net
googleads.g.doubleclick.net
15 KB
10 google.de
www.google.de
1 KB
10 rmulus.com
secure.rmulus.com
lookups.rmulus.com
collect.rmulus.com
31 KB
10 twitter.com
platform.twitter.com
analytics.twitter.com
2 KB
10 lithium.com
jnet.i.lithium.com
568 KB
9 t.co
t.co
1 KB
8 facebook.net
connect.facebook.net
391 KB
6 googletagmanager.com
www.googletagmanager.com
187 KB
5 facebook.com
www.facebook.com
246 B
4 company-target.com
api.company-target.com
segments.company-target.com
3 KB
4 google-analytics.com
www.google-analytics.com
18 KB
4 ads-twitter.com
static.ads-twitter.com
8 KB
4 fontawesome.com
use.fontawesome.com
88 KB
3 googleadservices.com
www.googleadservices.com
27 KB
3 omtrdc.net
junipernetworks.d2.sc.omtrdc.net
junipernetworks.tt.omtrdc.net
1 KB
3 demandbase.com
scripts.demandbase.com
api.demandbase.com
19 KB
3 demdex.net
dpm.demdex.net
junipernetworks.demdex.net
2 KB
3 webtype.com
cloud.webtype.com
pls.webtype.com
75 KB
3 googleapis.com
ajax.googleapis.com
fonts.googleapis.com
www.googleapis.com
30 KB
2 linkedin.com
px.ads.linkedin.com
172 B
2 bidr.io
match.prod.bidr.io
752 B
2 eloqua.com
s1229.t.eloqua.com
1 KB
2 adnxs.com
secure.adnxs.com
2 KB
2 bootstrapcdn.com
maxcdn.bootstrapcdn.com
29 KB
1 bluekai.com
tags.bluekai.com
745 B
1 en25.com
img.en25.com
3 KB
1 google.ca
www.google.ca
7 KB
1 ml-api.io
attr.ml-api.io
484 B
1 ml-attr.com
s.ml-attr.com
277 B
1 everesttech.net
cm.everesttech.net
527 B
177 33
Domain Requested by
21 assets.adobedtm.com forums.juniper.net
assets.adobedtm.com
18 www.google.com 5 redirects www.google.ca
cse.google.com
forums.juniper.net
13 forums.juniper.net 5 redirects forums.juniper.net
10 www.google.de forums.juniper.net
10 www.juniper.net 1 redirects forums.juniper.net
10 jnet.i.lithium.com forums.juniper.net
use.fontawesome.com
9 googleads.g.doubleclick.net 3 redirects www.googleadservices.com
9 analytics.twitter.com static.ads-twitter.com
9 t.co forums.juniper.net
static.ads-twitter.com
8 connect.facebook.net assets.adobedtm.com
connect.facebook.net
forums.juniper.net
6 research.juniper.net secure.rmulus.com
research.juniper.net
6 www.googletagmanager.com assets.adobedtm.com
forums.juniper.net
research.juniper.net
5 www.facebook.com forums.juniper.net
connect.facebook.net
4 lookups.rmulus.com secure.rmulus.com
4 www.google-analytics.com forums.juniper.net
4 secure.rmulus.com assets.adobedtm.com
secure.rmulus.com
4 static.ads-twitter.com assets.adobedtm.com
forums.juniper.net
4 use.fontawesome.com forums.juniper.net
use.fontawesome.com
3 www.googleadservices.com www.googletagmanager.com
2 px.ads.linkedin.com research.juniper.net
2 collect.rmulus.com forums.juniper.net
2 segments.company-target.com 1 redirects forums.juniper.net
2 match.prod.bidr.io 2 redirects
2 api.company-target.com scripts.demandbase.com
2 stats.g.doubleclick.net 1 redirects forums.juniper.net
2 s1229.t.eloqua.com 2 redirects
2 3872718.fls.doubleclick.net 1 redirects assets.adobedtm.com
2 5922977.fls.doubleclick.net 1 redirects assets.adobedtm.com
2 cse.google.com forums.juniper.net
www.google.com
2 secure.adnxs.com 2 redirects
2 junipernetworks.d2.sc.omtrdc.net assets.adobedtm.com
forums.juniper.net
2 scripts.demandbase.com assets.adobedtm.com
2 dpm.demdex.net assets.adobedtm.com
forums.juniper.net
2 cloud.webtype.com forums.juniper.net
2 maxcdn.bootstrapcdn.com forums.juniper.net
1 tags.bluekai.com forums.juniper.net
1 clients1.google.com forums.juniper.net
1 www.googleapis.com forums.juniper.net
1 img.en25.com forums.juniper.net
1 junipernetworks.demdex.net assets.adobedtm.com
1 pls.webtype.com forums.juniper.net
1 junipernetworks.tt.omtrdc.net assets.adobedtm.com
1 www.google.ca forums.juniper.net
1 attr.ml-api.io forums.juniper.net
1 s.ml-attr.com 1 redirects
1 platform.twitter.com 1 redirects
1 fonts.googleapis.com forums.juniper.net
1 cm.everesttech.net 1 redirects
1 api.demandbase.com assets.adobedtm.com
1 ajax.googleapis.com forums.juniper.net
177 50
Subject Issuer Validity Valid
secure07.lithium.com
DigiCert SHA2 High Assurance Server CA
2019-08-16 -
2020-09-02
a year crt.sh
assets.adobedtm.com
DigiCert SHA2 High Assurance Server CA
2019-09-27 -
2021-10-01
2 years crt.sh
*.fontawesome.com
DigiCert SHA2 Secure Server CA
2018-09-17 -
2019-11-21
a year crt.sh
*.googleapis.com
GTS CA 1O1
2019-10-03 -
2019-12-26
3 months crt.sh
*.bootstrapcdn.com
Sectigo RSA Domain Validation Secure Server CA
2019-09-14 -
2020-10-13
a year crt.sh
*.i.lithium.com
Go Daddy Secure Certificate Authority - G2
2017-11-28 -
2020-01-28
2 years crt.sh
www.juniper.net
DigiCert SHA2 Secure Server CA
2019-05-17 -
2020-08-15
a year crt.sh
s1.wac.edgecastcdn.net
DigiCert SHA2 Secure Server CA
2018-11-05 -
2020-11-20
2 years crt.sh
*.demdex.net
DigiCert SHA2 High Assurance Server CA
2018-01-09 -
2021-02-12
3 years crt.sh
*.demandbase.com
Go Daddy Secure Certificate Authority - G2
2018-09-20 -
2020-11-19
2 years crt.sh
*.d2.sc.omtrdc.net
DigiCert SHA2 High Assurance Server CA
2019-04-23 -
2020-04-14
a year crt.sh
*.facebook.com
DigiCert SHA2 High Assurance Server CA
2019-09-22 -
2019-12-20
3 months crt.sh
ads-twitter.com
DigiCert SHA2 High Assurance Server CA
2019-08-14 -
2020-08-18
a year crt.sh
*.ml-api.io
Amazon
2019-02-22 -
2020-03-22
a year crt.sh
*.google.com
GTS CA 1O1
2019-10-03 -
2019-12-26
3 months crt.sh
*.tt.omtrdc.net
DigiCert SHA2 High Assurance Server CA
2017-10-19 -
2020-11-25
3 years crt.sh
t.co
DigiCert SHA2 High Assurance Server CA
2019-04-09 -
2020-04-01
a year crt.sh
*.webtype.com
Sectigo RSA Domain Validation Secure Server CA
2019-06-30 -
2021-07-12
2 years crt.sh
www.google.com
GTS CA 1O1
2019-10-03 -
2019-12-26
3 months crt.sh
*.google-analytics.com
GTS CA 1O1
2019-10-03 -
2019-12-26
3 months crt.sh
rmulus.com
Amazon
2019-04-23 -
2020-05-23
a year crt.sh
*.twitter.com
DigiCert SHA2 High Assurance Server CA
2019-04-09 -
2020-04-01
a year crt.sh
*.en25.com
DigiCert SHA2 Secure Server CA
2019-06-21 -
2020-08-19
a year crt.sh
*.doubleclick.net
GTS CA 1O1
2019-10-03 -
2019-12-26
3 months crt.sh
www.googleadservices.com
GTS CA 1O1
2019-10-03 -
2019-12-26
3 months crt.sh
odc-prod-01.oracle.com
DigiCert ECC Secure Server CA
2018-12-10 -
2020-03-10
a year crt.sh
*.g.doubleclick.net
GTS CA 1O1
2019-10-03 -
2019-12-26
3 months crt.sh
www.google.de
GTS CA 1O1
2019-10-03 -
2019-12-26
3 months crt.sh
*.company-target.com
Go Daddy Secure Certificate Authority - G2
2019-06-19 -
2021-08-18
2 years crt.sh
px.ads.linkedin.com
DigiCert SHA2 Secure Server CA
2019-05-29 -
2021-06-29
2 years crt.sh

This page contains 13 frames:

Primary Page: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Frame ID: F6891A4CE00B895A392F08731D396EFF
Requests: 118 HTTP requests in this frame

Frame: https://junipernetworks.demdex.net/dest5.html?d_nsid=0
Frame ID: 7CE4D21AE263921A2E1068FD538511EA
Requests: 1 HTTP requests in this frame

Frame: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5caeb27864746d4fde0010d0.html
Frame ID: 8B9A7E1F597DDE1D8BF1041D053C9BC0
Requests: 1 HTTP requests in this frame

Frame: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5d487bc864746d25bd00073a.html
Frame ID: 489DD825F1621D6B8949E300D6ED35C7
Requests: 1 HTTP requests in this frame

Frame: https://5922977.fls.doubleclick.net/activityi;dc_pre=COPm97S4reUCFdCA3godGKEBlg;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=2656885376668.787
Frame ID: 5B2140BA4129831C3A4E9973238B9C4D
Requests: 1 HTTP requests in this frame

Frame: https://3872718.fls.doubleclick.net/activityi;dc_pre=CJH89rS4reUCFY36dwodplMGuA;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=5530350572044.805
Frame ID: 2269561EC1548D577C7E1BC0786EE785
Requests: 1 HTTP requests in this frame

Frame: https://secure.rmulus.com/?_pevId=x6EmWOEL6OyACr3CNgUaa8BgLIQkgHGj-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=enabled&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dpgvw%26_pdataSource%3Dweb%26_pqStr%3Denabled%26jnpr_vID%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=pgvw&_pdataSource=web&jnpr_vID=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pidSource=secure.rmulus.com&_pidName=rmulusId&_pclIp=disabled&_plkpPrfl=disabled
Frame ID: F684D9E3677BD09F9B7CEFA2CF2818F8
Requests: 1 HTTP requests in this frame

Frame: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Frame ID: 32868EAA3AF6A5D695133B75605B4AA7
Requests: 24 HTTP requests in this frame

Frame: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Frame ID: 436DCAFD30ED006267A8A187ACFB431C
Requests: 26 HTTP requests in this frame

Frame: https://www.facebook.com/tr/
Frame ID: 8CEECA65E54EBD1A04C7F9DA32E189C2
Requests: 1 HTTP requests in this frame

Frame: https://www.facebook.com/tr/
Frame ID: 347058D539CA32FB075B843F309E9928
Requests: 1 HTTP requests in this frame

Frame: https://www.facebook.com/tr/
Frame ID: 0C24C247425643CEB6756962DCB4435C
Requests: 1 HTTP requests in this frame

Frame: https://www.facebook.com/tr/
Frame ID: 834603C8448F143F8C2724E5717AA098
Requests: 1 HTTP requests in this frame

Screenshot


Detected technologies

Overall confidence: 100%
Detected patterns
  • html /<link[^>]+?href="[^"]*bootstrap(?:\.min)?\.css/i
  • script /(?:\/([\d.]+))?(?:\/js)?\/bootstrap(?:\.min)?\.js/i

Overall confidence: 100%
Detected patterns
  • headers server /(?:Apache(?:$|\/([\d.]+)|[^\/-])|(?:^|\b)HTTPD)/i

Overall confidence: 100%
Detected patterns
  • script /\/\/assets.adobedtm.com\//i

Overall confidence: 100%
Detected patterns
  • script /\/\/connect\.facebook\.net\/[^\/]*\/[a-z]*\.js/i

Overall confidence: 100%
Detected patterns
  • html /<script[^>]* src=[^>]+fontawesome(?:\.js)?/i

Overall confidence: 100%
Detected patterns
  • script /google-analytics\.com\/(?:ga|urchin|analytics)\.js/i

Overall confidence: 100%
Detected patterns
  • script /\/([\d.]+)\/jquery(?:\.min)?\.js/i
  • script /jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?/i

Page Statistics

177
Requests

100 %
HTTPS

35 %
IPv6

33
Domains

50
Subdomains

43
IPs

7
Countries

2651 kB
Transfer

9863 kB
Size

2
Cookies

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 10
  • https://www.juniper.net/techpubs/assets/css/style/style.min.css HTTP 301
  • https://www.juniper.net/documentation/assets/css/style/style.min.css
Request Chain 25
  • https://cm.everesttech.net/cm/dd?d_uuid=40611432642373395391657003048716690702 HTTP 302
  • https://dpm.demdex.net/ibs:dpid=411&dpuuid=Xa2wPgAAFBu0Yzx0
Request Chain 31
  • https://platform.twitter.com/oct.js HTTP 301
  • https://static.ads-twitter.com/oct.js
Request Chain 32
  • https://s.ml-attr.com/getuid?https%3a%2f%2fattr.ml-api.io%2f%3fdomain%3djuniper.net%26pId%3d%24UID HTTP 302
  • https://secure.adnxs.com/getuid?https%3a%2f%2fattr.ml-api.io%2f%3fdomain%3djuniper.net%26pId%3d%24UID HTTP 302
  • https://secure.adnxs.com/bounce?%2Fgetuid%3Fhttps%253a%252f%252fattr.ml-api.io%252f%253fdomain%253djuniper.net%2526pId%253d%2524UID HTTP 302
  • https://attr.ml-api.io/?domain=juniper.net&pId=4919953082322347275
Request Chain 47
  • https://forums.juniper.net/assets/scripts/jnpr.min.js HTTP 301
  • https://forums.juniper.net/html/assets/scripts/jnpr.min.js
Request Chain 48
  • https://forums.juniper.net/assets/scripts/footer-injection.js HTTP 301
  • https://forums.juniper.net/html/assets/scripts/footer-injection.js
Request Chain 57
  • https://www.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm HTTP 302
  • https://cse.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm
Request Chain 64
  • https://forums.juniper.net/assets/svg/png/twitter.png HTTP 301
  • https://forums.juniper.net/html/assets/svg/png/twitter.png
Request Chain 65
  • https://forums.juniper.net/assets/svg/png/youtube.png HTTP 301
  • https://forums.juniper.net/html/assets/svg/png/youtube.png
Request Chain 66
  • https://forums.juniper.net/assets/svg/linkedin-circle.svg HTTP 301
  • https://forums.juniper.net/html/assets/svg/linkedin-circle.svg
Request Chain 98
  • https://5922977.fls.doubleclick.net/activityi;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=2656885376668.787 HTTP 302
  • https://5922977.fls.doubleclick.net/activityi;dc_pre=COPm97S4reUCFdCA3godGKEBlg;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=2656885376668.787
Request Chain 99
  • https://3872718.fls.doubleclick.net/activityi;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=5530350572044.805 HTTP 302
  • https://3872718.fls.doubleclick.net/activityi;dc_pre=CJH89rS4reUCFY36dwodplMGuA;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=5530350572044.805
Request Chain 104
  • https://s1229.t.eloqua.com/visitor/v200/svrGP?pps=3&siteid=1229&ref2=elqNone&tzo=-60&ms=99&optin=disabled HTTP 302
  • https://s1229.t.eloqua.com/visitor/v200/svrGP.aspx?pps=3&siteid=1229&ref2=elqNone&tzo=-60&ms=99&optin=disabled&elqCookie=1 HTTP 302
  • https://tags.bluekai.com/site/37366?vid=679a745650d24cc085eb77d8965b2862
Request Chain 110
  • https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3&v=1&_v=j79&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&gjid=1638796004&_gid=1491227351.1571663936&_u=YGDAgEAB~&z=358956172 HTTP 302
  • https://www.google.com/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&_v=j79&z=358956172 HTTP 302
  • https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&_v=j79&z=358956172&slf_rd=1&random=1075004916
Request Chain 114
  • https://match.prod.bidr.io/cookie-sync/demandbase HTTP 303
  • https://match.prod.bidr.io/cookie-sync/demandbase?_bee_ppp=1 HTTP 303
  • https://segments.company-target.com/log?vendor=choca&user_id=AAIRN067W2EAAD8-oGx-9g HTTP 303
  • https://segments.company-target.com/validateCookie?vendor=choca&user_id=AAIRN067W2EAAD8-oGx-9g&verifyHash=c98c9f6f68c4dea536d7f502bae74584fd247a32
Request Chain 156
  • https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663937200&cv=9&fst=1571663937200&num=1&fmt=3&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1 HTTP 302
  • https://www.google.com/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3031433607&resp=GooglemKTybQhCsO HTTP 302
  • https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3031433607&resp=GooglemKTybQhCsO&ipr=y
Request Chain 157
  • https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663937200&cv=9&fst=1571663937200&num=1&fmt=3&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1 HTTP 302
  • https://www.google.com/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=2817242393&resp=GooglemKTybQhCsO HTTP 302
  • https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=2817242393&resp=GooglemKTybQhCsO&ipr=y
Request Chain 161
  • https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663937204&cv=9&fst=1571663937204&num=1&fmt=3&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1 HTTP 302
  • https://www.google.com/pagead/1p-user-list/956680084/?random=1571663937204&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3590609516&resp=GooglemKTybQhCsO HTTP 302
  • https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937204&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3590609516&resp=GooglemKTybQhCsO&ipr=y

177 HTTP transactions

Resource
Path
Size
x-fer
Type
MIME-Type
Primary Request Cookie set Masad-Stealer-Exfiltrating-using-Telegram
forums.juniper.net/t5/Threat-Research/
65 KB
66 KB
Document
General
Full URL
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),
Reverse DNS
jnet.lithium.com
Software
Apache /
Resource Hash
3236d2dc701f583a81401e777323e8026c6342c1e5bb5ac7fb9262f929227b1c
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Host
forums.juniper.net
Connection
keep-alive
Pragma
no-cache
Cache-Control
no-cache
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
navigate
Sec-Fetch-User
?1
Accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site
none
Accept-Encoding
gzip, deflate, br
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
navigate
Sec-Fetch-User
?1

Response headers

Date
Mon, 21 Oct 2019 13:18:53 GMT
Server
Apache
Strict-Transport-Security
max-age=31536000;includeSubDomains
Set-Cookie
LiSESSIONID=C259BB5C9CBBBF2313D1748661C1D818; Path=/; Secure; HttpOnly LithiumUserInfo=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ LithiumUserSecure=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ LithiumVisitor=~2YWLl8CzxoslPBgdv~tD2x-39eeRDXC2ihZPAzYN7E2fFY-ORgz2n_u4Eic3dgIRxAEdEMBbqYhrkokQCP3ac4Fb0xDl1GoT1WRZOMTQ..; Expires=Thu, 18-Oct-2029 13:18:53 GMT; Path=/; HttpOnly
Pragma
no-cache
Expires
Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control
no-cache, no-store, must-revalidate, private
Connection
close
Transfer-Encoding
chunked
Content-Type
text/html;charset=UTF-8
satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/
216 KB
55 KB
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
0620feb9ea1ef87a0f1fd0df37a90ef556afb630b3360be72266f4f505dc42b4

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:53 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:22 GMT
server
AkamaiNetStorage
etag
"9188a98a6ce424d358bd2e480f5360ce:1571335282.099072"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
55978
expires
Mon, 21 Oct 2019 14:18:53 GMT
878544ee83.js
use.fontawesome.com/
9 KB
4 KB
Script
General
Full URL
https://use.fontawesome.com/878544ee83.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
23.111.9.35 Phoenix, United States, ASN33438 (HIGHWINDS2 - Highwinds Network Group, Inc., US),
Reverse DNS
Software
NetDNA-cache/2.2 /
Resource Hash
79e16119ceda988947279eb9addd1869b4270af3967b69ec9e09713ae4b6572b

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:53 GMT
content-encoding
gzip
last-modified
Thu, 06 Jul 2017 20:04:23 GMT
server
NetDNA-cache/2.2
x-amz-request-id
0D6A6C1A102791EB
etag
W/"734c7204bf19e6c6fe89c31ce2ed51a6"
x-cache
HIT
content-type
text/javascript
status
200
cache-control
max-age=0, private, must-revalidate
x-amz-id-2
jg4RW35GqIb0JSj/rzJU56zTW1OK3NoDhiaHngE7bDzAnxLFA8xyca81EuYdw+GxW22aCIxf7vM=
jquery.min.js
ajax.googleapis.com/ajax/libs/jquery/2.1.4/
82 KB
29 KB
Script
General
Full URL
https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:820::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
sffe /
Resource Hash
22642f202577f0ba2f22cbe56b6cf291a09374487567cd3563e0d2a29f75c0c5
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Fri, 11 Oct 2019 10:01:17 GMT
content-encoding
gzip
x-content-type-options
nosniff
age
875856
status
200
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
29725
x-xss-protection
0
last-modified
Tue, 20 Dec 2016 18:17:03 GMT
server
sffe
vary
Accept-Encoding
content-type
text/javascript; charset=UTF-8
access-control-allow-origin
*
cache-control
public, max-age=31536000, stale-while-revalidate=2592000
accept-ranges
bytes
timing-allow-origin
*
expires
Sat, 10 Oct 2020 10:01:17 GMT
bootstrap.min.css
maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/
118 KB
19 KB
Stylesheet
General
Full URL
https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2001:4de0:ac19::1:b:2a , Netherlands, ASN20446 (HIGHWINDS3 - Highwinds Network Group, Inc., US),
Reverse DNS
Software
/
Resource Hash
f75e846cc83bd11432f4b1e21a45f31bc85283d11d372f7b19accd1bf6a2635c

Request headers

Sec-Fetch-Mode
cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Origin
https://forums.juniper.net
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:53 GMT
content-encoding
gzip
last-modified
Wed, 12 Dec 2018 18:34:07 GMT
status
200
etag
"1544639647"
vary
Accept-Encoding
x-cache
HIT
content-type
text/css; charset=utf-8
access-control-allow-origin
*
cache-control
public, max-age=31536000
x-hello-human
Say hello back! @getBootstrapCDN on Twitter
accept-ranges
bytes
timing-allow-origin
*
content-length
19740
bootstrap.min.js
maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/
36 KB
10 KB
Script
General
Full URL
https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2001:4de0:ac19::1:b:2a , Netherlands, ASN20446 (HIGHWINDS3 - Highwinds Network Group, Inc., US),
Reverse DNS
Software
/
Resource Hash
53964478a7c634e8dad34ecc303dd8048d00dce4993906de1bacf67f663486ef

Request headers

Sec-Fetch-Mode
cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Origin
https://forums.juniper.net
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:53 GMT
content-encoding
gzip
last-modified
Wed, 12 Dec 2018 18:33:51 GMT
status
200
etag
"1544639631"
vary
Accept-Encoding
x-cache
HIT
content-type
text/javascript; charset=utf-8
access-control-allow-origin
*
cache-control
public, max-age=31536000
x-hello-human
Say hello back! @getBootstrapCDN on Twitter
accept-ranges
bytes
timing-allow-origin
*
content-length
9832
juniperresponsive.css
jnet.i.lithium.com/skins/3844011/78d9481934a9081393f958263d2558df/
2 MB
236 KB
Stylesheet
General
Full URL
https://jnet.i.lithium.com/skins/3844011/78d9481934a9081393f958263d2558df/juniperresponsive.css
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),
Reverse DNS
Software
ECS (fcn/41D8) /
Resource Hash
d2474340ff2bb92f87a9ff9df68cd9bb04ec042a4af464d42d76ad69d9b2a67d
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:53 GMT
content-encoding
gzip
last-modified
Sat, 14 Sep 2019 01:41:53 GMT
server
ECS (fcn/41D8)
vary
Accept-Encoding
x-cache
HIT
content-type
text/css;charset=UTF-8
status
200
cache-control
s-maxage=582093
strict-transport-security
max-age=31536000;includeSubDomains
accept-ranges
bytes
content-length
241472
expires
Tue, 20 Oct 2020 13:18:53 GMT
vtoolkit-extras.css
www.juniper.net/us/en/community/css/
4 KB
2 KB
Stylesheet
General
Full URL
https://www.juniper.net/us/en/community/css/vtoolkit-extras.css
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),
Reverse DNS
Software
Apache /
Resource Hash
626ef4978a3758ced595afe37b89812432ef49fe3f967d2cd8e1321459b3a9b8
Security Headers
Name Value
Content-Security-Policy upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
Strict-Transport-Security max-age=31536000
X-Xss-Protection 1; mode=block

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

content-security-policy
upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
content-encoding
gzip
vary
Accept-Encoding
status
200
strict-transport-security
max-age=31536000
content-length
1365
x-xss-protection
1; mode=block
x-ua-compatible
IE=edge,chrome=1
last-modified
Tue, 16 Sep 2014 23:06:53 GMT
server
Apache
date
Mon, 21 Oct 2019 13:18:53 GMT
access-control-max-age
1000
access-control-allow-methods
POST, GET, OPTIONS, PUT
content-type
text/css
access-control-allow-origin
*
cache-control
public, max-age=37506
access-control-allow-headers
x-requested-with, Content-Type, origin, authorization, accept, client-security-token
grunticon.loader.js
www.juniper.net/assets/svg/
804 B
1001 B
Script
General
Full URL
https://www.juniper.net/assets/svg/grunticon.loader.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),
Reverse DNS
Software
Apache /
Resource Hash
b1110f2c7ae9f0a22977c4df6431fdfef92d1e8223f9734713e57aeb2ee96fcf
Security Headers
Name Value
Content-Security-Policy upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
Strict-Transport-Security max-age=31536000
X-Xss-Protection 1; mode=block

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

content-security-policy
upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
content-encoding
gzip
vary
Accept-Encoding
status
200
strict-transport-security
max-age=31536000
content-length
514
x-xss-protection
1; mode=block
x-ua-compatible
IE=edge,chrome=1
last-modified
Mon, 02 Oct 2017 07:57:28 GMT
server
Apache
date
Mon, 21 Oct 2019 13:18:53 GMT
access-control-max-age
1000
access-control-allow-methods
POST, GET, OPTIONS, PUT
content-type
application/javascript
access-control-allow-origin
*
cache-control
public, max-age=83100
accept-ranges
bytes
access-control-allow-headers
x-requested-with, Content-Type, origin, authorization, accept, client-security-token
lib.min.js
www.juniper.net/assets/library/
202 KB
65 KB
Script
General
Full URL
https://www.juniper.net/assets/library/lib.min.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),
Reverse DNS
Software
Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43 /
Resource Hash
eec3860fdc0bff086a73a04051948c4e76ea29a6b61eaa870083739555b83f64
Security Headers
Name Value
Content-Security-Policy upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
Strict-Transport-Security max-age=31536000
X-Xss-Protection 1; mode=block

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

content-security-policy
upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
content-encoding
gzip
vary
Accept-Encoding
status
200
strict-transport-security
max-age=31536000
content-length
66076
x-xss-protection
1; mode=block
x-ua-compatible
IE=edge,chrome=1
last-modified
Mon, 02 Oct 2017 07:57:27 GMT
server
Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43
date
Mon, 21 Oct 2019 13:18:53 GMT
access-control-max-age
1000
access-control-allow-methods
POST, GET, OPTIONS, PUT
content-type
application/javascript
access-control-allow-origin
*
cache-control
public, max-age=160920
accept-ranges
bytes
access-control-allow-headers
x-requested-with, Content-Type, origin, authorization, accept, client-security-token
jnpr.min.js
www.juniper.net/assets/scripts/
339 KB
103 KB
Script
General
Full URL
https://www.juniper.net/assets/scripts/jnpr.min.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),
Reverse DNS
Software
Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43 /
Resource Hash
2c9f1c57bc31c65cdb84a1c44c0c91fc88799512fd87c5bc6e52b21f69abd5d0
Security Headers
Name Value
Content-Security-Policy upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
Strict-Transport-Security max-age=31536000
X-Xss-Protection 1; mode=block

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

content-security-policy
upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
content-encoding
gzip
vary
Accept-Encoding
status
200
strict-transport-security
max-age=31536000
content-length
104943
x-xss-protection
1; mode=block
x-ua-compatible
IE=edge,chrome=1
last-modified
Fri, 09 Nov 2018 18:57:29 GMT
server
Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43
date
Mon, 21 Oct 2019 13:18:53 GMT
access-control-max-age
1000
access-control-allow-methods
POST, GET, OPTIONS, PUT
content-type
application/javascript
access-control-allow-origin
*
cache-control
public, max-age=66828
accept-ranges
bytes
access-control-allow-headers
x-requested-with, Content-Type, origin, authorization, accept, client-security-token
style.min.css
www.juniper.net/documentation/assets/css/style/
Redirect Chain
  • https://www.juniper.net/techpubs/assets/css/style/style.min.css
  • https://www.juniper.net/documentation/assets/css/style/style.min.css
2 MB
405 KB
Stylesheet
General
Full URL
https://www.juniper.net/documentation/assets/css/style/style.min.css
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),
Reverse DNS
Software
Apache /
Resource Hash
79340c32d5422c3331db60c78f9854b0d9c0a9bd0f9c454b7398734c1b990658
Security Headers
Name Value
Content-Security-Policy upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
Strict-Transport-Security max-age=31536000
X-Xss-Protection 1; mode=block

Request headers

Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

content-security-policy
upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
content-encoding
gzip
vary
Accept-Encoding
status
200
strict-transport-security
max-age=31536000
x-xss-protection
1; mode=block
x-ua-compatible
IE=edge,chrome=1
last-modified
Mon, 17 Oct 2016 23:30:57 GMT
server
Apache
date
Mon, 21 Oct 2019 13:18:54 GMT
access-control-max-age
1000
access-control-allow-methods
POST, GET, OPTIONS, PUT
content-type
text/css
access-control-allow-origin
*
cache-control
max-age=259200, public
access-control-allow-headers
x-requested-with, Content-Type, origin, authorization, accept, client-security-token

Redirect headers

content-security-policy
upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
access-control-allow-origin
*
status
301
strict-transport-security
max-age=31536000
content-length
275
x-xss-protection
1; mode=block
x-ua-compatible
IE=edge,chrome=1
server
Apache
date
Mon, 21 Oct 2019 13:18:54 GMT
access-control-max-age
1000
access-control-allow-methods
POST, GET, OPTIONS, PUT
content-type
text/html; charset=iso-8859-1
location
https://www.juniper.net/documentation/assets/css/style/style.min.css
cache-control
max-age=5
accept-ranges
bytes
access-control-allow-headers
x-requested-with, Content-Type, origin, authorization, accept, client-security-token
expires
Mon, 21 Oct 2019 13:18:58 GMT
05cb80fc-3221-476f-983d-76dfa0b1370c.css
cloud.webtype.com/css/
38 KB
9 KB
Stylesheet
General
Full URL
https://cloud.webtype.com/css/05cb80fc-3221-476f-983d-76dfa0b1370c.css
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
93.184.220.41 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),
Reverse DNS
Software
ECS (fcn/418E) /
Resource Hash
3eadffc329fb1c32ee10e809962cb4114a71d92b0f30db0b9ba9bef6abc91015

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:59 GMT
content-encoding
gzip
last-modified
Wed, 31 Jan 2018 08:43:22 GMT
server
ECS (fcn/418E)
status
200
etag
"870837579"
vary
Accept-Encoding
x-cache
HIT
content-type
text/css
access-control-allow-origin
*
cache-control
max-age=604800
accept-ranges
bytes
content-length
8995
expires
Mon, 28 Oct 2019 13:18:59 GMT
id
dpm.demdex.net/
374 B
1 KB
XHR
General
Full URL
https://dpm.demdex.net/id?d_visid_ver=3.1.2&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_orgid=D206123F524450F50A490D45%40AdobeOrg&d_nsid=0&ts=1571663933960
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
52.30.78.155 Dublin, Ireland, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
ec2-52-30-78-155.eu-west-1.compute.amazonaws.com
Software
/
Resource Hash
0eb2263b102275bbff7847e76a3668c516c2db3d2f6523b94259525ab8124a4b
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubDomains

Request headers

Sec-Fetch-Mode
cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Type
application/x-www-form-urlencoded

Response headers

DCS
dcs-prod-irl1-v048-090367e9c.edge-irl1.demdex.com 5.61.0.20191015084456 2ms (+0ms)
Pragma
no-cache
Strict-Transport-Security
max-age=31536000; includeSubDomains
Content-Encoding
gzip
X-TID
ViWKxQ6WTVQ=
Vary
Origin, Accept-Encoding, User-Agent
P3P
policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT"
Access-Control-Allow-Origin
https://forums.juniper.net
Cache-Control
no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private
Access-Control-Allow-Credentials
true
Connection
keep-alive
Content-Type
application/json;charset=utf-8
Content-Length
310
Expires
Thu, 01 Jan 1970 00:00:00 GMT
mbox-contents-ba151bac91f2b7214d881fb194e167b525fadece.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/
74 KB
27 KB
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/mbox-contents-ba151bac91f2b7214d881fb194e167b525fadece.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
9912c03b52a7cb0fc11bde58e200010eca671219552929b31be4c2e26c0e10c3

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Intervention
<https://www.chromestatus.com/feature/5718547946799104>; level="warning"

Response headers

date
Mon, 21 Oct 2019 13:18:53 GMT
content-encoding
gzip
last-modified
Wed, 16 Oct 2019 15:57:41 GMT
server
AkamaiNetStorage
etag
"b8f6521187f987f1e079c5d7031aabec:1571241461.429591"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
27369
expires
Mon, 21 Oct 2019 14:18:53 GMT
satellite-57b12a8364746d4d41000291.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
3 KB
1 KB
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-57b12a8364746d4d41000291.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
e8a8cd48f7f93a8c8d708eda1f3f9c6ddd886c3f6c38eee67aeac98897b09510

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Intervention
<https://www.chromestatus.com/feature/5718547946799104>; level="warning"

Response headers

date
Mon, 21 Oct 2019 13:18:53 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:28 GMT
server
AkamaiNetStorage
etag
"3b522f8dca2496b57a53408a29d518bb:1571335288.312743"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
984
expires
Mon, 21 Oct 2019 14:18:53 GMT
wRPiG49f.min.js
scripts.demandbase.com/adobeanalytics/
5 KB
2 KB
Script
General
Full URL
https://scripts.demandbase.com/adobeanalytics/wRPiG49f.min.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
13.224.196.121 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-13-224-196-121.fra2.r.cloudfront.net
Software
AmazonS3 /
Resource Hash
640ab2801ebaaac35a628d23dfe09caac3ba92b4ad30519a876620e1e8505b7b

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

x-amz-version-id
urW4QnYue10YN_dcWsUElf7M0TP7x_nm
content-encoding
gzip
last-modified
Mon, 14 Oct 2019 21:05:25 GMT
server
AmazonS3
age
8033
date
Mon, 21 Oct 2019 11:05:01 GMT
vary
Accept-Encoding
x-cache
Hit from cloudfront
content-type
application/javascript
status
200
x-amz-cf-pop
FRA2-C1
x-amz-cf-id
SbCmSgPPBpLQcD0wncmzs8RUT4_W1DMDwcltw4FmpUfSGl4mQ5yWCg==
via
1.1 172e63b20fb363ed969de28ae3937e21.cloudfront.net (CloudFront)
ip.json
api.demandbase.com/api/v2/
445 B
885 B
Script
General
Full URL
https://api.demandbase.com/api/v2/ip.json?key=364bbfa27ca300ef9638e9d163c1fb03&callback=Dmdbase_CDC.callback
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
13.225.78.27 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-13-225-78-27.fra2.r.cloudfront.net
Software
nginx /
Resource Hash
2381b47f8892f725ff4cc6758375a338efbea0fc9178e18c8c97ee4d8d1d290c

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Mon, 21 Oct 2019 13:18:54 GMT
Content-Encoding
gzip
X-Amz-Cf-Pop
FRA2-C2
X-Cache
Miss from cloudfront
Connection
keep-alive
Request-ID
dad73653-ed19-4e0a-b5dc-9d7b325aec2e
Content-Length
246
Pragma
no-cache
Server
nginx
Vary
Accept-Encoding, Origin
Content-Type
application/javascript;charset=utf-8
Via
1.1 1e498d046330e15095a1a2a958463bf5.cloudfront.net (CloudFront)
Cache-Control
no-cache, no-store, max-age=0, must-revalidate
Identification-Source
CENTRAL
Api-Version
v2
X-Amz-Cf-Id
-ppVotJFgeVrQDS96DSCzcu3BC1ml1i3N2HtAxagZtoiLAV5ThHHRQ==
Expires
Sun, 20 Oct 2019 13:18:54 GMT
satellite-5bd31e9364746d6b860045a0.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
883 B
679 B
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5bd31e9364746d6b860045a0.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
179f42988ae4cab77687b27656fc69ab3fa07efbcf6279ac1bef85ac0688e69d

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Intervention
<https://www.chromestatus.com/feature/5718547946799104>; level="warning"

Response headers

date
Mon, 21 Oct 2019 13:18:53 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:25 GMT
server
AkamaiNetStorage
etag
"b3998ca07afe5ed1d91aa042d31218db:1571335285.266836"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
434
expires
Mon, 21 Oct 2019 14:18:53 GMT
satellite-57d9c57464746d4d3e010a86.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
2 KB
1001 B
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-57d9c57464746d4d3e010a86.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
7ee39e6b76207efc841a6882a2af5241490e1a2161c4e13790f78fb4dbfdde28

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Intervention
<https://www.chromestatus.com/feature/5718547946799104>; level="warning"

Response headers

date
Mon, 21 Oct 2019 13:18:53 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:24 GMT
server
AkamaiNetStorage
etag
"458ad1cb95d004fd440d76d56ca277df:1571335284.729373"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
755
expires
Mon, 21 Oct 2019 14:18:53 GMT
satellite-58a48a3864746d025c00d79f.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
156 B
373 B
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-58a48a3864746d025c00d79f.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
7da66ec546c027bfe5b9ca59aa2225cfaa5f0d68f96801f31186878c0fa853f8

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Intervention
<https://www.chromestatus.com/feature/5718547946799104>; level="warning"

Response headers

date
Mon, 21 Oct 2019 13:18:53 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:24 GMT
server
AkamaiNetStorage
etag
"bbf4e24515459a70357a852ca14861ff:1571335284.953002"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
129
expires
Mon, 21 Oct 2019 14:18:53 GMT
satellite-5cb8c2a664746d2308000a38.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
628 B
673 B
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5cb8c2a664746d2308000a38.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
c74679537a89890b260d93e19aad5f4cc95a230623a945ffcc3d981fc13a1adf

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:23 GMT
server
AkamaiNetStorage
etag
"d0c9f868e386e1a9e35ae77ce39994c4:1571335283.733684"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
427
expires
Mon, 21 Oct 2019 14:18:54 GMT
satellite-5ced369c64746d5ad2000705.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
802 B
663 B
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5ced369c64746d5ad2000705.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
3e84bcc6469e170029339c0b60b522671ca5d4298578308ec882df95f7badd9c

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:23 GMT
server
AkamaiNetStorage
etag
"95e1885cf743f564cb30ce957416ea37:1571335283.968406"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
417
expires
Mon, 21 Oct 2019 14:18:54 GMT
satellite-5da0c41564746d1a08001540.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
421 B
515 B
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5da0c41564746d1a08001540.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
e28195ef556c2e1f2d22ff939f487f10a32e608255bbd541be3eda5883b414c3

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:24 GMT
server
AkamaiNetStorage
etag
"c6bf9762b7fcef23638a4087e99a0057:1571335284.374693"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
270
expires
Mon, 21 Oct 2019 14:18:54 GMT
lia-scripts-head-min.js
jnet.i.lithium.com/t5/scripts/572EC0AEEDB9258EC5107B121EC8036F/
12 KB
4 KB
Script
General
Full URL
https://jnet.i.lithium.com/t5/scripts/572EC0AEEDB9258EC5107B121EC8036F/lia-scripts-head-min.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),
Reverse DNS
Software
Apache /
Resource Hash
1bc61ec53e5af2299b45821748c5d3984ed56fa406cd1c49531ef1d25bdc30ce
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
last-modified
Fri, 20 Sep 2019 20:35:44 GMT
server
Apache
vary
Accept-Encoding
x-cache
HIT
content-type
text/javascript;charset=UTF-8
status
200
cache-control
s-maxage=18
strict-transport-security
max-age=31536000;includeSubDomains
accept-ranges
bytes
content-length
4088
expires
Sat, 19 Sep 2020 20:37:21 GMT
id
junipernetworks.d2.sc.omtrdc.net/
3 B
311 B
XHR
General
Full URL
https://junipernetworks.d2.sc.omtrdc.net/id?d_visid_ver=3.1.2&d_fieldgroup=A&mcorgid=D206123F524450F50A490D45%40AdobeOrg&mid=35836098749383461002240898189079157993&ts=1571663934002
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
52.49.100.189 Dublin, Ireland, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
ec2-52-49-100-189.eu-west-1.compute.amazonaws.com
Software
jag /
Resource Hash
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 1; mode=block

Request headers

Sec-Fetch-Mode
cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Type
application/x-www-form-urlencoded

Response headers

status
200
date
Mon, 21 Oct 2019 13:18:53 GMT
x-content-type-options
nosniff
server
jag
xserver
anedge-64d5676c7b-7x6j4
vary
Origin
x-c
master-1047.I1d1c81.M0-302
p3p
CP="This is not a P3P policy"
access-control-allow-origin
https://forums.juniper.net
cache-control
no-cache, no-store, max-age=0, no-transform, private
access-control-allow-credentials
true
content-type
application/x-javascript
content-length
3
x-xss-protection
1; mode=block
ibs:dpid=411&dpuuid=Xa2wPgAAFBu0Yzx0
dpm.demdex.net/
Redirect Chain
  • https://cm.everesttech.net/cm/dd?d_uuid=40611432642373395391657003048716690702
  • https://dpm.demdex.net/ibs:dpid=411&dpuuid=Xa2wPgAAFBu0Yzx0
42 B
840 B
Image
General
Full URL
https://dpm.demdex.net/ibs:dpid=411&dpuuid=Xa2wPgAAFBu0Yzx0
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
52.30.78.155 Dublin, Ireland, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
ec2-52-30-78-155.eu-west-1.compute.amazonaws.com
Software
/
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubDomains

Request headers

Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

DCS
dcs-prod-irl1-v048-08ea54992.edge-irl1.demdex.com 5.61.0.20191015084456 2ms (+1ms)
Pragma
no-cache
Strict-Transport-Security
max-age=31536000; includeSubDomains
X-TID
ulkwp4K0Sds=
P3P
policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT"
Cache-Control
no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private
Connection
keep-alive
Content-Type
image/gif
Content-Length
42
Expires
Thu, 01 Jan 1970 00:00:00 GMT

Redirect headers

Date
Mon, 21 Oct 2019 13:18:53 GMT
Server
AMO-cookiemap/1.1
P3P
CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM"
Location
https://dpm.demdex.net/ibs:dpid=411&dpuuid=Xa2wPgAAFBu0Yzx0
Cache-Control
no-cache
Connection
Keep-Alive
Keep-Alive
timeout=15,max=100
Content-Length
0
fbevents.js
connect.facebook.net/en_US/
103 KB
22 KB
Script
General
Full URL
https://connect.facebook.net/en_US/fbevents.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5cb8c2a664746d2308000a38.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),
Reverse DNS
Software
/
Resource Hash
9404cee30e4489a7ed4d6de2dd92aa8e4386fd5ff1c81ebcea77f581952eac31
Security Headers
Name Value
Content-Security-Policy default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
Strict-Transport-Security max-age=31536000; preload; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security
max-age=31536000; preload; includeSubDomains
content-encoding
gzip
x-content-type-options
nosniff
status
200
alt-svc
h3-23=":443"; ma=3600
content-length
22458
x-xss-protection
0
pragma
public
x-fb-debug
9LbhJYzqUafrwz9qmZ4HDRNhb8q7fXt1MM5ApUMTvvWp3Z9QWj/E8lrNHMBcR5YK5sgLb/VAFeVgDSTd9xFQ7g==
x-fb-trip-id
1850256238
x-frame-options
DENY
date
Mon, 21 Oct 2019 13:18:54 GMT
vary
Accept-Encoding
content-type
application/x-javascript; charset=utf-8
cache-control
public, max-age=1200
content-security-policy
default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
expires
Sat, 01 Jan 2000 00:00:00 GMT
878544ee83.css
use.fontawesome.com/
1 KB
684 B
Stylesheet
General
Full URL
https://use.fontawesome.com/878544ee83.css
Requested by
Host: use.fontawesome.com
URL: https://use.fontawesome.com/878544ee83.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
23.111.9.35 Phoenix, United States, ASN33438 (HIGHWINDS2 - Highwinds Network Group, Inc., US),
Reverse DNS
Software
NetDNA-cache/2.2 /
Resource Hash
9e5b8d4ced66c172dc84f16051eee4bac1e0fc60781c1ea05d73072b3cc7ddf1

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
last-modified
Thu, 06 Jul 2017 20:04:23 GMT
server
NetDNA-cache/2.2
x-amz-request-id
A344FC7528604F7C
etag
W/"44b78b10e53fb4ffb2d9c54f11d4eb0f"
x-cache
HIT
content-type
text/css
status
200
cache-control
max-age=0, private, must-revalidate
x-amz-id-2
2O2jLjyz2hoYGjr/0Qq7Vz15Mi0dqmJQ0l9ESseCYTzubqtko+p55qm02Zu3fRHhKSQAZJBSlpo=
font-awesome-css.min.css
use.fontawesome.com/releases/v4.7.0/css/
30 KB
8 KB
Stylesheet
General
Full URL
https://use.fontawesome.com/releases/v4.7.0/css/font-awesome-css.min.css
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
23.111.9.35 Phoenix, United States, ASN33438 (HIGHWINDS2 - Highwinds Network Group, Inc., US),
Reverse DNS
Software
NetDNA-cache/2.2 /
Resource Hash
5b9573e1023da775390e9284ec0eb1c606df9b468a28980055b4a6aa804f4350

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
last-modified
Tue, 25 Oct 2016 17:21:58 GMT
server
NetDNA-cache/2.2
status
200
etag
W/"36082410df2ef7f83932219089dc1443"
vary
Origin, Access-Control-Request-Headers, Access-Control-Request-Method, Accept-Encoding
access-control-allow-methods
GET
content-type
text/css
access-control-allow-origin
*
access-control-max-age
3000
cache-control
max-age=31556926
x-cache
HIT
css
fonts.googleapis.com/
2 KB
504 B
Stylesheet
General
Full URL
https://fonts.googleapis.com/css?family=Lato:300,400,700
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81e::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
ESF /
Resource Hash
f7d6b1c8e88874fb2696fc3128ea91fc6f47915466ea9f566ab2c39fcebffbd6
Security Headers
Name Value
Strict-Transport-Security max-age=31536000
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security
max-age=31536000
content-encoding
br
last-modified
Mon, 21 Oct 2019 13:18:54 GMT
server
ESF
link
<https://fonts.gstatic.com>; rel=preconnect; crossorigin
status
200
date
Mon, 21 Oct 2019 13:18:54 GMT
x-frame-options
SAMEORIGIN
content-type
text/css; charset=utf-8
access-control-allow-origin
*
cache-control
private, max-age=86400, stale-while-revalidate=604800
timing-allow-origin
*
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
x-xss-protection
0
expires
Mon, 21 Oct 2019 13:18:54 GMT
uwt.js
static.ads-twitter.com/
5 KB
2 KB
Script
General
Full URL
https://static.ads-twitter.com/uwt.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5ced369c64746d5ad2000705.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
151.101.112.157 Frankfurt am Main, Germany, ASN54113 (FASTLY - Fastly, US),
Reverse DNS
Software
/
Resource Hash
319949c8c08b86e9c35ea542c0dc0c30cedaa9b8d3d3c3327a36c91aefbd8af5

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
age
18361
x-cache
HIT
p3p
CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status
200
content-length
1954
x-served-by
cache-hhn4065-HHN
last-modified
Tue, 23 Jan 2018 20:09:00 GMT
x-timer
S1571663934.245293,VS0,VE0
etag
"b7b33882a4f3ffd5cbf07434f3137166+gzip"
vary
Accept-Encoding,Host
content-type
application/javascript; charset=utf-8
via
1.1 varnish
cache-control
no-cache
accept-ranges
bytes
oct.js
static.ads-twitter.com/
Redirect Chain
  • https://platform.twitter.com/oct.js
  • https://static.ads-twitter.com/oct.js
5 KB
2 KB
Script
General
Full URL
https://static.ads-twitter.com/oct.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
151.101.112.157 Frankfurt am Main, Germany, ASN54113 (FASTLY - Fastly, US),
Reverse DNS
Software
/
Resource Hash
319949c8c08b86e9c35ea542c0dc0c30cedaa9b8d3d3c3327a36c91aefbd8af5

Request headers

Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
age
18359
x-cache
HIT
p3p
CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status
200
content-length
1954
x-served-by
cache-hhn4065-HHN
last-modified
Tue, 23 Jan 2018 20:09:00 GMT
x-timer
S1571663934.263571,VS0,VE0
etag
"b7b33882a4f3ffd5cbf07434f3137166+gzip"
vary
Accept-Encoding,Host
content-type
application/javascript; charset=utf-8
via
1.1 varnish
cache-control
no-cache
accept-ranges
bytes

Redirect headers

Access-Control-Allow-Origin
*
Date
Mon, 21 Oct 2019 13:18:54 GMT
Server
ECS (fcn/41AD)
Content-Length
0
Location
https://static.ads-twitter.com/oct.js
Access-Control-Allow-Methods
GET
P3P
CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
/
attr.ml-api.io/
Redirect Chain
  • https://s.ml-attr.com/getuid?https%3a%2f%2fattr.ml-api.io%2f%3fdomain%3djuniper.net%26pId%3d%24UID
  • https://secure.adnxs.com/getuid?https%3a%2f%2fattr.ml-api.io%2f%3fdomain%3djuniper.net%26pId%3d%24UID
  • https://secure.adnxs.com/bounce?%2Fgetuid%3Fhttps%253a%252f%252fattr.ml-api.io%252f%253fdomain%253djuniper.net%2526pId%253d%2524UID
  • https://attr.ml-api.io/?domain=juniper.net&pId=4919953082322347275
4 B
484 B
Image
General
Full URL
https://attr.ml-api.io/?domain=juniper.net&pId=4919953082322347275
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
13.225.78.79 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-13-225-78-79.fra2.r.cloudfront.net
Software
/
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Mon, 21 Oct 2019 13:18:55 GMT
Via
1.1 c7015d60d4f8f2170aaaa75e69e40618.cloudfront.net (CloudFront)
X-Amz-Cf-Pop
FRA2-C2
x-amzn-RequestId
32bafaa7-baa8-4566-b363-87057195e495
X-Cache
Miss from cloudfront
Content-Type
image/jpeg
X-Amzn-Trace-Id
Root=1-5dadb03e-a23a03ed7aad77c38e87bb77;Sampled=0
Connection
keep-alive
x-amz-apigw-id
B6h51GQJoAMFccw=
Content-Length
4
X-Amz-Cf-Id
gYhHvl36Ij5UA0DtALAeyQapFJiskv-eNscBEpTYi56yjoAb02pCgQ==

Redirect headers

Pragma
no-cache
Date
Mon, 21 Oct 2019 13:18:56 GMT
X-Proxy-Origin
144.76.109.30; 144.76.109.30; 373.bm-nginx-loadbalancer.mgmt.ams1; *.adnxs.com; 185.33.220.102:80
AN-X-Request-Uuid
12e23b4f-a19c-4081-b111-dfe96fa32da5
Server
nginx/1.13.4
Access-Control-Allow-Origin
*
P3P
policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Location
https://attr.ml-api.io/?domain=juniper.net&pId=4919953082322347275
Cache-Control
no-store, no-cache, private
Access-Control-Allow-Credentials
true
Connection
keep-alive
Content-Type
text/html; charset=utf-8
Content-Length
0
X-XSS-Protection
0
Expires
Sat, 15 Nov 2008 16:00:00 GMT
lia-scripts-head-min.js
jnet.i.lithium.com/t5/scripts/211F6EC4D6F385A1FE3DDCF161E416CD/
4 KB
2 KB
Script
General
Full URL
https://jnet.i.lithium.com/t5/scripts/211F6EC4D6F385A1FE3DDCF161E416CD/lia-scripts-head-min.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),
Reverse DNS
Software
ECS (fcn/418B) /
Resource Hash
8febd8b0e9b817a31d401574d8f8aaeb5003d76c2c1afa9da932fa0990685b53
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
last-modified
Fri, 20 Sep 2019 20:34:31 GMT
server
ECS (fcn/418B)
vary
Accept-Encoding
x-cache
HIT
content-type
text/javascript;charset=UTF-8
status
200
cache-control
s-maxage=12655
strict-transport-security
max-age=31536000;includeSubDomains
content-length
1464
expires
Sun, 20 Sep 2020 15:32:30 GMT
jsapi
www.google.ca/
26 KB
7 KB
Script
General
Full URL
https://www.google.ca/jsapi
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81b::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
GSE /
Resource Hash
04cc38228e78bcd321b02a1db468d35e557f12251aae38a9b2f1814f2761b9b4
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
x-content-type-options
nosniff
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
server
GSE
x-frame-options
SAMEORIGIN
content-type
text/javascript; charset=utf-8
status
200
cache-control
private, max-age=3600, must-revalidate
vary
Accept-Encoding
content-length
6425
x-xss-protection
1; mode=block
expires
Mon, 21 Oct 2019 13:18:54 GMT
437764526963678
connect.facebook.net/signals/config/
281 KB
65 KB
Script
General
Full URL
https://connect.facebook.net/signals/config/437764526963678?v=2.9.5&r=stable
Requested by
Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),
Reverse DNS
Software
/
Resource Hash
711484d0904f76b29c4cbf14e3e7d11c818545fdf95c19112c2ef1bd3e0680b8
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; preload; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security
max-age=31536000; preload; includeSubDomains
content-encoding
gzip
x-content-type-options
nosniff
status
200
alt-svc
h3-23=":443"; ma=3600
content-length
66280
x-xss-protection
0
pragma
public
x-fb-debug
pZGS4bnavCzec4DHVgpYFP8wBaDZBN2CpeyktdImSa4dtsBLo7y7nBaB47gPrhj16L/LKZbFI04oYBfiIMFitw==
x-fb-trip-id
1850256238
x-frame-options
DENY
date
Mon, 21 Oct 2019 13:18:54 GMT
vary
Accept-Encoding
content-type
application/x-javascript; charset=utf-8
cache-control
public, max-age=1200
expires
Sat, 01 Jan 2000 00:00:00 GMT
fontawesome-webfont.woff2
use.fontawesome.com/releases/v4.7.0/fonts/
75 KB
76 KB
Font
General
Full URL
https://use.fontawesome.com/releases/v4.7.0/fonts/fontawesome-webfont.woff2
Requested by
Host: use.fontawesome.com
URL: https://use.fontawesome.com/878544ee83.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
23.111.9.35 Phoenix, United States, ASN33438 (HIGHWINDS2 - Highwinds Network Group, Inc., US),
Reverse DNS
Software
NetDNA-cache/2.2 /
Resource Hash
2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe

Request headers

Sec-Fetch-Mode
cors
Referer
https://use.fontawesome.com/878544ee83.css
Origin
https://forums.juniper.net
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
last-modified
Mon, 17 Jul 2017 16:24:59 GMT
server
NetDNA-cache/2.2
status
200
etag
"af7ae505a9eed503f8b8e6982036873e"
vary
Origin, Access-Control-Request-Headers, Access-Control-Request-Method, Accept-Encoding
access-control-allow-methods
GET
content-type
application/font-woff2
access-control-allow-origin
*
access-control-max-age
3000
cache-control
max-age=31556926
x-cache
HIT
accept-ranges
bytes
content-length
77160
fontawesome-webfont.woff2
jnet.i.lithium.com/html/assets/fonts/
55 KB
56 KB
Font
General
Full URL
https://jnet.i.lithium.com/html/assets/fonts/fontawesome-webfont.woff2?v=4.3.0
Requested by
Host: use.fontawesome.com
URL: https://use.fontawesome.com/878544ee83.js
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),
Reverse DNS
Software
ECS (fcn/40D8) /
Resource Hash
aadc3580d2b64ff5a7e6f1425587db4e8b033efcbf8f5c332ca52a5ed580c87c
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode
cors
Referer
https://jnet.i.lithium.com/skins/3844011/78d9481934a9081393f958263d2558df/juniperresponsive.css
Origin
https://forums.juniper.net
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
last-modified
Fri, 20 Sep 2019 20:27:50 GMT
server
ECS (fcn/40D8)
status
200
etag
W/"56780-1569011270000"
strict-transport-security
max-age=31536000;includeSubDomains
x-cache
HIT
content-type
application/octet-stream
access-control-allow-origin
*
accept-ranges
bytes
content-length
56780
fontawesome.woff
jnet.i.lithium.com/skins/3844011/fonts/
0
0
Font
General
Full URL
https://jnet.i.lithium.com/skins/3844011/fonts/fontawesome.woff
Requested by
Host: use.fontawesome.com
URL: https://use.fontawesome.com/878544ee83.js
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),
Reverse DNS
Software
Apache /
Resource Hash
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode
cors
Referer
https://jnet.i.lithium.com/skins/3844011/78d9481934a9081393f958263d2558df/juniperresponsive.css
Origin
https://forums.juniper.net
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

status
404
date
Mon, 21 Oct 2019 13:18:54 GMT
server
Apache
access-control-allow-origin
*
content-length
866
strict-transport-security
max-age=31536000;includeSubDomains
content-type
text/html;charset=utf-8
json
junipernetworks.tt.omtrdc.net/m2/junipernetworks/mbox/
537 B
799 B
XHR
General
Full URL
https://junipernetworks.tt.omtrdc.net/m2/junipernetworks/mbox/json?mbox=target-global-mbox&mboxSession=cf70bd4818734394a6bc3507976b0df0&mboxPC=&mboxPage=beccad6e12614607999378cf5963b927&mboxRid=9d51e88b837d4d3c8222d00ff507f34d&mboxVersion=1.6.2&mboxCount=1&mboxTime=1571671134191&mboxHost=forums.juniper.net&mboxURL=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&mboxReferrer=&browserHeight=1200&browserWidth=1600&browserTimeOffset=120&screenHeight=1200&screenWidth=1600&colorDepth=24&devicePixelRatio=1&screenOrientation=landscape&profile.isp=true&profile.audience=Bot&profile.audience_segment=&at_property=731b0e75-98c0-3152-d94c-88331af4fd48&mboxMCSDID=526E1CAC99412436-0A4138FF57CADCDD&vst.trk=junipernetworks.d2.sc.omtrdc.net&vst.trks=junipernetworks.d2.sc.omtrdc.net&mboxMCGVID=35836098749383461002240898189079157993&mboxAAMB=6G1ynYcLPuiQxYZrsz_pkqfLG9yMXBpb2zX5dvJdYQJzPXImdj0y&mboxMCGLH=6
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/mbox-contents-ba151bac91f2b7214d881fb194e167b525fadece.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
66.117.29.3 , United States, ASN15224 (OMNITURE - Adobe Systems Inc., US),
Reverse DNS
Software
/
Resource Hash
ffa161118fe5c86651a1086172071bfe65d3c22968af6e2cfdfc450b8051770d

Request headers

Sec-Fetch-Mode
cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:53 GMT
status
200
vary
Origin, Access-Control-Request-Method, Access-Control-Request-Headers
content-type
application/json;charset=UTF-8
access-control-allow-origin
https://forums.juniper.net
cache-control
no-cache
access-control-allow-credentials
true
timing-allow-origin
*
content-length
537
x-request-id
9d51e88b837d4d3c8222d00ff507f34d
adsct
t.co/i/
43 B
449 B
Image
General
Full URL
https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1lnh&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957
Security Headers
Name Value
Strict-Transport-Security max-age=0
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
x-content-type-options
nosniff
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
content-length
65
x-xss-protection
0
x-response-time
121
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:54 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
strict-transport-security
max-age=0
content-type
image/gif;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
c8d0b280c8bbf40823452698b765fc70
x-transaction
0046b239008d7604
expires
Tue, 31 Mar 1981 05:00:00 GMT
adsct
t.co/i/
43 B
124 B
Image
General
Full URL
https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1oeb&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957
Security Headers
Name Value
Strict-Transport-Security max-age=0
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
x-content-type-options
nosniff
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
content-length
65
x-xss-protection
0
x-response-time
108
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:54 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
strict-transport-security
max-age=0
content-type
image/gif;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
c8d0b280c8bbf40823452698b765fc70
x-transaction
008fcf3c002ecfe8
expires
Tue, 31 Mar 1981 05:00:00 GMT
adsct
t.co/i/
43 B
125 B
Image
General
Full URL
https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=nvrg6&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957
Security Headers
Name Value
Strict-Transport-Security max-age=0
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
x-content-type-options
nosniff
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
content-length
65
x-xss-protection
0
x-response-time
115
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:54 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
strict-transport-security
max-age=0
content-type
image/gif;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
c8d0b280c8bbf40823452698b765fc70
x-transaction
0097975300546c75
expires
Tue, 31 Mar 1981 05:00:00 GMT
adsct
t.co/i/
43 B
124 B
Image
General
Full URL
https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o29di&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957
Security Headers
Name Value
Strict-Transport-Security max-age=0
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
x-content-type-options
nosniff
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
content-length
65
x-xss-protection
0
x-response-time
110
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:54 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
strict-transport-security
max-age=0
content-type
image/gif;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
c8d0b280c8bbf40823452698b765fc70
x-transaction
00147ea200551856
expires
Tue, 31 Mar 1981 05:00:00 GMT
adsct
t.co/i/
43 B
119 B
Image
General
Full URL
https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o2i9x&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957
Security Headers
Name Value
Strict-Transport-Security max-age=0
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
x-content-type-options
nosniff
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
content-length
65
x-xss-protection
0
x-response-time
110
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:54 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
strict-transport-security
max-age=0
content-type
image/gif;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
c8d0b280c8bbf40823452698b765fc70
x-transaction
00927b2d00fb33c2
expires
Tue, 31 Mar 1981 05:00:00 GMT
/
www.facebook.com/tr/
44 B
246 B
Image
General
Full URL
https://www.facebook.com/tr/?id=437764526963678&ev=PageView&dl=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&rl=&if=false&ts=1571663934302&cd[jnpr_vId]=gxUxgn1A2amUgo3KlIV32HqHtyKywD8Y-1571663934&sw=1600&sh=1200&v=2.9.5&r=stable&ec=0&o=29&fbp=fb.1.1571663934301.918616283&it=1571663934145&coo=false&rqm=GET
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f11c:8183:face:b00c:0:25de , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),
Reverse DNS
Software
proxygen-bolt /
Resource Hash
10d8d42d73a02ddb877101e72fbfa15a0ec820224d97cedee4cf92d571be5caa
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubDomains

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
last-modified
Fri, 21 Dec 2012 00:00:01 GMT
server
proxygen-bolt
strict-transport-security
max-age=31536000; includeSubDomains
content-type
image/gif
status
200
cache-control
no-cache, must-revalidate, max-age=0
alt-svc
h3-23=":443"; ma=3600
content-length
44
expires
Mon, 21 Oct 2019 13:18:54 GMT
button_lithium_logo.png
jnet.i.lithium.com/skins/images/DD51985ABEA4648409E8F4747DB8C33F/responsive_peak/images/
2 KB
2 KB
Image
General
Full URL
https://jnet.i.lithium.com/skins/images/DD51985ABEA4648409E8F4747DB8C33F/responsive_peak/images/button_lithium_logo.png
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),
Reverse DNS
Software
ECS (fcn/40DA) /
Resource Hash
06999de90eb62434c9e26cc7b0b70c3db1602e5b3ebea36b7dd6cb9e4ebbd784
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
last-modified
Fri, 20 Sep 2019 20:27:43 GMT
server
ECS (fcn/40DA)
strict-transport-security
max-age=31536000;includeSubDomains
x-cache
HIT
content-type
image/png;charset=UTF-8
status
200
cache-control
s-maxage=452705
accept-ranges
bytes
content-length
1707
expires
Tue, 20 Oct 2020 13:18:54 GMT
jnpr.min.js
forums.juniper.net/html/assets/scripts/
Redirect Chain
  • https://forums.juniper.net/assets/scripts/jnpr.min.js
  • https://forums.juniper.net/html/assets/scripts/jnpr.min.js
0
0
Script
General
Full URL
https://forums.juniper.net/html/assets/scripts/jnpr.min.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),
Reverse DNS
jnet.lithium.com
Software
Apache /
Resource Hash
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Mon, 21 Oct 2019 13:18:55 GMT
Vary
Origin,Access-Control-Request-Headers,Access-Control-Request-Method,Access-Control-Allow-Credentials,Access-Control-Max-Age
Server
Apache
Connection
close
Content-Length
930
Strict-Transport-Security
max-age=31536000;includeSubDomains
Content-Type
text/html;charset=utf-8

Redirect headers

Location
https://forums.juniper.net/html/assets/scripts/jnpr.min.js
Date
Mon, 21 Oct 2019 13:18:54 GMT
Server
Apache
Connection
close
Content-Length
266
Strict-Transport-Security
max-age=31536000;includeSubDomains
Content-Type
text/html; charset=iso-8859-1
footer-injection.js
forums.juniper.net/html/assets/scripts/
Redirect Chain
  • https://forums.juniper.net/assets/scripts/footer-injection.js
  • https://forums.juniper.net/html/assets/scripts/footer-injection.js
0
0
Script
General
Full URL
https://forums.juniper.net/html/assets/scripts/footer-injection.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),
Reverse DNS
jnet.lithium.com
Software
Apache /
Resource Hash
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Mon, 21 Oct 2019 13:18:55 GMT
Vary
Origin,Access-Control-Request-Headers,Access-Control-Request-Method,Access-Control-Allow-Credentials,Access-Control-Max-Age
Server
Apache
Connection
close
Content-Length
946
Strict-Transport-Security
max-age=31536000;includeSubDomains
Content-Type
text/html;charset=utf-8

Redirect headers

Location
https://forums.juniper.net/html/assets/scripts/footer-injection.js
Date
Mon, 21 Oct 2019 13:18:55 GMT
Server
Apache
Connection
close
Content-Length
274
Strict-Transport-Security
max-age=31536000;includeSubDomains
Content-Type
text/html; charset=iso-8859-1
lia-scripts-common-min.js
jnet.i.lithium.com/t5/scripts/BE8CB1DF7619C9CB31E35C81CB4C0EC0/
329 KB
89 KB
Script
General
Full URL
https://jnet.i.lithium.com/t5/scripts/BE8CB1DF7619C9CB31E35C81CB4C0EC0/lia-scripts-common-min.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),
Reverse DNS
Software
Apache /
Resource Hash
081de2455a7c07a455ae28fec0acf0db473c515d1d38b49fda402724febc6da7
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:55 GMT
content-encoding
gzip
last-modified
Fri, 20 Sep 2019 20:26:56 GMT
server
Apache
vary
Accept-Encoding
x-cache
HIT
content-type
text/javascript;charset=UTF-8
status
200
cache-control
s-maxage=82
strict-transport-security
max-age=31536000;includeSubDomains
accept-ranges
bytes
content-length
91306
expires
Sat, 19 Sep 2020 20:33:48 GMT
lia-scripts-body-min.js
jnet.i.lithium.com/t5/scripts/2E0711A75768E4784ED602DBD284206F/
1 KB
600 B
Script
General
Full URL
https://jnet.i.lithium.com/t5/scripts/2E0711A75768E4784ED602DBD284206F/lia-scripts-body-min.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),
Reverse DNS
Software
ECS (fcn/41A8) /
Resource Hash
18a02257219987458dc60f3fc2284ce0ceba4affa260c51d66d0b6e815e0a90f
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
last-modified
Fri, 20 Sep 2019 20:37:55 GMT
server
ECS (fcn/41A8)
vary
Accept-Encoding
x-cache
HIT
content-type
text/javascript;charset=UTF-8
status
200
cache-control
s-maxage=457382
strict-transport-security
max-age=31536000;includeSubDomains
accept-ranges
bytes
content-length
516
expires
Tue, 20 Oct 2020 13:18:54 GMT
fontawesome.ttf
jnet.i.lithium.com/skins/3844011/fonts/
0
0
Font
General
Full URL
https://jnet.i.lithium.com/skins/3844011/fonts/fontawesome.ttf
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),
Reverse DNS
Software
Apache /
Resource Hash
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode
cors
Referer
https://jnet.i.lithium.com/skins/3844011/78d9481934a9081393f958263d2558df/juniperresponsive.css
Origin
https://forums.juniper.net
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

status
404
date
Mon, 21 Oct 2019 13:18:54 GMT
server
Apache
access-control-allow-origin
*
content-length
866
strict-transport-security
max-age=31536000;includeSubDomains
content-type
text/html;charset=utf-8
nav-search.svg
www.juniper.net/assets/svg/
604 B
744 B
Image
General
Full URL
https://www.juniper.net/assets/svg/nav-search.svg
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),
Reverse DNS
Software
Apache /
Resource Hash
513a1cdd025b3086aa57881e2c801d57b76154c11975cc9283a9a3b480650722
Security Headers
Name Value
X-Frame-Options SAMEORIGIN

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://www.juniper.net/documentation/assets/css/style/style.min.css
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
vary
Accept-Encoding
status
200
content-length
361
x-ua-compatible
IE=edge,chrome=1
last-modified
Wed, 20 Jul 2016 17:19:39 GMT
server
Apache
x-frame-options
SAMEORIGIN
access-control-max-age
1000
access-control-allow-methods
POST, GET, OPTIONS, DELETE, PUT
content-type
image/svg+xml
access-control-allow-origin
https://partners.juniper.net
cache-control
public, max-age=160930
accept-ranges
bytes
access-control-allow-headers
x-requested-with, Content-Type, origin, authorization, accept, client-security-token
nav-search-white.svg
www.juniper.net/assets/svg/
1 KB
1 KB
Image
General
Full URL
https://www.juniper.net/assets/svg/nav-search-white.svg
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),
Reverse DNS
Software
Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43 /
Resource Hash
690217dd4ebde7d6750b11980ac97780557184aa636e8ae5ca6a53aadfbce5b8
Security Headers
Name Value
Content-Security-Policy upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
Strict-Transport-Security max-age=31536000
X-Xss-Protection 1; mode=block

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://www.juniper.net/documentation/assets/css/style/style.min.css
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

content-security-policy
upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
content-encoding
gzip
vary
Accept-Encoding
status
200
strict-transport-security
max-age=31536000
content-length
657
x-xss-protection
1; mode=block
x-ua-compatible
IE=edge,chrome=1
last-modified
Wed, 20 Jul 2016 17:19:39 GMT
server
Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43
date
Mon, 21 Oct 2019 13:18:54 GMT
access-control-max-age
1000
access-control-allow-methods
POST, GET, OPTIONS, PUT
content-type
image/svg+xml
access-control-allow-origin
*
cache-control
public, max-age=143067
accept-ranges
bytes
access-control-allow-headers
x-requested-with, Content-Type, origin, authorization, accept, client-security-token
v.gif
pls.webtype.com/
807 B
1 KB
Image
General
Full URL
https://pls.webtype.com/v.gif?ct=182296,182293,182299,182294,182298,182295,182297,182293,182294,182298,182295,182297,182299,182296,182299,182298,182293,182296,182295,182294,182297,182296,182297,182295,182294,182298,182293,182299&r=71911&p=68690&h=Hzc0I5MIWElYX3SnOIHSGw%3d%3d
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_CBC
Server
65.52.62.25 Chicago, United States, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation, US),
Reverse DNS
Software
Microsoft-IIS/8.5 / ASP.NET
Resource Hash
3ca19e57c9a2465ae4df271316ba4d29e7ff7f113a2a2c5297780c0b7a0ac09d

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://cloud.webtype.com/css/05cb80fc-3221-476f-983d-76dfa0b1370c.css
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Pragma
no-cache
Date
Mon, 21 Oct 2019 13:18:54 GMT
Server
Microsoft-IIS/8.5
X-AspNet-Version
4.0.30319
X-Powered-By
ASP.NET
Content-Type
image/gif
Cache-Control
no-cache
Content-Length
807
Expires
-1
8dede187-f539-4e89-8e5d-d76f5d0095ae
cloud.webtype.com/webtype/ff2/3/
65 KB
65 KB
Font
General
Full URL
https://cloud.webtype.com/webtype/ff2/3/8dede187-f539-4e89-8e5d-d76f5d0095ae?ec_token=8f7c4c4997246fd7fa920371cd943b561cc1376e933e830d08e6b0683939639d404785f456ee325751018e71943647ae782803b571f76a4f99f7a69ad60de620815d74f862eece7f227ffe36b6f147fa2b31f695cc15970eca36239817181a29ea965395e032cd50d8bcc8b099a1626213eb724dfd4684b9557a15c5e2021686a30eae0c2d0ea656970a0c0c4ce2ae2c712caf2dc5f9c018ecb5745d83293ecd895dc071daf39dd538d429fffa183b83b31c38c8abaeb7ec5e8e3b0ac0f33e82655a5bf4fb9401a18e2abf64fec6a5945249a755e2098321fce89fbe6ab4cd2eec3ef0c1337e8a3d20160631b99ac177110468caa17059&ec_token=8f7c4c4997246fd7fa920376cc943b5654522473d8a897cacca97149c4e47f6f58194b50d81812299938889f52af0c1606db01f5be73b0deef52167fa79f12b243aff40a15ac84109f59783d30e511148a6dae4a711358f22b6206a2f996042606d5449df7366ee850657c2e998ae60e1825a00958d3ce1c5e7085a3d6eb82a8614189a4023ff9c5bdd7b05a25fe732e7b1b66d3387e3b492e8886adbde3cfee77939e8d1f63817ab735b2504ec31754c9241fa74730508eca7af76aeb3c0a684994a21e0356e79ee6b3bb4ab55048106ca56cd7bb487524c384b9adf60e1944e2450c73f7e1b30ae197ac26
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
93.184.220.41 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),
Reverse DNS
Software
ECS (fcn/40B6) /
Resource Hash
c85e7ce68f3a78005c8c4603e3312b48ab1465bfdc86b397941295aa75299f2e

Request headers

Sec-Fetch-Mode
cors
Referer
https://cloud.webtype.com/css/05cb80fc-3221-476f-983d-76dfa0b1370c.css
Origin
https://forums.juniper.net
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
last-modified
Fri, 23 Oct 2015 21:29:02 GMT
server
ECS (fcn/40B6)
etag
"2872188931"
status
200
x-cache
HIT
content-type
application/octet-stream
access-control-allow-origin
*
cache-control
max-age=604800
accept-ranges
bytes
content-length
66108
expires
Mon, 28 Oct 2019 13:18:54 GMT
Lato-Regular.woff2
jnet.i.lithium.com/html/assets/
178 KB
179 KB
Font
General
Full URL
https://jnet.i.lithium.com/html/assets/Lato-Regular.woff2
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),
Reverse DNS
Software
ECS (fcn/41AE) /
Resource Hash
983b0caf336e8542214fc17019a4fc5e0360864b92806ca14d55c1fc1c2c5a0f
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode
cors
Referer
https://jnet.i.lithium.com/skins/3844011/78d9481934a9081393f958263d2558df/juniperresponsive.css
Origin
https://forums.juniper.net
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
last-modified
Tue, 25 Sep 2018 18:37:35 GMT
server
ECS (fcn/41AE)
status
200
etag
W/"182708-1537900655000"
strict-transport-security
max-age=31536000;includeSubDomains
x-cache
HIT
content-type
application/octet-stream
access-control-allow-origin
*
accept-ranges
bytes
content-length
182708
cse.js
cse.google.com/cse/
Redirect Chain
  • https://www.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm
  • https://cse.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm
11 KB
4 KB
Script
General
Full URL
https://cse.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:800::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
gws /
Resource Hash
1e76b665a6f0a9668df5358d69d8e88e82e602cbb5d5eb7acb4ea7daa5d5190d
Security Headers
Name Value
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
br
server
gws
x-frame-options
SAMEORIGIN
p3p
CP="This is not a P3P policy! See g.co/p3phelp for more info."
status
200
cache-control
private
content-disposition
attachment; filename="f.txt"
content-type
text/javascript; charset=UTF-8
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
3497
x-xss-protection
0
expires
Mon, 21 Oct 2019 13:18:54 GMT

Redirect headers

date
Mon, 21 Oct 2019 13:18:54 GMT
x-content-type-options
nosniff
server
sffe
status
302
content-type
text/html; charset=UTF-8
location
https://cse.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm
cache-control
private
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
267
x-xss-protection
0
/
www.google.com/uds/
607 B
448 B
Script
General
Full URL
https://www.google.com/uds/?file=search&v=1
Requested by
Host: www.google.ca
URL: https://www.google.ca/jsapi
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
GSE /
Resource Hash
18640403461461c763056c71c9d16db51cfaf8bd64473e8746b7692e25200e12
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Intervention
<https://www.chromestatus.com/feature/5718547946799104>; level="warning"

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
x-content-type-options
nosniff
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
server
GSE
x-frame-options
SAMEORIGIN
content-type
text/javascript; charset=utf-8
status
200
cache-control
private, max-age=3600, must-revalidate
vary
Accept-Encoding
content-length
286
x-xss-protection
1; mode=block
expires
Mon, 21 Oct 2019 13:18:54 GMT
default+en.css
www.google.com/uds/api/search/1.0/bb26211819c995bb58c0620c726c7b45/
45 KB
10 KB
Stylesheet
General
Full URL
https://www.google.com/uds/api/search/1.0/bb26211819c995bb58c0620c726c7b45/default+en.css
Requested by
Host: www.google.ca
URL: https://www.google.ca/jsapi
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
GSE /
Resource Hash
be411113a7cc410c17ca7c311a35166e012b630b56da83341cbed129f6abd6bd
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Fri, 11 Oct 2019 07:25:05 GMT
content-encoding
gzip
x-content-type-options
nosniff
server
GSE
age
885229
x-frame-options
SAMEORIGIN
content-type
text/css; charset=UTF-8
status
200
vary
Accept-Encoding
cache-control
public, max-age=31536000
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
10257
x-xss-protection
1; mode=block
expires
Sat, 10 Oct 2020 07:25:05 GMT
default+en.I.js
www.google.com/uds/api/search/1.0/bb26211819c995bb58c0620c726c7b45/
315 KB
92 KB
Script
General
Full URL
https://www.google.com/uds/api/search/1.0/bb26211819c995bb58c0620c726c7b45/default+en.I.js
Requested by
Host: www.google.ca
URL: https://www.google.ca/jsapi
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
GSE /
Resource Hash
24b74951479c73418c6486173931f2c1b9f56142776dda0a7dc19a9e9884b8a9
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 1; mode=block

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Intervention
<https://www.chromestatus.com/feature/5718547946799104>; level="warning"

Response headers

date
Fri, 18 Oct 2019 15:25:32 GMT
content-encoding
gzip
x-content-type-options
nosniff
server
GSE
age
251602
x-frame-options
SAMEORIGIN
content-type
application/x-javascript; charset=UTF-8
status
200
vary
Accept-Encoding
cache-control
public, max-age=31536000
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
94503
x-xss-protection
1; mode=block
expires
Sat, 17 Oct 2020 15:25:32 GMT
Cookie set dest5.html
junipernetworks.demdex.net/ Frame 7CE4
0
0
Document
General
Full URL
https://junipernetworks.demdex.net/dest5.html?d_nsid=0
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
34.253.43.81 Dublin, Ireland, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
ec2-34-253-43-81.eu-west-1.compute.amazonaws.com
Software
/
Resource Hash
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubDomains

Request headers

Host
junipernetworks.demdex.net
Connection
keep-alive
Pragma
no-cache
Cache-Control
no-cache
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
nested-navigate
Accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site
cross-site
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Accept-Encoding
gzip, deflate, br
Cookie
demdex=40611432642373395391657003048716690702
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
nested-navigate
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

Accept-Ranges
bytes
Cache-Control
max-age=21600
Content-Encoding
gzip
Content-Type
text/html
Expires
Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified
Wed, 16 Oct 2019 08:54:45 GMT
P3P
policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT"
Pragma
no-cache
Set-Cookie
demdex=40611432642373395391657003048716690702;Path=/;Domain=.demdex.net;Expires=Sat, 18-Apr-2020 13:18:54 GMT;Max-Age=15552000
Strict-Transport-Security
max-age=31536000; includeSubDomains
Vary
Accept-Encoding, User-Agent
X-TID
Qdg7+75HRkQ=
Content-Length
2764
Connection
keep-alive
logo.svg
www.juniper.net/assets/svg/
5 KB
2 KB
Image
General
Full URL
https://www.juniper.net/assets/svg/logo.svg
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),
Reverse DNS
Software
Apache /
Resource Hash
2099c9be1d977088b3fa5f862474b7ed87e34c8988f6eaf1a20b15787c9998b6
Security Headers
Name Value
X-Frame-Options SAMEORIGIN

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://www.juniper.net/documentation/assets/css/style/style.min.css
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:54 GMT
content-encoding
gzip
vary
Accept-Encoding
status
200
content-length
2118
x-ua-compatible
IE=edge,chrome=1
last-modified
Wed, 20 Jul 2016 17:19:37 GMT
server
Apache
x-frame-options
SAMEORIGIN
access-control-max-age
1000
access-control-allow-methods
POST, GET, OPTIONS, DELETE, PUT
content-type
image/svg+xml
access-control-allow-origin
https://partners.juniper.net
cache-control
public, max-age=104734
accept-ranges
bytes
access-control-allow-headers
x-requested-with, Content-Type, origin, authorization, accept, client-security-token
J-Nethome.jpg
forums.juniper.net/html/assets/
918 B
918 B
Image
General
Full URL
https://forums.juniper.net/html/assets/J-Nethome.jpg
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),
Reverse DNS
jnet.lithium.com
Software
Apache /
Resource Hash
2aec599bb34eb6dc9628239d56d39f8b9fbf6cea0d7b4272d3a6c18c6ab81e05
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Mon, 21 Oct 2019 13:18:55 GMT
Vary
Origin,Access-Control-Request-Headers,Access-Control-Request-Method,Access-Control-Allow-Credentials,Access-Control-Max-Age
Server
Apache
Connection
close
Content-Length
918
Strict-Transport-Security
max-age=31536000;includeSubDomains
Content-Type
text/html;charset=utf-8
twitter.png
forums.juniper.net/html/assets/svg/png/
Redirect Chain
  • https://forums.juniper.net/assets/svg/png/twitter.png
  • https://forums.juniper.net/html/assets/svg/png/twitter.png
930 B
930 B
Image
General
Full URL
https://forums.juniper.net/html/assets/svg/png/twitter.png
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),
Reverse DNS
jnet.lithium.com
Software
Apache /
Resource Hash
9b8a69e995564719ea29e03b8593d8d18d03c3c8411a0eba1d714afec595d848
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Mon, 21 Oct 2019 13:18:55 GMT
Vary
Origin,Access-Control-Request-Headers,Access-Control-Request-Method,Access-Control-Allow-Credentials,Access-Control-Max-Age
Server
Apache
Connection
close
Content-Length
930
Strict-Transport-Security
max-age=31536000;includeSubDomains
Content-Type
text/html;charset=utf-8

Redirect headers

Location
https://forums.juniper.net/html/assets/svg/png/twitter.png
Date
Mon, 21 Oct 2019 13:18:55 GMT
Server
Apache
Connection
close
Content-Length
266
Strict-Transport-Security
max-age=31536000;includeSubDomains
Content-Type
text/html; charset=iso-8859-1
youtube.png
forums.juniper.net/html/assets/svg/png/
Redirect Chain
  • https://forums.juniper.net/assets/svg/png/youtube.png
  • https://forums.juniper.net/html/assets/svg/png/youtube.png
930 B
930 B
Image
General
Full URL
https://forums.juniper.net/html/assets/svg/png/youtube.png
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),
Reverse DNS
jnet.lithium.com
Software
Apache /
Resource Hash
925ce3258ea45dd475bffbdc02c278e08d6bc4667c685b18c43b8dd0cb8bee5a
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Mon, 21 Oct 2019 13:18:55 GMT
Vary
Origin,Access-Control-Request-Headers,Access-Control-Request-Method,Access-Control-Allow-Credentials,Access-Control-Max-Age
Server
Apache
Connection
close
Content-Length
930
Strict-Transport-Security
max-age=31536000;includeSubDomains
Content-Type
text/html;charset=utf-8

Redirect headers

Location
https://forums.juniper.net/html/assets/svg/png/youtube.png
Date
Mon, 21 Oct 2019 13:18:55 GMT
Server
Apache
Connection
close
Content-Length
266
Strict-Transport-Security
max-age=31536000;includeSubDomains
Content-Type
text/html; charset=iso-8859-1
linkedin-circle.svg
forums.juniper.net/html/assets/svg/
Redirect Chain
  • https://forums.juniper.net/assets/svg/linkedin-circle.svg
  • https://forums.juniper.net/html/assets/svg/linkedin-circle.svg
938 B
938 B
Image
General
Full URL
https://forums.juniper.net/html/assets/svg/linkedin-circle.svg
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),
Reverse DNS
jnet.lithium.com
Software
Apache /
Resource Hash
78a8202e2d22f37c9ed73bb52845944b2776d14a59bd21bd44dca6ca11795495
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Mon, 21 Oct 2019 13:18:55 GMT
Server
Apache
Vary
Origin,Access-Control-Request-Headers,Access-Control-Request-Method,Access-Control-Allow-Credentials,Access-Control-Max-Age
Content-Type
text/html;charset=utf-8
Access-Control-Allow-Origin
*
Connection
close
Strict-Transport-Security
max-age=31536000;includeSubDomains
Content-Length
938

Redirect headers

Location
https://forums.juniper.net/html/assets/svg/linkedin-circle.svg
Date
Mon, 21 Oct 2019 13:18:55 GMT
Server
Apache
Connection
close
Content-Length
270
Strict-Transport-Security
max-age=31536000;includeSubDomains
Content-Type
text/html; charset=iso-8859-1
select-down.svg
www.juniper.net/assets/svg/
626 B
934 B
Image
General
Full URL
https://www.juniper.net/assets/svg/select-down.svg
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),
Reverse DNS
Software
Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43 /
Resource Hash
066d654e9fdae411ba75229bf293bb54156406111dd0f69f789f97a8a8a6502b
Security Headers
Name Value
Content-Security-Policy upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
Strict-Transport-Security max-age=31536000
X-Xss-Protection 1; mode=block

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://www.juniper.net/documentation/assets/css/style/style.min.css
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

content-security-policy
upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
content-encoding
gzip
vary
Accept-Encoding
status
200
strict-transport-security
max-age=31536000
content-length
416
x-xss-protection
1; mode=block
x-ua-compatible
IE=edge,chrome=1
last-modified
Wed, 20 Jul 2016 17:19:47 GMT
server
Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43
date
Mon, 21 Oct 2019 13:18:54 GMT
access-control-max-age
1000
access-control-allow-methods
POST, GET, OPTIONS, PUT
content-type
image/svg+xml
access-control-allow-origin
*
cache-control
public, max-age=152540
accept-ranges
bytes
access-control-allow-headers
x-requested-with, Content-Type, origin, authorization, accept, client-security-token
cse_element__en.js
www.google.com/cse/static/element/b5752d27691147d6/
256 KB
85 KB
Script
General
Full URL
https://www.google.com/cse/static/element/b5752d27691147d6/cse_element__en.js?usqp=CAI%3D
Requested by
Host: cse.google.com
URL: https://cse.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
sffe /
Resource Hash
f50798458e958d44022e68ed50eaf58ee47256a163f3022681fe1c899139d612
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 12:20:46 GMT
content-encoding
gzip
x-content-type-options
nosniff
last-modified
Fri, 20 Sep 2019 16:22:21 GMT
server
sffe
age
3488
vary
Accept-Encoding
content-type
text/javascript
status
200
cache-control
public, max-age=31536000
accept-ranges
bytes
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
86564
x-xss-protection
0
expires
Tue, 20 Oct 2020 12:20:46 GMT
default+en.css
www.google.com/cse/static/element/b5752d27691147d6/
40 KB
9 KB
Stylesheet
General
Full URL
https://www.google.com/cse/static/element/b5752d27691147d6/default+en.css
Requested by
Host: cse.google.com
URL: https://cse.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
sffe /
Resource Hash
40a20291f9b526cba58796a4bbd0256d5663313e02c9d5ab5a842476562b3108
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 12:20:43 GMT
content-encoding
gzip
x-content-type-options
nosniff
last-modified
Fri, 20 Sep 2019 16:22:21 GMT
server
sffe
age
3491
vary
Accept-Encoding
content-type
text/css
status
200
cache-control
public, max-age=31536000
accept-ranges
bytes
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
9042
x-xss-protection
0
expires
Tue, 20 Oct 2020 12:20:43 GMT
default.css
www.google.com/cse/static/style/look/v3/
12 KB
3 KB
Stylesheet
General
Full URL
https://www.google.com/cse/static/style/look/v3/default.css
Requested by
Host: cse.google.com
URL: https://cse.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
sffe /
Resource Hash
8c5519ff6e93dfefc21c8b9c586ceef2060b2161e6be946d5b704341456ef053
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:10:41 GMT
content-encoding
gzip
x-content-type-options
nosniff
last-modified
Tue, 07 May 2019 14:00:00 GMT
server
sffe
age
493
vary
Accept-Encoding
content-type
text/css
status
200
cache-control
public, max-age=3000
accept-ranges
bytes
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
2805
x-xss-protection
0
expires
Mon, 21 Oct 2019 14:00:41 GMT
satellite-5c4d601564746d128d00351a.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
2 KB
1 KB
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5c4d601564746d128d00351a.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
775babc192dd84c190b44f9612ad8a9de10a522c9a178e7f37a623b13974582b

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:55 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:33 GMT
server
AkamaiNetStorage
etag
"79d2fab98e026e15277357ab3735e2ec:1571335293.959717"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
843
expires
Mon, 21 Oct 2019 14:18:55 GMT
satellite-5c86baad64746d44c9006139.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
2 KB
1 KB
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5c86baad64746d44c9006139.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
9093f80f7653038c751be64d054f6159875ac0f6f99935c4008bf3f705abdbee

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:55 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:34 GMT
server
AkamaiNetStorage
etag
"5d575cbc07dd1ec8409e5003819443cb:1571335294.197582"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
856
expires
Mon, 21 Oct 2019 14:18:55 GMT
js
www.googletagmanager.com/gtag/
74 KB
28 KB
Script
General
Full URL
https://www.googletagmanager.com/gtag/js?id=AW-956680084
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:814::2008 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
Google Tag Manager /
Resource Hash
656e1fb71a24f4d230a9ce9ff572e6c7e52382d7bbe666dafb10c12fc2799210
Security Headers
Name Value
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:55 GMT
content-encoding
br
last-modified
Mon, 21 Oct 2019 12:00:00 GMT
server
Google Tag Manager
access-control-allow-headers
Cache-Control
status
200
vary
Accept-Encoding
content-type
application/javascript; charset=UTF-8
access-control-allow-origin
http://www.googletagmanager.com
cache-control
private, max-age=900
access-control-allow-credentials
true
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
28467
x-xss-protection
0
expires
Mon, 21 Oct 2019 13:18:55 GMT
satellite-5a1c307e64746d671f007214.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
970 B
739 B
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5a1c307e64746d671f007214.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
db0031471b3f9181ff21d83674674ac3dd7c128531fae90bc274ad0e17c58c37

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:55 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:33 GMT
server
AkamaiNetStorage
etag
"e98792ce8e8b853475368de93200623c:1571335293.681528"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
493
expires
Mon, 21 Oct 2019 14:18:55 GMT
satellite-57ae0e9e64746d5a2c001384.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
756 B
610 B
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-57ae0e9e64746d5a2c001384.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
4c891889ca55d5cadf9e960d2e40f31f50ac0b6252417a9be7414ff2f26a3880

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:55 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:30 GMT
server
AkamaiNetStorage
etag
"32b2fa1768d41f11552b05c7f7bc9543:1571335290.212682"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
365
expires
Mon, 21 Oct 2019 14:18:55 GMT
satellite-57b12af264746d361f00027e.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
148 B
392 B
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-57b12af264746d361f00027e.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
b8eea75e456823a6e0eebfa1e4f27b56395485fff2bbf27e0344f7bf4fa8e509

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:55 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:28 GMT
server
AkamaiNetStorage
etag
"a29c925184c82cbaaeea213863aa74d1:1571335288.030434"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
147
expires
Mon, 21 Oct 2019 14:18:55 GMT
s-code-contents-aa1e4404cdb04849f2f22e6dd3789ac4f10a9afd.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/
35 KB
13 KB
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/s-code-contents-aa1e4404cdb04849f2f22e6dd3789ac4f10a9afd.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
e931faaef092c8d98a58ac536216378f58e2a17a4833bbe5f9a29e5bbed849f6

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:55 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:22 GMT
server
AkamaiNetStorage
etag
"0c13f2b0bfa3779da7f5bdb2ff4d1d29:1571335282.412724"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
13480
expires
Mon, 21 Oct 2019 14:18:55 GMT
gtm.js
www.googletagmanager.com/
248 KB
48 KB
Script
General
Full URL
https://www.googletagmanager.com/gtm.js?id=GTM-MHNPL3
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:814::2008 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
Google Tag Manager /
Resource Hash
2e4f5dd09499f2da4d8350e694d389f5837bc9a97addae7785a708a1867551a2
Security Headers
Name Value
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:55 GMT
content-encoding
br
last-modified
Mon, 21 Oct 2019 12:00:00 GMT
server
Google Tag Manager
access-control-allow-headers
Cache-Control
status
200
vary
Accept-Encoding
content-type
application/javascript; charset=UTF-8
access-control-allow-origin
http://www.googletagmanager.com
cache-control
private, max-age=900
access-control-allow-credentials
true
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
48762
x-xss-protection
0
expires
Mon, 21 Oct 2019 13:18:55 GMT
pntheon.min.js
secure.rmulus.com/
9 KB
9 KB
Script
General
Full URL
https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5c4d601564746d128d00351a.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-143-204-101-123.fra50.r.cloudfront.net
Software
AmazonS3 /
Resource Hash
8c785b78817298c70c27829e6903d75fac181ed591e3260c4b1fec35f0cd03c0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:04:39 GMT
via
1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
last-modified
Mon, 11 Mar 2019 19:34:03 GMT
server
AmazonS3
age
857
etag
"0e3d80db82062b64ac3e71d661e18282"
x-cache
Hit from cloudfront
content-type
application/javascript
status
200
cache-control
max-age=3600
x-amz-cf-pop
FRA50-C1
accept-ranges
bytes
content-length
9338
x-amz-cf-id
RU7TcYHwdg5UnfP2dMMKZscgCzCZ1_qxWrhzhOJGCZfwiCBWfIdYkQ==
162880915395_1571663933734.gif
forums.juniper.net/beacon/
0
385 B
Image
General
Full URL
https://forums.juniper.net/beacon/162880915395_1571663933734.gif
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),
Reverse DNS
jnet.lithium.com
Software
Apache /
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Security Headers
Name Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Pragma
no-cache
Date
Mon, 21 Oct 2019 13:18:56 GMT
Last-Modified
Fri, 02 Nov 2007 00:36:01 GMT
Server
Apache
Strict-Transport-Security
max-age=31536000;includeSubDomains
Content-Type
image/gif
Cache-Control
private, no-cache, no-cache="Set-Cookie", proxy-revalidate
Connection
close
Content-Length
0
Expires
Thu, 22 Jan 1976 08:28:00 GMT
satellite-5955f42064746d6e6f0053bb.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
378 B
529 B
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5955f42064746d6e6f0053bb.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
7b08b6c86fb4d51c3e96dd3f06ed35c02b7f0662404fb6b14b9b2b0425a9e28a

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:55 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:26 GMT
server
AkamaiNetStorage
etag
"3b6d86978dcd31eae399835883bb4dfa:1571335286.733543"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
283
expires
Mon, 21 Oct 2019 14:18:55 GMT
satellite-5caeb27864746d4fde0010d0.html
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ Frame 8B9A
0
0
Document
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5caeb27864746d4fde0010d0.html
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash

Request headers

:method
GET
:authority
assets.adobedtm.com
:scheme
https
:path
/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5caeb27864746d4fde0010d0.html
pragma
no-cache
cache-control
no-cache
upgrade-insecure-requests
1
user-agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode
nested-navigate
accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site
cross-site
referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
accept-encoding
gzip, deflate, br
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
nested-navigate
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

status
200
accept-ranges
bytes
content-type
text/html
etag
"99efb13f2ce40bcc3d8c60d4557d2185:1571241462.172506"
last-modified
Wed, 16 Oct 2019 15:57:42 GMT
server
AkamaiNetStorage
vary
Accept-Encoding
content-encoding
gzip
content-length
810
cache-control
max-age=3600
expires
Mon, 21 Oct 2019 14:18:55 GMT
date
Mon, 21 Oct 2019 13:18:55 GMT
timing-allow-origin
*
satellite-5d487bc864746d25bd00073a.html
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ Frame 489D
0
0
Document
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5d487bc864746d25bd00073a.html
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash

Request headers

:method
GET
:authority
assets.adobedtm.com
:scheme
https
:path
/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5d487bc864746d25bd00073a.html
pragma
no-cache
cache-control
no-cache
upgrade-insecure-requests
1
user-agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode
nested-navigate
accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site
cross-site
referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
accept-encoding
gzip, deflate, br
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
nested-navigate
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

status
200
accept-ranges
bytes
content-type
text/html
etag
"6f794f7bf8d2cbee9f48532e60fe0435:1571335284.152642"
last-modified
Thu, 17 Oct 2019 18:01:24 GMT
server
AkamaiNetStorage
vary
Accept-Encoding
content-encoding
gzip
cache-control
max-age=3600
expires
Mon, 21 Oct 2019 14:18:55 GMT
date
Mon, 21 Oct 2019 13:18:55 GMT
content-length
654
timing-allow-origin
*
adsct
analytics.twitter.com/i/
31 B
221 B
Script
General
Full URL
https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1lnh&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram
Requested by
Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf
Security Headers
Name Value
Strict-Transport-Security max-age=631138519
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:56 GMT
content-encoding
gzip
x-content-type-options
nosniff
p3p
CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
strict-transport-security
max-age=631138519
content-length
57
x-xss-protection
0
x-response-time
125
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:56 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
content-type
application/javascript;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
b72d2a40f7abbe035d79f11461ece10a
x-transaction
007645c700485450
expires
Tue, 31 Mar 1981 05:00:00 GMT
adsct
analytics.twitter.com/i/
31 B
221 B
Script
General
Full URL
https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1oeb&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram
Requested by
Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf
Security Headers
Name Value
Strict-Transport-Security max-age=631138519
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:56 GMT
content-encoding
gzip
x-content-type-options
nosniff
p3p
CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
strict-transport-security
max-age=631138519
content-length
57
x-xss-protection
0
x-response-time
123
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:56 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
content-type
application/javascript;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
b72d2a40f7abbe035d79f11461ece10a
x-transaction
0037964200d30515
expires
Tue, 31 Mar 1981 05:00:00 GMT
adsct
analytics.twitter.com/i/
31 B
633 B
Script
General
Full URL
https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=nvrg6&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram
Requested by
Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf
Security Headers
Name Value
Strict-Transport-Security max-age=631138519
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:56 GMT
content-encoding
gzip
x-content-type-options
nosniff
p3p
CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
strict-transport-security
max-age=631138519
content-length
57
x-xss-protection
0
x-response-time
117
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:56 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
content-type
application/javascript;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
b72d2a40f7abbe035d79f11461ece10a
x-transaction
0020f90800e6dd6a
expires
Tue, 31 Mar 1981 05:00:00 GMT
adsct
analytics.twitter.com/i/
31 B
220 B
Script
General
Full URL
https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o29di&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram
Requested by
Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf
Security Headers
Name Value
Strict-Transport-Security max-age=631138519
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:56 GMT
content-encoding
gzip
x-content-type-options
nosniff
p3p
CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
strict-transport-security
max-age=631138519
content-length
57
x-xss-protection
0
x-response-time
126
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:56 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
content-type
application/javascript;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
b72d2a40f7abbe035d79f11461ece10a
x-transaction
0000b98e00e61af4
expires
Tue, 31 Mar 1981 05:00:00 GMT
adsct
analytics.twitter.com/i/
31 B
220 B
Script
General
Full URL
https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o2i9x&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram
Requested by
Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf
Security Headers
Name Value
Strict-Transport-Security max-age=631138519
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:56 GMT
content-encoding
gzip
x-content-type-options
nosniff
p3p
CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
strict-transport-security
max-age=631138519
content-length
57
x-xss-protection
0
x-response-time
119
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:56 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
content-type
application/javascript;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
b72d2a40f7abbe035d79f11461ece10a
x-transaction
00b8592f00501d1b
expires
Tue, 31 Mar 1981 05:00:00 GMT
truncated
/
667 B
0
Image
General
Full URL
data:truncated
Protocol
DATA
Server
-, , ASN (),
Reverse DNS
Software
/
Resource Hash
edd8db5c29b96b7a290a5e266d426dca85541b7cd7a62b180e5ec89dc635f05f

Request headers

User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Content-Type
image/jpeg
elqCfg.min.js
img.en25.com/i/
6 KB
3 KB
Script
General
Full URL
https://img.en25.com/i/elqCfg.min.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
95.100.78.166 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a95-100-78-166.deploy.static.akamaitechnologies.com
Software
/ ASP.NET
Resource Hash
6b4ebd6049c806e3eef1bd770b2d8b4fdd75803861ead3584ee753e41988efae
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubDomains
X-Content-Type-Options nosniff

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Strict-Transport-Security
max-age=31536000; includeSubDomains
Content-Encoding
gzip
X-Content-Type-Options
nosniff
X-Powered-By
ASP.NET
P3P
CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
Connection
keep-alive
Content-Length
2115
ETag
"12d7dac15842d51:0"
Pragma
no-cache
Last-Modified
Wed, 24 Jul 2019 19:48:25 GMT
Date
Mon, 21 Oct 2019 13:18:55 GMT
Vary
Accept-Encoding
Content-Type
application/x-javascript
Cache-Control
no-cache, no-store
Accept-Ranges
bytes
Expires
Mon, 21 Oct 2019 13:18:55 GMT
async-ads.js
cse.google.com/adsense/search/
165 KB
57 KB
Script
General
Full URL
https://cse.google.com/adsense/search/async-ads.js
Requested by
Host: www.google.com
URL: https://www.google.com/cse/static/element/b5752d27691147d6/cse_element__en.js?usqp=CAI%3D
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:800::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
sffe /
Resource Hash
b6b12491bd3384604967dba5b6d0d4430484097b7982a988bf78aae31bf9ff76
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:55 GMT
content-encoding
gzip
x-content-type-options
nosniff
server
sffe
etag
"10003670776107828456"
vary
Accept-Encoding
content-type
text/javascript; charset=UTF-8
status
200
cache-control
private, max-age=3600
accept-ranges
bytes
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
x-xss-protection
0
expires
Mon, 21 Oct 2019 13:18:55 GMT
generate_204
www.googleapis.com/
0
143 B
Image
General
Full URL
https://www.googleapis.com/generate_204
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81c::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
/
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

status
204
date
Mon, 21 Oct 2019 13:18:56 GMT
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
0
googlelogo_grey_46x15dp.png
www.google.com/cse/static/images/1x/
919 B
1 KB
Image
General
Full URL
https://www.google.com/cse/static/images/1x/googlelogo_grey_46x15dp.png
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
sffe /
Resource Hash
a844cdc48c7591822e45128a138f1dbba5753a3ca9992bd71c36758d51d0b68e
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Fri, 11 Oct 2019 07:09:42 GMT
x-content-type-options
nosniff
last-modified
Tue, 13 Dec 2016 15:00:00 GMT
server
sffe
age
886153
content-type
image/png
status
200
cache-control
public, max-age=31536000
accept-ranges
bytes
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
919
x-xss-protection
0
expires
Sat, 10 Oct 2020 07:09:42 GMT
generate_204
clients1.google.com/
0
42 B
Image
General
Full URL
https://clients1.google.com/generate_204
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:800::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
/
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

status
204
date
Mon, 21 Oct 2019 13:18:55 GMT
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
0
pntheon.min.js
secure.rmulus.com/
9 KB
9 KB
Script
General
Full URL
https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5c86baad64746d44c9006139.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-143-204-101-123.fra50.r.cloudfront.net
Software
AmazonS3 /
Resource Hash
8c785b78817298c70c27829e6903d75fac181ed591e3260c4b1fec35f0cd03c0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 02:54:44 GMT
via
1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
last-modified
Mon, 11 Mar 2019 19:34:03 GMT
server
AmazonS3
x-amz-cf-pop
FRA50-C1
etag
"0e3d80db82062b64ac3e71d661e18282"
x-cache
Hit from cloudfront
content-type
application/javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
content-length
9338
x-amz-cf-id
SrcIVxm58Di946dD9L0ZzAYKk2XN6_Im0InmDC7vUnBQqvvjIHYzGg==
s4364113760050
junipernetworks.d2.sc.omtrdc.net/b/ss/jnprod/1/JS-2.12.0-D7QN/
43 B
244 B
Image
General
Full URL
https://junipernetworks.d2.sc.omtrdc.net/b/ss/jnprod/1/JS-2.12.0-D7QN/s4364113760050?AQB=1&ndh=1&pf=1&t=21%2F9%2F2019%2015%3A18%3A55%201%20-120&sdid=526E1CAC99412436-0A4138FF57CADCDD&D=D%3D&mid=35836098749383461002240898189079157993&aamlh=6&ce=UTF-8&pageName=forums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&g=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&aamb=6G1ynYcLPuiQxYZrsz_pkqfLG9yMXBpb2zX5dvJdYQJzPXImdj0y&c1=forums.juniper.net&v5=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&v15=D%3DpageName&v30=ISP%20Visitor&v31=ISP%20Visitor&v32=ISP%20Visitor&v33=ISP%20Visitor&v34=ISP%20Visitor&v35=ISP%20Visitor&v36=ISP%20Visitor&v37=ISP%20Visitor&v38=ISP%20Visitor&v39=ISP%20Visitor&v40=ISP%20Visitor&v41=ISP%20Visitor&v42=ISP%20Visitor&v43=ISP%20Visitor&v44=ISP%20Visitor&v45=Bot&v46=ISP%20Visitor&v84=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&s=1600x1200&c=24&j=1.6&v=N&k=Y&bw=1600&bh=1200&mcorgid=D206123F524450F50A490D45%40AdobeOrg&AQE=1
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
52.49.100.189 Dublin, Ireland, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
ec2-52-49-100-189.eu-west-1.compute.amazonaws.com
Software
jag /
Resource Hash
a1ecbaed793a1f564c49c671f2dd0ce36f858534ef6d26b55783a06b884cc506
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 1; mode=block

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:55 GMT
x-content-type-options
nosniff
x-c
master-1047.I1d1c81.M0-302
p3p
CP="This is not a P3P policy"
status
200
content-length
43
x-xss-protection
1; mode=block
pragma
no-cache
last-modified
Tue, 22 Oct 2019 13:18:56 GMT
server
jag
xserver
anedge-64d5676c7b-d6dbt
etag
3375122602796613632-4614826555019093777
vary
*
content-type
image/gif;charset=utf-8
access-control-allow-origin
*
cache-control
no-cache, no-store, max-age=0, no-transform, private
expires
Sun, 20 Oct 2019 13:18:56 GMT
pntheon.min.js
secure.rmulus.com/
9 KB
9 KB
Script
General
Full URL
https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=pgvw&_pdataSource=web&_pqStr=enabled&jnpr_vID=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5a1c307e64746d671f007214.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-143-204-101-123.fra50.r.cloudfront.net
Software
AmazonS3 /
Resource Hash
8c785b78817298c70c27829e6903d75fac181ed591e3260c4b1fec35f0cd03c0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:55 GMT
via
1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
last-modified
Mon, 11 Mar 2019 19:34:03 GMT
server
AmazonS3
age
858
etag
"0e3d80db82062b64ac3e71d661e18282"
x-cache
Hit from cloudfront
content-type
application/javascript
status
200
cache-control
max-age=3600
x-amz-cf-pop
FRA50-C1
accept-ranges
bytes
content-length
9338
x-amz-cf-id
v4dZz83a117tSBKBjOHBZ8tSsy9o0lOMr8oydjSgCVZCnhpUSbiWXA==
activityi;dc_pre=COPm97S4reUCFdCA3godGKEBlg;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-St...
5922977.fls.doubleclick.net/ Frame 5B21
Redirect Chain
  • https://5922977.fls.doubleclick.net/activityi;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-...
  • https://5922977.fls.doubleclick.net/activityi;dc_pre=COPm97S4reUCFdCA3godGKEBlg;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.n...
0
0
Document
General
Full URL
https://5922977.fls.doubleclick.net/activityi;dc_pre=COPm97S4reUCFdCA3godGKEBlg;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=2656885376668.787?
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-57b12a8364746d4d41000291.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
172.217.18.102 , United States, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
fra16s42-in-f6.1e100.net
Software
cafe /
Resource Hash
Security Headers
Name Value
Strict-Transport-Security max-age=21600
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

:method
GET
:authority
5922977.fls.doubleclick.net
:scheme
https
:path
/activityi;dc_pre=COPm97S4reUCFdCA3godGKEBlg;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=2656885376668.787?
pragma
no-cache
cache-control
no-cache
upgrade-insecure-requests
1
user-agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode
nested-navigate
accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site
cross-site
referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
accept-encoding
gzip, deflate, br
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
nested-navigate
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

status
200
p3p
policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
timing-allow-origin
*
date
Mon, 21 Oct 2019 13:18:56 GMT
expires
Fri, 01 Jan 1990 00:00:00 GMT
cache-control
no-cache, must-revalidate
strict-transport-security
max-age=21600
content-type
text/html; charset=UTF-8
pragma
no-cache
x-content-type-options
nosniff
content-encoding
gzip
server
cafe
content-length
496
x-xss-protection
0
set-cookie
test_cookie=CheckForPermission; expires=Mon, 21-Oct-2019 13:33:56 GMT; path=/; domain=.doubleclick.net
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000

Redirect headers

status
302
p3p
policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
timing-allow-origin
*
date
Mon, 21 Oct 2019 13:18:56 GMT
pragma
no-cache
expires
Fri, 01 Jan 1990 00:00:00 GMT
cache-control
no-cache, must-revalidate
follow-only-when-prerender-shown
1
strict-transport-security
max-age=21600
location
https://5922977.fls.doubleclick.net/activityi;dc_pre=COPm97S4reUCFdCA3godGKEBlg;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=2656885376668.787?
content-type
text/html; charset=UTF-8
x-content-type-options
nosniff
server
cafe
content-length
0
x-xss-protection
0
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
activityi;dc_pre=CJH89rS4reUCFY36dwodplMGuA;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Ste...
3872718.fls.doubleclick.net/ Frame 2269
Redirect Chain
  • https://3872718.fls.doubleclick.net/activityi;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-S...
  • https://3872718.fls.doubleclick.net/activityi;dc_pre=CJH89rS4reUCFY36dwodplMGuA;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.ne...
0
0
Document
General
Full URL
https://3872718.fls.doubleclick.net/activityi;dc_pre=CJH89rS4reUCFY36dwodplMGuA;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=5530350572044.805?
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-57b12a8364746d4d41000291.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
216.58.205.230 Mountain View, United States, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
fra15s24-in-f230.1e100.net
Software
cafe /
Resource Hash
Security Headers
Name Value
Strict-Transport-Security max-age=21600
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

:method
GET
:authority
3872718.fls.doubleclick.net
:scheme
https
:path
/activityi;dc_pre=CJH89rS4reUCFY36dwodplMGuA;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=5530350572044.805?
pragma
no-cache
cache-control
no-cache
upgrade-insecure-requests
1
user-agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode
nested-navigate
accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site
cross-site
referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
accept-encoding
gzip, deflate, br
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
nested-navigate
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

status
200
p3p
policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
timing-allow-origin
*
date
Mon, 21 Oct 2019 13:18:56 GMT
expires
Fri, 01 Jan 1990 00:00:00 GMT
cache-control
no-cache, must-revalidate
strict-transport-security
max-age=21600
content-type
text/html; charset=UTF-8
pragma
no-cache
x-content-type-options
nosniff
content-encoding
gzip
server
cafe
content-length
497
x-xss-protection
0
set-cookie
test_cookie=CheckForPermission; expires=Mon, 21-Oct-2019 13:33:56 GMT; path=/; domain=.doubleclick.net
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000

Redirect headers

status
302
p3p
policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
timing-allow-origin
*
date
Mon, 21 Oct 2019 13:18:56 GMT
pragma
no-cache
expires
Fri, 01 Jan 1990 00:00:00 GMT
cache-control
no-cache, must-revalidate
follow-only-when-prerender-shown
1
strict-transport-security
max-age=21600
location
https://3872718.fls.doubleclick.net/activityi;dc_pre=CJH89rS4reUCFY36dwodplMGuA;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=5530350572044.805?
content-type
text/html; charset=UTF-8
x-content-type-options
nosniff
server
cafe
content-length
0
x-xss-protection
0
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
conversion_async.js
www.googleadservices.com/pagead/
24 KB
9 KB
Script
General
Full URL
https://www.googleadservices.com/pagead/conversion_async.js
Requested by
Host: www.googletagmanager.com
URL: https://www.googletagmanager.com/gtag/js?id=AW-956680084
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
216.58.207.66 Mountain View, United States, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
fra16s25-in-f2.1e100.net
Software
cafe /
Resource Hash
04cc99186aa1ed2c9e0989ad7f6a2e180508c8656caef8cd2b153fa8dbba9038
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:56 GMT
content-encoding
gzip
x-content-type-options
nosniff
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
content-disposition
attachment; filename="f.txt"
alt-svc
quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
9198
x-xss-protection
0
server
cafe
etag
4566352449703540938
vary
Accept-Encoding
content-type
text/javascript; charset=UTF-8
cache-control
private, max-age=3600
timing-allow-origin
*
expires
Mon, 21 Oct 2019 13:18:56 GMT
analytics.js
www.google-analytics.com/
43 KB
17 KB
Script
General
Full URL
https://www.google-analytics.com/analytics.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:814::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
Golfe2 /
Resource Hash
dbb67c620eaabf6679a314db18d3ae43037aef71ab27422e6feec08ee987cc0a
Security Headers
Name Value
Strict-Transport-Security max-age=10886400; includeSubDomains; preload
X-Content-Type-Options nosniff

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security
max-age=10886400; includeSubDomains; preload
content-encoding
gzip
x-content-type-options
nosniff
last-modified
Mon, 19 Aug 2019 17:22:41 GMT
server
Golfe2
age
5087
date
Mon, 21 Oct 2019 11:54:09 GMT
vary
Accept-Encoding
content-type
text/javascript
status
200
cache-control
public, max-age=7200
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
17803
expires
Mon, 21 Oct 2019 13:54:09 GMT
wRPiG49f.min.js
scripts.demandbase.com/
57 KB
15 KB
Script
General
Full URL
https://scripts.demandbase.com/wRPiG49f.min.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5955f42064746d6e6f0053bb.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
13.224.196.121 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-13-224-196-121.fra2.r.cloudfront.net
Software
AmazonS3 /
Resource Hash
994f862399526907874323d0bf282947d8c1b6e01c2ef047da2b5521e88eba5b

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

x-amz-version-id
A.YxmHS1afpEPfcAb8JPNPnT_ezOR3oU
content-encoding
gzip
last-modified
Tue, 15 Oct 2019 15:25:03 GMT
server
AmazonS3
age
596
date
Mon, 21 Oct 2019 13:09:01 GMT
vary
Accept-Encoding
x-cache
Hit from cloudfront
content-type
application/javascript
status
200
cache-control
public, max-age=3600
x-amz-cf-pop
FRA2-C1
x-amz-cf-id
76coy_bpIwzNt8MH96da5yYNozrmP-jCNA1XXvMEuFIrWjQOJK3kQw==
via
1.1 172e63b20fb363ed969de28ae3937e21.cloudfront.net (CloudFront)
jnpr
lookups.rmulus.com/pntheon/ip/
408 B
597 B
XHR
General
Full URL
https://lookups.rmulus.com/pntheon/ip/jnpr
Requested by
Host: secure.rmulus.com
URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
34.201.194.177 Ashburn, United States, ASN14618 (AMAZON-AES - Amazon.com, Inc., US),
Reverse DNS
ec2-34-201-194-177.compute-1.amazonaws.com
Software
Apache /
Resource Hash
2e982e3c73e6f28505203e3efd647293555d1b34940f19626bd054bd6f2efc57

Request headers

Sec-Fetch-Mode
cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Access-Control-Allow-Origin
*
Date
Mon, 21 Oct 2019 13:18:56 GMT
Server
Apache
Connection
keep-alive
Content-Length
408
Content-Type
text/html; charset=UTF-8
37366
tags.bluekai.com/site/
Redirect Chain
  • https://s1229.t.eloqua.com/visitor/v200/svrGP?pps=3&siteid=1229&ref2=elqNone&tzo=-60&ms=99&optin=disabled
  • https://s1229.t.eloqua.com/visitor/v200/svrGP.aspx?pps=3&siteid=1229&ref2=elqNone&tzo=-60&ms=99&optin=disabled&elqCookie=1
  • https://tags.bluekai.com/site/37366?vid=679a745650d24cc085eb77d8965b2862
62 B
745 B
Image
General
Full URL
https://tags.bluekai.com/site/37366?vid=679a745650d24cc085eb77d8965b2862
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_ECDSA, AES_256_GCM
Server
104.111.241.32 , Netherlands, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a104-111-241-32.deploy.static.akamaitechnologies.com
Software
/
Resource Hash
0af3aae90b7de9fdceee2ab421378ea2f54c74be81ef43fc6c1790a032755d80

Request headers

Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Mon, 21 Oct 2019 13:18:56 GMT
Connection
keep-alive
P3P
CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Content-Length
62
BK-Server
20d6
Content-Type
image/gif

Redirect headers

Pragma
no-cache
Strict-Transport-Security
max-age=31536000;
X-Content-Type-Options
nosniff
Date
Mon, 21 Oct 2019 13:18:57 GMT
P3P
CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
Location
//tags.bluekai.com/site/37366?vid=679a745650d24cc085eb77d8965b2862
Cache-Control
private,no-cache, no-store
Content-Type
text/html; charset=utf-8
Content-Length
183
Expires
-1
jnpr
lookups.rmulus.com/pntheon/ip/
408 B
597 B
XHR
General
Full URL
https://lookups.rmulus.com/pntheon/ip/jnpr
Requested by
Host: secure.rmulus.com
URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
34.201.194.177 Ashburn, United States, ASN14618 (AMAZON-AES - Amazon.com, Inc., US),
Reverse DNS
ec2-34-201-194-177.compute-1.amazonaws.com
Software
Apache /
Resource Hash
2e982e3c73e6f28505203e3efd647293555d1b34940f19626bd054bd6f2efc57

Request headers

Sec-Fetch-Mode
cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Access-Control-Allow-Origin
*
Date
Mon, 21 Oct 2019 13:18:56 GMT
Server
Apache
Connection
keep-alive
Content-Length
408
Content-Type
text/html; charset=UTF-8
/
secure.rmulus.com/ Frame F684
0
0
Document
General
Full URL
https://secure.rmulus.com/?_pevId=x6EmWOEL6OyACr3CNgUaa8BgLIQkgHGj-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=enabled&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dpgvw%26_pdataSource%3Dweb%26_pqStr%3Denabled%26jnpr_vID%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=pgvw&_pdataSource=web&jnpr_vID=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pidSource=secure.rmulus.com&_pidName=rmulusId&_pclIp=disabled&_plkpPrfl=disabled
Requested by
Host: secure.rmulus.com
URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-143-204-101-123.fra50.r.cloudfront.net
Software
AmazonS3 /
Resource Hash

Request headers

:method
GET
:authority
secure.rmulus.com
:scheme
https
:path
/?_pevId=x6EmWOEL6OyACr3CNgUaa8BgLIQkgHGj-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=enabled&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dpgvw%26_pdataSource%3Dweb%26_pqStr%3Denabled%26jnpr_vID%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=pgvw&_pdataSource=web&jnpr_vID=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pidSource=secure.rmulus.com&_pidName=rmulusId&_pclIp=disabled&_plkpPrfl=disabled
pragma
no-cache
cache-control
no-cache
upgrade-insecure-requests
1
user-agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode
nested-navigate
accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site
cross-site
referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
accept-encoding
gzip, deflate, br
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
nested-navigate
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

status
200
content-type
text/html
content-length
10988
last-modified
Tue, 17 Sep 2019 20:54:41 GMT
accept-ranges
bytes
server
AmazonS3
date
Mon, 21 Oct 2019 13:16:42 GMT
etag
"08de75273b3f0e392260aff0b5943cb6"
cache-control
max-age=3600
x-cache
Hit from cloudfront
via
1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
x-amz-cf-pop
FRA50-C1
x-amz-cf-id
2jrto8ItF_S9ARYXEHeWUckLFjMDKWrpTegqzWCfAjSyDwftLYHUng==
age
135
collect
www.google-analytics.com/
35 B
99 B
Image
General
Full URL
https://www.google-analytics.com/collect?v=1&_v=j79&a=997604986&t=pageview&_s=1&dl=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&ul=en-us&de=UTF-8&dt=Page%20not%20found%20-%20J-Net%20Community&sd=24-bit&sr=1600x1200&vp=1600x1200&je=0&_u=YGDAgEAB~&jid=2105878077&gjid=1782864985&cid=1588292560.1571663936&tid=UA-2343305-4&_gid=1491227351.1571663936&z=1031613913
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:814::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
Golfe2 /
Resource Hash
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015
Security Headers
Name Value
X-Content-Type-Options nosniff

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Fri, 11 Oct 2019 14:20:40 GMT
x-content-type-options
nosniff
last-modified
Sun, 17 May 1998 03:00:00 GMT
server
Golfe2
age
860296
status
200
content-type
image/gif
access-control-allow-origin
*
cache-control
no-cache, no-store, must-revalidate
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
35
expires
Mon, 01 Jan 1990 00:00:00 GMT
collect
stats.g.doubleclick.net/r/
35 B
102 B
Image
General
Full URL
https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3&v=1&_v=j79&tid=UA-2343305-4&cid=1588292560.1571663936&jid=2105878077&gjid=1782864985&_gid=1491227351.1571663936&_u=YGDAgEAB~&z=570881387
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:400c:c00::9a Brussels, Belgium, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
Golfe2 /
Resource Hash
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015
Security Headers
Name Value
Strict-Transport-Security max-age=10886400; includeSubDomains; preload
X-Content-Type-Options nosniff

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
strict-transport-security
max-age=10886400; includeSubDomains; preload
x-content-type-options
nosniff
last-modified
Sun, 17 May 1998 03:00:00 GMT
server
Golfe2
date
Mon, 21 Oct 2019 13:18:56 GMT
status
200
content-type
image/gif
access-control-allow-origin
*
cache-control
no-cache, no-store, must-revalidate
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
35
expires
Fri, 01 Jan 1990 00:00:00 GMT
collect
www.google-analytics.com/
35 B
93 B
Image
General
Full URL
https://www.google-analytics.com/collect?v=1&_v=j79&a=997604986&t=pageview&_s=1&dl=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&ul=en-us&de=UTF-8&dt=Page%20not%20found%20-%20J-Net%20Community&sd=24-bit&sr=1600x1200&vp=1600x1200&je=0&_u=YGDAgEAB~&jid=824571634&gjid=1638796004&cid=1588292560.1571663936&tid=UA-2343305-1&_gid=1491227351.1571663936&cd5=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&cd19=gtm%20%2B%20dtm&z=717810465
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:814::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
Golfe2 /
Resource Hash
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015
Security Headers
Name Value
X-Content-Type-Options nosniff

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Fri, 11 Oct 2019 14:20:40 GMT
x-content-type-options
nosniff
last-modified
Sun, 17 May 1998 03:00:00 GMT
server
Golfe2
age
860296
status
200
content-type
image/gif
access-control-allow-origin
*
cache-control
no-cache, no-store, must-revalidate
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
35
expires
Mon, 01 Jan 1990 00:00:00 GMT
ga-audiences
www.google.de/ads/
Redirect Chain
  • https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3&v=1&_v=j79&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&gjid=1638796004&_gid=1491227351.1571663936&_u=YGDAgEAB~&z=358956172
  • https://www.google.com/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&_v=j79&z=358956172
  • https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&_v=j79&z=358956172&slf_rd=1&random=1075004916
42 B
109 B
Image
General
Full URL
https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&_v=j79&z=358956172&slf_rd=1&random=1075004916
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:56 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT

Redirect headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:56 GMT
x-content-type-options
nosniff
server
cafe
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
302
content-type
text/html; charset=UTF-8
location
https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&_v=j79&z=358956172&slf_rd=1&random=1075004916
cache-control
no-cache, no-store, must-revalidate
timing-allow-origin
*
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
0
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/
2 KB
1 KB
Script
General
Full URL
https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663936175&cv=9&fst=1571663936175&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&tiba=Page%20not%20found%20-%20J-Net%20Community&async=1&rfmt=3&fmt=4
Requested by
Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion_async.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:818::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
7bde86f22329283dc816191116fb2c332cfdb506928e6551cae7273356d8d238
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:56 GMT
content-encoding
gzip
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status
200
cache-control
no-cache, must-revalidate
content-disposition
attachment; filename="f.txt"
content-type
text/javascript; charset=UTF-8
alt-svc
quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
1011
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
ip.json
api.company-target.com/api/v2/
423 B
926 B
XHR
General
Full URL
https://api.company-target.com/api/v2/ip.json?referrer=&page=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&page_title=Page%20not%20found%20-%20J-Net%20Community&key=b04729caf27be3d1f33d91242883c6cd22de73c9&src=tag
Requested by
Host: scripts.demandbase.com
URL: https://scripts.demandbase.com/wRPiG49f.min.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
143.204.101.126 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-143-204-101-126.fra50.r.cloudfront.net
Software
nginx /
Resource Hash
5b4f7ddf2cbd5ef8611f5fd90529a7c0b42bedb4c6f5a8f08d1c328b55043372

Request headers

Sec-Fetch-Mode
cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:56 GMT
content-encoding
gzip
x-amz-cf-pop
FRA50-C1
x-cache
Miss from cloudfront
status
200
access-control-max-age
1728000
request-id
6f08852f-6bd2-4dac-acb4-2210f34a3f1c
x-amz-cf-id
JmrDMf5AcCUJxs6tAgm06sGZRGbBBJoR8CzauiFaRjd6UTsTErs8PA==
pragma
no-cache
access-control-allow-origin
https://forums.juniper.net
server
nginx
vary
Accept-Encoding, Origin
access-control-allow-methods
GET, POST, OPTIONS
content-type
application/json;charset=utf-8
via
1.1 d55780b776b171387055eca956ae29a9.cloudfront.net (CloudFront)
access-control-expose-headers
cache-control
no-cache, no-store, max-age=0, must-revalidate
access-control-allow-credentials
true
api-version
v2
access-control-allow-headers
DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
identification-source
CENTRAL
expires
Sun, 20 Oct 2019 13:18:56 GMT
ip.json
api.company-target.com/api/v2/
423 B
927 B
XHR
General
Full URL
https://api.company-target.com/api/v2/ip.json?referrer=&page=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&page_title=Page%20not%20found%20-%20J-Net%20Community&key=2f583737f4267c258cb4cda0abb7f0add09816ce&src=tag
Requested by
Host: scripts.demandbase.com
URL: https://scripts.demandbase.com/wRPiG49f.min.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
143.204.101.126 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-143-204-101-126.fra50.r.cloudfront.net
Software
nginx /
Resource Hash
5b4f7ddf2cbd5ef8611f5fd90529a7c0b42bedb4c6f5a8f08d1c328b55043372

Request headers

Sec-Fetch-Mode
cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:56 GMT
content-encoding
gzip
x-amz-cf-pop
FRA50-C1
x-cache
Miss from cloudfront
status
200
access-control-max-age
1728000
request-id
7bf7097f-4065-45e8-9e2a-d1cae60cc3c7
x-amz-cf-id
nooeqNMj4VasaG3WO2FWCDAgEJliYSwkA3RpfZQ5nI6nbpBAkeOZAA==
pragma
no-cache
access-control-allow-origin
https://forums.juniper.net
server
nginx
vary
Accept-Encoding, Origin
access-control-allow-methods
GET, POST, OPTIONS
content-type
application/json;charset=utf-8
via
1.1 d55780b776b171387055eca956ae29a9.cloudfront.net (CloudFront)
access-control-expose-headers
cache-control
no-cache, no-store, max-age=0, must-revalidate
access-control-allow-credentials
true
api-version
v2
access-control-allow-headers
DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
identification-source
CENTRAL
expires
Sun, 20 Oct 2019 13:18:56 GMT
validateCookie
segments.company-target.com/
Redirect Chain
  • https://match.prod.bidr.io/cookie-sync/demandbase
  • https://match.prod.bidr.io/cookie-sync/demandbase?_bee_ppp=1
  • https://segments.company-target.com/log?vendor=choca&user_id=AAIRN067W2EAAD8-oGx-9g
  • https://segments.company-target.com/validateCookie?vendor=choca&user_id=AAIRN067W2EAAD8-oGx-9g&verifyHash=c98c9f6f68c4dea536d7f502bae74584fd247a32
26 B
405 B
Image
General
Full URL
https://segments.company-target.com/validateCookie?vendor=choca&user_id=AAIRN067W2EAAD8-oGx-9g&verifyHash=c98c9f6f68c4dea536d7f502bae74584fd247a32
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
54.230.95.207 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-54-230-95-207.fra2.r.cloudfront.net
Software
/
Resource Hash
3b7b8a4b411ddf8db9bacc2f3aabf406f8e4c0c087829b336ca331c40adfdff1

Request headers

Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Mon, 21 Oct 2019 13:18:56 GMT
Via
1.1 7e6ac12144acebd1fc302708f2ecfad6.cloudfront.net (CloudFront)
X-Amz-Cf-Pop
FRA2
Vary
Origin
X-Cache
Miss from cloudfront
Content-Type
image/gif
Transfer-Encoding
chunked
Connection
keep-alive
trace-id
41753079f94b2a42
X-Amz-Cf-Id
z9c-stADGr14aQrVNH14t5kfVKwrJmoQC_0WWR0uvSOYKRmpNsJItg==

Redirect headers

Date
Mon, 21 Oct 2019 13:18:56 GMT
Via
1.1 7e6ac12144acebd1fc302708f2ecfad6.cloudfront.net (CloudFront)
X-Amz-Cf-Pop
FRA2
Vary
Origin
X-Cache
Miss from cloudfront
Location
/validateCookie?vendor=choca&user_id=AAIRN067W2EAAD8-oGx-9g&verifyHash=c98c9f6f68c4dea536d7f502bae74584fd247a32
Connection
keep-alive
trace-id
03e766abe7d405a1
Content-Length
0
X-Amz-Cf-Id
iZi25IPojJaCCaTAI6LoM6g4CzJbVs773axEX3g5DPCfq-r9dpeHTg==
collect
www.google-analytics.com/
35 B
93 B
Image
General
Full URL
https://www.google-analytics.com/collect?v=1&_v=j79&a=997604986&t=event&ni=1&_s=2&dl=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&ul=en-us&de=UTF-8&dt=Page%20not%20found%20-%20J-Net%20Community&sd=24-bit&sr=1600x1200&vp=1600x1200&je=0&ec=Demandbase&ea=API%20Resolution&el=IP%20API&_u=aGDAgEAB~&jid=&gjid=&cid=1588292560.1571663936&tid=UA-2343305-1&_gid=1491227351.1571663936&cd5=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&cd19=gtm%20%2B%20dtm&cd6=(Non-Company%20Visitor)&cd7=(Non-Company%20Visitor)&cd8=(Non-Company%20Visitor)&cd9=Bot&cd10=(Non-Company%20Visitor)&cd11=(Non-Company%20Visitor)&cd12=(Non-Company%20Visitor)&cd13=(Non-Company%20Visitor)&cd14=(Non-Company%20Visitor)&cd15=(Non-Company%20Visitor)&cd16=(Non-Company%20Visitor)&cd17=(Non-Company%20Visitor)&cd18=Germany&z=205781812
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:814::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
Golfe2 /
Resource Hash
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015
Security Headers
Name Value
X-Content-Type-Options nosniff

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Fri, 11 Oct 2019 14:20:40 GMT
x-content-type-options
nosniff
last-modified
Sun, 17 May 1998 03:00:00 GMT
server
Golfe2
age
860296
status
200
content-type
image/gif
access-control-allow-origin
*
cache-control
no-cache, no-store, must-revalidate
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
35
expires
Mon, 01 Jan 1990 00:00:00 GMT
/
www.google.com/pagead/1p-user-list/956680084/
42 B
122 B
Image
General
Full URL
https://www.google.com/pagead/1p-user-list/956680084/?random=1571663936175&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&tiba=Page%20not%20found%20-%20J-Net%20Community&async=1&fmt=3&is_vtc=1&random=4165226488&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:56 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.de/pagead/1p-user-list/956680084/
42 B
110 B
Image
General
Full URL
https://www.google.de/pagead/1p-user-list/956680084/?random=1571663936175&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&tiba=Page%20not%20found%20-%20J-Net%20Community&async=1&fmt=3&is_vtc=1&random=4165226488&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:56 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
profiler
lookups.rmulus.com/pntheon/profiles/
25 B
205 B
XHR
General
Full URL
https://lookups.rmulus.com/pntheon/profiles/profiler?_pclientId=jnpr&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vid&_plkpPrfl=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by
Host: secure.rmulus.com
URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
34.201.194.177 Ashburn, United States, ASN14618 (AMAZON-AES - Amazon.com, Inc., US),
Reverse DNS
ec2-34-201-194-177.compute-1.amazonaws.com
Software
Apache /
Resource Hash
851bd834d24a84c0f4780789e868a65f9db8d9655a7a0cac039dbf3b65ad873f

Request headers

Sec-Fetch-Mode
cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Access-Control-Allow-Origin
*
Date
Mon, 21 Oct 2019 13:18:56 GMT
Server
Apache
Connection
keep-alive
Content-Length
25
Content-Type
application/json
profiler
lookups.rmulus.com/pntheon/profiles/
25 B
205 B
XHR
General
Full URL
https://lookups.rmulus.com/pntheon/profiles/profiler?_pclientId=jnpr&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pmatchedip&_plkpPrfl=144.76.109.30
Requested by
Host: secure.rmulus.com
URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
34.201.194.177 Ashburn, United States, ASN14618 (AMAZON-AES - Amazon.com, Inc., US),
Reverse DNS
ec2-34-201-194-177.compute-1.amazonaws.com
Software
Apache /
Resource Hash
851bd834d24a84c0f4780789e868a65f9db8d9655a7a0cac039dbf3b65ad873f

Request headers

Sec-Fetch-Mode
cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Access-Control-Allow-Origin
*
Date
Mon, 21 Oct 2019 13:18:56 GMT
Server
Apache
Connection
keep-alive
Content-Length
25
Content-Type
application/json
/
research.juniper.net/ Frame 3286
11 KB
11 KB
Document
General
Full URL
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by
Host: secure.rmulus.com
URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-143-204-101-123.fra50.r.cloudfront.net
Software
AmazonS3 /
Resource Hash
39d48454cc249ca68918b13d93558d1027516393b06df1c104557532da1bc02e

Request headers

:method
GET
:authority
research.juniper.net
:scheme
https
:path
/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
pragma
no-cache
cache-control
no-cache
upgrade-insecure-requests
1
user-agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode
nested-navigate
accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site
same-site
referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
accept-encoding
gzip, deflate, br
cookie
jnpr_vID=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936; s_cc=true; _gcl_au=1.1.1602773843.1571663936; _ga=GA1.2.1588292560.1571663936; _gid=GA1.2.1491227351.1571663936; _gat_b=1; _gat_jn=1
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
nested-navigate
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

status
200
content-type
text/html
content-length
10988
last-modified
Tue, 17 Sep 2019 20:54:41 GMT
accept-ranges
bytes
server
AmazonS3
date
Mon, 21 Oct 2019 13:17:01 GMT
etag
"08de75273b3f0e392260aff0b5943cb6"
cache-control
max-age=3600
x-cache
Hit from cloudfront
via
1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
x-amz-cf-pop
FRA50-C1
x-amz-cf-id
2d2lmLW8oZ-4x09mO5l6DadVbpFyjCOpHkGawp23Y0NYWGbX2f5ORA==
age
907
/
research.juniper.net/ Frame 436D
11 KB
11 KB
Document
General
Full URL
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by
Host: secure.rmulus.com
URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-143-204-101-123.fra50.r.cloudfront.net
Software
AmazonS3 /
Resource Hash
39d48454cc249ca68918b13d93558d1027516393b06df1c104557532da1bc02e

Request headers

:method
GET
:authority
research.juniper.net
:scheme
https
:path
/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
pragma
no-cache
cache-control
no-cache
upgrade-insecure-requests
1
user-agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode
nested-navigate
accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site
same-site
referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
accept-encoding
gzip, deflate, br
cookie
jnpr_vID=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936; s_cc=true; _gcl_au=1.1.1602773843.1571663936; _ga=GA1.2.1588292560.1571663936; _gid=GA1.2.1491227351.1571663936; _gat_b=1; _gat_jn=1
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
nested-navigate
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

status
200
content-type
text/html
content-length
10988
last-modified
Tue, 17 Sep 2019 20:54:41 GMT
accept-ranges
bytes
server
AmazonS3
date
Mon, 21 Oct 2019 13:17:01 GMT
etag
"08de75273b3f0e392260aff0b5943cb6"
cache-control
max-age=3600
x-cache
Hit from cloudfront
via
1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
x-amz-cf-pop
FRA50-C1
x-amz-cf-id
r8V80_1Fd2VXhtraiFYFS7mfO5Ir5PGtMh2vzl3pI8XgbCvRP7hnkQ==
age
907
_pclPrint.min.js
research.juniper.net/ Frame 3286
38 KB
39 KB
Script
General
Full URL
https://research.juniper.net/_pclPrint.min.js
Requested by
Host: research.juniper.net
URL: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-143-204-101-123.fra50.r.cloudfront.net
Software
AmazonS3 /
Resource Hash
c5aff3477022f781ee765989cdf6abbdd986f331064c59f5655fab8c6f9796c7

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 12:31:24 GMT
via
1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
last-modified
Tue, 23 Jul 2019 21:53:49 GMT
server
AmazonS3
age
2853
etag
"2b2becfbac440238e8ca3a6f7a3b2c50"
x-cache
Hit from cloudfront
content-type
application/javascript
status
200
cache-control
max-age=3600
x-amz-cf-pop
FRA50-C1
accept-ranges
bytes
content-length
39179
x-amz-cf-id
qmVCQPG8LmUjQCxWs9c7gBRZRN0wgevndJvmfS_14t1d7d-SajtFPQ==
_pclPrint.min.js
research.juniper.net/ Frame 436D
38 KB
39 KB
Script
General
Full URL
https://research.juniper.net/_pclPrint.min.js
Requested by
Host: research.juniper.net
URL: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-143-204-101-123.fra50.r.cloudfront.net
Software
AmazonS3 /
Resource Hash
c5aff3477022f781ee765989cdf6abbdd986f331064c59f5655fab8c6f9796c7

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 12:31:24 GMT
via
1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
last-modified
Tue, 23 Jul 2019 21:53:49 GMT
server
AmazonS3
age
2853
etag
"2b2becfbac440238e8ca3a6f7a3b2c50"
x-cache
Hit from cloudfront
content-type
application/javascript
status
200
cache-control
max-age=3600
x-amz-cf-pop
FRA50-C1
accept-ranges
bytes
content-length
39179
x-amz-cf-id
66ZzXLQDG_K-H2WZk-ISIzG3RNRf7YsDYKjokfDeOCoFpXMcivCv6A==
js
www.googletagmanager.com/gtag/ Frame 3286
74 KB
28 KB
Script
General
Full URL
https://www.googletagmanager.com/gtag/js?id=AW-819694878
Requested by
Host: research.juniper.net
URL: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:814::2008 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
Google Tag Manager /
Resource Hash
acbde4a5a6ca3a99092c40c7d64b1e6a3c170a991a1ae98dd28b590cec53a7c0
Security Headers
Name Value
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
br
last-modified
Mon, 21 Oct 2019 12:00:00 GMT
server
Google Tag Manager
access-control-allow-headers
Cache-Control
status
200
vary
Accept-Encoding
content-type
application/javascript; charset=UTF-8
access-control-allow-origin
http://www.googletagmanager.com
cache-control
private, max-age=900
access-control-allow-credentials
true
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
28466
x-xss-protection
0
expires
Mon, 21 Oct 2019 13:18:57 GMT
js
www.googletagmanager.com/gtag/ Frame 3286
74 KB
28 KB
Script
General
Full URL
https://www.googletagmanager.com/gtag/js?id=AW-956680084
Requested by
Host: research.juniper.net
URL: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:814::2008 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
Google Tag Manager /
Resource Hash
656e1fb71a24f4d230a9ce9ff572e6c7e52382d7bbe666dafb10c12fc2799210
Security Headers
Name Value
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
br
last-modified
Mon, 21 Oct 2019 12:00:00 GMT
server
Google Tag Manager
access-control-allow-headers
Cache-Control
status
200
vary
Accept-Encoding
content-type
application/javascript; charset=UTF-8
access-control-allow-origin
http://www.googletagmanager.com
cache-control
private, max-age=900
access-control-allow-credentials
true
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
28467
x-xss-protection
0
expires
Mon, 21 Oct 2019 13:18:57 GMT
insight.min.js
research.juniper.net/ Frame 3286
15 KB
15 KB
Script
General
Full URL
https://research.juniper.net/insight.min.js
Requested by
Host: research.juniper.net
URL: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-143-204-101-123.fra50.r.cloudfront.net
Software
AmazonS3 /
Resource Hash
c0f533082d6b784c7f939ad3fbcafc2faa6a88d96f0b076f7a0e28b431995bff

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 12:19:38 GMT
via
1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
last-modified
Fri, 26 Jul 2019 18:43:20 GMT
server
AmazonS3
age
3560
etag
"5b837d1dc3da4d22567332e2fe693e12"
x-cache
Hit from cloudfront
content-type
application/javascript
status
200
cache-control
max-age=3600
x-amz-cf-pop
FRA50-C1
accept-ranges
bytes
content-length
15282
x-amz-cf-id
wEjxZ0RV4Z7eyUaHn_kG-YO_svjNZN8yxGPucO0G4cVsoihg0V2D6g==
fbevents.js
connect.facebook.net/en_US/ Frame 3286
103 KB
22 KB
Script
General
Full URL
https://connect.facebook.net/en_US/fbevents.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),
Reverse DNS
Software
/
Resource Hash
9404cee30e4489a7ed4d6de2dd92aa8e4386fd5ff1c81ebcea77f581952eac31
Security Headers
Name Value
Content-Security-Policy default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
Strict-Transport-Security max-age=31536000; preload; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security
max-age=31536000; preload; includeSubDomains
content-encoding
gzip
x-content-type-options
nosniff
status
200
alt-svc
h3-23=":443"; ma=3600
content-length
22458
x-xss-protection
0
pragma
public
x-fb-debug
9LbhJYzqUafrwz9qmZ4HDRNhb8q7fXt1MM5ApUMTvvWp3Z9QWj/E8lrNHMBcR5YK5sgLb/VAFeVgDSTd9xFQ7g==
x-fb-trip-id
1850256238
x-frame-options
DENY
date
Mon, 21 Oct 2019 13:18:57 GMT
vary
Accept-Encoding
content-type
application/x-javascript; charset=utf-8
cache-control
public, max-age=1200
content-security-policy
default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
expires
Sat, 01 Jan 2000 00:00:00 GMT
uwt.js
static.ads-twitter.com/ Frame 3286
5 KB
2 KB
Script
General
Full URL
https://static.ads-twitter.com/uwt.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
151.101.112.157 Frankfurt am Main, Germany, ASN54113 (FASTLY - Fastly, US),
Reverse DNS
Software
/
Resource Hash
319949c8c08b86e9c35ea542c0dc0c30cedaa9b8d3d3c3327a36c91aefbd8af5

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
age
18364
x-cache
HIT
p3p
CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status
200
content-length
1954
x-served-by
cache-hhn4065-HHN
last-modified
Tue, 23 Jan 2018 20:09:00 GMT
x-timer
S1571663937.066284,VS0,VE0
etag
"b7b33882a4f3ffd5cbf07434f3137166+gzip"
vary
Accept-Encoding,Host
content-type
application/javascript; charset=utf-8
via
1.1 varnish
cache-control
no-cache
accept-ranges
bytes
/
collect.rmulus.com/ Frame 3286
43 B
367 B
Image
General
Full URL
https://collect.rmulus.com/?_pclId=3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937&_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=4c8a59ab63a77a27026bf4490e98a2f1&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&cachebuster=26710060
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
143.204.101.13 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-143-204-101-13.fra50.r.cloudfront.net
Software
AmazonS3 /
Resource Hash
cf4724b2f736ed1a0ae6bc28f1ead963d9cd2c1fd87b6ef32e7799fc1c5c8bda

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Fri, 18 Oct 2019 15:35:22 GMT
via
1.1 c6702f5f3b6e77da6f394e67ef1a6aab.cloudfront.net (CloudFront)
last-modified
Mon, 16 Jan 2017 04:49:32 GMT
server
AmazonS3
age
77937
etag
"ad4b0f606e0f8465bc4c4c170b37e1a3"
x-cache
Hit from cloudfront
content-type
image/gif
status
200
x-amz-cf-pop
FRA50-C1
accept-ranges
bytes
content-length
43
x-amz-cf-id
kL6Cr30P63m5mFrJwMR-kI16Le_Zoa5E4zV_pB8WQAioMJgUVj3GOw==
js
www.googletagmanager.com/gtag/ Frame 436D
74 KB
28 KB
Script
General
Full URL
https://www.googletagmanager.com/gtag/js?id=AW-819694878
Requested by
Host: research.juniper.net
URL: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:814::2008 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
Google Tag Manager /
Resource Hash
acbde4a5a6ca3a99092c40c7d64b1e6a3c170a991a1ae98dd28b590cec53a7c0
Security Headers
Name Value
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
br
last-modified
Mon, 21 Oct 2019 12:00:00 GMT
server
Google Tag Manager
access-control-allow-headers
Cache-Control
status
200
vary
Accept-Encoding
content-type
application/javascript; charset=UTF-8
access-control-allow-origin
http://www.googletagmanager.com
cache-control
private, max-age=900
access-control-allow-credentials
true
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
28466
x-xss-protection
0
expires
Mon, 21 Oct 2019 13:18:57 GMT
js
www.googletagmanager.com/gtag/ Frame 436D
74 KB
28 KB
Script
General
Full URL
https://www.googletagmanager.com/gtag/js?id=AW-956680084
Requested by
Host: research.juniper.net
URL: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:814::2008 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
Google Tag Manager /
Resource Hash
656e1fb71a24f4d230a9ce9ff572e6c7e52382d7bbe666dafb10c12fc2799210
Security Headers
Name Value
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
br
last-modified
Mon, 21 Oct 2019 12:00:00 GMT
server
Google Tag Manager
access-control-allow-headers
Cache-Control
status
200
vary
Accept-Encoding
content-type
application/javascript; charset=UTF-8
access-control-allow-origin
http://www.googletagmanager.com
cache-control
private, max-age=900
access-control-allow-credentials
true
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
28467
x-xss-protection
0
expires
Mon, 21 Oct 2019 13:18:57 GMT
insight.min.js
research.juniper.net/ Frame 436D
15 KB
15 KB
Script
General
Full URL
https://research.juniper.net/insight.min.js
Requested by
Host: research.juniper.net
URL: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-143-204-101-123.fra50.r.cloudfront.net
Software
AmazonS3 /
Resource Hash
c0f533082d6b784c7f939ad3fbcafc2faa6a88d96f0b076f7a0e28b431995bff

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 12:19:38 GMT
via
1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
last-modified
Fri, 26 Jul 2019 18:43:20 GMT
server
AmazonS3
age
3560
etag
"5b837d1dc3da4d22567332e2fe693e12"
x-cache
Hit from cloudfront
content-type
application/javascript
status
200
cache-control
max-age=3600
x-amz-cf-pop
FRA50-C1
accept-ranges
bytes
content-length
15282
x-amz-cf-id
gR1ZjtFjfZ4YkwHsTrje_r2kXtufZ0BFhW4_5kdUWqXcw9rjztMb5A==
fbevents.js
connect.facebook.net/en_US/ Frame 436D
103 KB
22 KB
Script
General
Full URL
https://connect.facebook.net/en_US/fbevents.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),
Reverse DNS
Software
/
Resource Hash
9404cee30e4489a7ed4d6de2dd92aa8e4386fd5ff1c81ebcea77f581952eac31
Security Headers
Name Value
Content-Security-Policy default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
Strict-Transport-Security max-age=31536000; preload; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security
max-age=31536000; preload; includeSubDomains
content-encoding
gzip
x-content-type-options
nosniff
status
200
alt-svc
h3-23=":443"; ma=3600
content-length
22458
x-xss-protection
0
pragma
public
x-fb-debug
9LbhJYzqUafrwz9qmZ4HDRNhb8q7fXt1MM5ApUMTvvWp3Z9QWj/E8lrNHMBcR5YK5sgLb/VAFeVgDSTd9xFQ7g==
x-fb-trip-id
1850256238
x-frame-options
DENY
date
Mon, 21 Oct 2019 13:18:57 GMT
vary
Accept-Encoding
content-type
application/x-javascript; charset=utf-8
cache-control
public, max-age=1200
content-security-policy
default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
expires
Sat, 01 Jan 2000 00:00:00 GMT
uwt.js
static.ads-twitter.com/ Frame 436D
5 KB
2 KB
Script
General
Full URL
https://static.ads-twitter.com/uwt.js
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
151.101.112.157 Frankfurt am Main, Germany, ASN54113 (FASTLY - Fastly, US),
Reverse DNS
Software
/
Resource Hash
319949c8c08b86e9c35ea542c0dc0c30cedaa9b8d3d3c3327a36c91aefbd8af5

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
age
18364
x-cache
HIT
p3p
CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status
200
content-length
1954
x-served-by
cache-hhn4065-HHN
last-modified
Tue, 23 Jan 2018 20:09:00 GMT
x-timer
S1571663937.087518,VS0,VE0
etag
"b7b33882a4f3ffd5cbf07434f3137166+gzip"
vary
Accept-Encoding,Host
content-type
application/javascript; charset=utf-8
via
1.1 varnish
cache-control
no-cache
accept-ranges
bytes
/
collect.rmulus.com/ Frame 436D
43 B
368 B
Image
General
Full URL
https://collect.rmulus.com/?_pclId=3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937&_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=4c8a59ab63a77a27026bf4490e98a2f1&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&cachebuster=31422717
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
143.204.101.13 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS
server-143-204-101-13.fra50.r.cloudfront.net
Software
AmazonS3 /
Resource Hash
cf4724b2f736ed1a0ae6bc28f1ead963d9cd2c1fd87b6ef32e7799fc1c5c8bda

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Fri, 18 Oct 2019 15:35:22 GMT
via
1.1 c6702f5f3b6e77da6f394e67ef1a6aab.cloudfront.net (CloudFront)
last-modified
Mon, 16 Jan 2017 04:49:32 GMT
server
AmazonS3
age
77937
etag
"ad4b0f606e0f8465bc4c4c170b37e1a3"
x-cache
Hit from cloudfront
content-type
image/gif
status
200
x-amz-cf-pop
FRA50-C1
accept-ranges
bytes
content-length
43
x-amz-cf-id
fERUd6f-w4tiXOagwK3795Fy7FaFIBwqfzbCINPXmk6Mcqp5kq8Vcw==
/
px.ads.linkedin.com/collect/ Frame 3286
0
103 B
Script
General
Full URL
https://px.ads.linkedin.com/collect/?time=1571663937092&pid=1318724%2C4751&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%2526_pclPrint%253Dtrue%2526_ptwAids%253Do1oeb%257Cnvrg6%2526_pfbAids%253D340159566928684%257C437764526963678%2526_pliPids%253D1318724%257C4751%2526_pawAids%253DAW-819694878%257CAW-956680084%2526jnpr_vId%253DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%26_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3D%257B%2522not%2520found%2522%253A%2522not%2520found%2522%257D%26_pcityName%3DUnavailable%26_pcompanyName%3DHetzner%2520Online%2520GmbH%26_pcontinentCode%3DEU%26_pcontinentName%3DEurope%26_pcountryISOCode%3DDE%26_pcountryName%3DGermany%26_platitude%3D51.2993%26_plongitude%3D9.491%26_pmatchedIP%3D144.76.109.30%26_ppostalCode%3DNone%26_pstateISOCode%3DUnavailable%26_pstateName%3DUnavailable%26_ptimeZone%3DEurope%252FBerlin%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%257Cnvrg6%26_pfbAids%3D340159566928684%257C437764526963678%26_pliPids%3D1318724%257C4751%26_pawAids%3DAW-819694878%257CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&fmt=js&s=1
Requested by
Host: research.juniper.net
URL: https://research.juniper.net/insight.min.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
2a05:f500:11:101::b93f:9005 , Ireland, ASN14413 (LINKEDIN - LinkedIn Corporation, US),
Reverse DNS
Software
Play /
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
server
Play
vary
Accept-Encoding
x-li-fabric
prod-lor1
status
200
x-li-proto
http/2
x-li-pop
prod-tln1
content-type
application/javascript
content-length
20
x-li-uuid
T+9PFQaszxWAQJfU7ioAAA==
adsct
analytics.twitter.com/i/ Frame 3286
31 B
163 B
Script
General
Full URL
https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1oeb&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=1&tw_document_referrer=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%2526_pclPrint%253Dtrue%2526_ptwAids%253Do1oeb%257Cnvrg6%2526_pfbAids%253D340159566928684%257C437764526963678%2526_pliPids%253D1318724%257C4751%2526_pawAids%253DAW-819694878%257CAW-956680084%2526jnpr_vId%253DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%26_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3D%257B%2522not%2520found%2522%253A%2522not%2520found%2522%257D%26_pcityName%3DUnavailable%26_pcompanyName%3DHetzner%2520Online%2520GmbH%26_pcontinentCode%3DEU%26_pcontinentName%3DEurope%26_pcountryISOCode%3DDE%26_pcountryName%3DGermany%26_platitude%3D51.2993%26_plongitude%3D9.491%26_pmatchedIP%3D144.76.109.30%26_ppostalCode%3DNone%26_pstateISOCode%3DUnavailable%26_pstateName%3DUnavailable%26_ptimeZone%3DEurope%252FBerlin%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%257Cnvrg6%26_pfbAids%3D340159566928684%257C437764526963678%26_pliPids%3D1318724%257C4751%26_pawAids%3DAW-819694878%257CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by
Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf
Security Headers
Name Value
Strict-Transport-Security max-age=631138519
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
p3p
CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
strict-transport-security
max-age=631138519
content-length
57
x-xss-protection
0
x-response-time
111
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:57 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
content-type
application/javascript;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
b72d2a40f7abbe035d79f11461ece10a
x-transaction
007a2624002ace85
expires
Tue, 31 Mar 1981 05:00:00 GMT
adsct
analytics.twitter.com/i/ Frame 3286
31 B
112 B
Script
General
Full URL
https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=nvrg6&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=1&tw_document_referrer=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%2526_pclPrint%253Dtrue%2526_ptwAids%253Do1oeb%257Cnvrg6%2526_pfbAids%253D340159566928684%257C437764526963678%2526_pliPids%253D1318724%257C4751%2526_pawAids%253DAW-819694878%257CAW-956680084%2526jnpr_vId%253DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%26_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3D%257B%2522not%2520found%2522%253A%2522not%2520found%2522%257D%26_pcityName%3DUnavailable%26_pcompanyName%3DHetzner%2520Online%2520GmbH%26_pcontinentCode%3DEU%26_pcontinentName%3DEurope%26_pcountryISOCode%3DDE%26_pcountryName%3DGermany%26_platitude%3D51.2993%26_plongitude%3D9.491%26_pmatchedIP%3D144.76.109.30%26_ppostalCode%3DNone%26_pstateISOCode%3DUnavailable%26_pstateName%3DUnavailable%26_ptimeZone%3DEurope%252FBerlin%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%257Cnvrg6%26_pfbAids%3D340159566928684%257C437764526963678%26_pliPids%3D1318724%257C4751%26_pawAids%3DAW-819694878%257CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by
Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf
Security Headers
Name Value
Strict-Transport-Security max-age=631138519
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
p3p
CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
strict-transport-security
max-age=631138519
content-length
57
x-xss-protection
0
x-response-time
119
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:57 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
content-type
application/javascript;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
b72d2a40f7abbe035d79f11461ece10a
x-transaction
002d81a300364069
expires
Tue, 31 Mar 1981 05:00:00 GMT
adsct
t.co/i/ Frame 3286
43 B
170 B
Image
General
Full URL
https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1oeb&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=1&tw_document_referrer=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957
Security Headers
Name Value
Strict-Transport-Security max-age=0
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
content-length
65
x-xss-protection
0
x-response-time
116
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:57 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
strict-transport-security
max-age=0
content-type
image/gif;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
c8d0b280c8bbf40823452698b765fc70
x-transaction
00d4a608009001d6
expires
Tue, 31 Mar 1981 05:00:00 GMT
adsct
t.co/i/ Frame 3286
43 B
119 B
Image
General
Full URL
https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=nvrg6&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=1&tw_document_referrer=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957
Security Headers
Name Value
Strict-Transport-Security max-age=0
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
content-length
65
x-xss-protection
0
x-response-time
121
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:57 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
strict-transport-security
max-age=0
content-type
image/gif;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
c8d0b280c8bbf40823452698b765fc70
x-transaction
0059e76e00388ede
expires
Tue, 31 Mar 1981 05:00:00 GMT
340159566928684
connect.facebook.net/signals/config/ Frame 3286
280 KB
65 KB
Script
General
Full URL
https://connect.facebook.net/signals/config/340159566928684?v=2.9.5&r=stable
Requested by
Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),
Reverse DNS
Software
/
Resource Hash
80a19a79e29cb723295fdccd389f61b999ccb6bde709c20cf6c970e7211b253c
Security Headers
Name Value
Content-Security-Policy default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
Strict-Transport-Security max-age=31536000; preload; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security
max-age=31536000; preload; includeSubDomains
content-encoding
gzip
x-content-type-options
nosniff
status
200
alt-svc
h3-23=":443"; ma=3600
content-length
66234
x-xss-protection
0
pragma
public
x-fb-debug
UQoTLa/Pw+3drt1oACzlPlQlTj7CRTvYPVjCIWfW1U0f6kMq1rkEcv4bRiLqWOjtN//xFJrxbXeTPOVC5fjQWg==
x-fb-trip-id
1850256238
x-frame-options
DENY
date
Mon, 21 Oct 2019 13:18:57 GMT
vary
Accept-Encoding
content-type
application/x-javascript; charset=utf-8
cache-control
public, max-age=1200
content-security-policy
default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
expires
Sat, 01 Jan 2000 00:00:00 GMT
340159566928684
connect.facebook.net/signals/config/ Frame 436D
280 KB
65 KB
Script
General
Full URL
https://connect.facebook.net/signals/config/340159566928684?v=2.9.5&r=stable
Requested by
Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),
Reverse DNS
Software
/
Resource Hash
80a19a79e29cb723295fdccd389f61b999ccb6bde709c20cf6c970e7211b253c
Security Headers
Name Value
Content-Security-Policy default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
Strict-Transport-Security max-age=31536000; preload; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security
max-age=31536000; preload; includeSubDomains
content-encoding
gzip
x-content-type-options
nosniff
status
200
alt-svc
h3-23=":443"; ma=3600
content-length
66234
x-xss-protection
0
pragma
public
x-fb-debug
UQoTLa/Pw+3drt1oACzlPlQlTj7CRTvYPVjCIWfW1U0f6kMq1rkEcv4bRiLqWOjtN//xFJrxbXeTPOVC5fjQWg==
x-fb-trip-id
1850256238
x-frame-options
DENY
date
Mon, 21 Oct 2019 13:18:57 GMT
vary
Accept-Encoding
content-type
application/x-javascript; charset=utf-8
cache-control
public, max-age=1200
content-security-policy
default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
expires
Sat, 01 Jan 2000 00:00:00 GMT
conversion_async.js
www.googleadservices.com/pagead/ Frame 3286
24 KB
9 KB
Script
General
Full URL
https://www.googleadservices.com/pagead/conversion_async.js
Requested by
Host: www.googletagmanager.com
URL: https://www.googletagmanager.com/gtag/js?id=AW-819694878
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
216.58.207.66 Mountain View, United States, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
fra16s25-in-f2.1e100.net
Software
cafe /
Resource Hash
04cc99186aa1ed2c9e0989ad7f6a2e180508c8656caef8cd2b153fa8dbba9038
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
content-disposition
attachment; filename="f.txt"
alt-svc
quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
9198
x-xss-protection
0
server
cafe
etag
4566352449703540938
vary
Accept-Encoding
content-type
text/javascript; charset=UTF-8
cache-control
private, max-age=3600
timing-allow-origin
*
expires
Mon, 21 Oct 2019 13:18:57 GMT
/
px.ads.linkedin.com/collect/ Frame 436D
0
69 B
Script
General
Full URL
https://px.ads.linkedin.com/collect/?time=1571663937119&pid=1318724%2C4751&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%2526_pclPrint%253Dtrue%2526_ptwAids%253Do1oeb%257Cnvrg6%2526_pfbAids%253D340159566928684%257C437764526963678%2526_pliPids%253D1318724%257C4751%2526_pawAids%253DAW-819694878%257CAW-956680084%2526jnpr_vId%253DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%26_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3D%257B%2522not%2520found%2522%253A%2522not%2520found%2522%257D%26_pcityName%3DUnavailable%26_pcompanyName%3DHetzner%2520Online%2520GmbH%26_pcontinentCode%3DEU%26_pcontinentName%3DEurope%26_pcountryISOCode%3DDE%26_pcountryName%3DGermany%26_platitude%3D51.2993%26_plongitude%3D9.491%26_pmatchedIP%3D144.76.109.30%26_ppostalCode%3DNone%26_pstateISOCode%3DUnavailable%26_pstateName%3DUnavailable%26_ptimeZone%3DEurope%252FBerlin%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%257Cnvrg6%26_pfbAids%3D340159566928684%257C437764526963678%26_pliPids%3D1318724%257C4751%26_pawAids%3DAW-819694878%257CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&fmt=js&s=1
Requested by
Host: research.juniper.net
URL: https://research.juniper.net/insight.min.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
2a05:f500:11:101::b93f:9005 , Ireland, ASN14413 (LINKEDIN - LinkedIn Corporation, US),
Reverse DNS
Software
Play /
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
server
Play
vary
Accept-Encoding
x-li-fabric
prod-lor1
status
200
x-li-proto
http/2
x-li-pop
prod-tln1
content-type
application/javascript
content-length
20
x-li-uuid
AhjYFgaszxVgfpK97SoAAA==
adsct
analytics.twitter.com/i/ Frame 436D
31 B
118 B
Script
General
Full URL
https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1oeb&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=1&tw_document_referrer=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%2526_pclPrint%253Dtrue%2526_ptwAids%253Do1oeb%257Cnvrg6%2526_pfbAids%253D340159566928684%257C437764526963678%2526_pliPids%253D1318724%257C4751%2526_pawAids%253DAW-819694878%257CAW-956680084%2526jnpr_vId%253DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%26_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3D%257B%2522not%2520found%2522%253A%2522not%2520found%2522%257D%26_pcityName%3DUnavailable%26_pcompanyName%3DHetzner%2520Online%2520GmbH%26_pcontinentCode%3DEU%26_pcontinentName%3DEurope%26_pcountryISOCode%3DDE%26_pcountryName%3DGermany%26_platitude%3D51.2993%26_plongitude%3D9.491%26_pmatchedIP%3D144.76.109.30%26_ppostalCode%3DNone%26_pstateISOCode%3DUnavailable%26_pstateName%3DUnavailable%26_ptimeZone%3DEurope%252FBerlin%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%257Cnvrg6%26_pfbAids%3D340159566928684%257C437764526963678%26_pliPids%3D1318724%257C4751%26_pawAids%3DAW-819694878%257CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by
Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf
Security Headers
Name Value
Strict-Transport-Security max-age=631138519
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
p3p
CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
strict-transport-security
max-age=631138519
content-length
57
x-xss-protection
0
x-response-time
113
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:57 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
content-type
application/javascript;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
b72d2a40f7abbe035d79f11461ece10a
x-transaction
001a888b00666748
expires
Tue, 31 Mar 1981 05:00:00 GMT
adsct
t.co/i/ Frame 436D
43 B
124 B
Image
General
Full URL
https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1oeb&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=1&tw_document_referrer=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram
Requested by
Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957
Security Headers
Name Value
Strict-Transport-Security max-age=0
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
content-length
65
x-xss-protection
0
x-response-time
109
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:57 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
strict-transport-security
max-age=0
content-type
image/gif;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
c8d0b280c8bbf40823452698b765fc70
x-transaction
00432d400000dd44
expires
Tue, 31 Mar 1981 05:00:00 GMT
adsct
analytics.twitter.com/i/ Frame 436D
31 B
117 B
Script
General
Full URL
https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=nvrg6&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=1&tw_document_referrer=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%2526_pclPrint%253Dtrue%2526_ptwAids%253Do1oeb%257Cnvrg6%2526_pfbAids%253D340159566928684%257C437764526963678%2526_pliPids%253D1318724%257C4751%2526_pawAids%253DAW-819694878%257CAW-956680084%2526jnpr_vId%253DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%26_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3D%257B%2522not%2520found%2522%253A%2522not%2520found%2522%257D%26_pcityName%3DUnavailable%26_pcompanyName%3DHetzner%2520Online%2520GmbH%26_pcontinentCode%3DEU%26_pcontinentName%3DEurope%26_pcountryISOCode%3DDE%26_pcountryName%3DGermany%26_platitude%3D51.2993%26_plongitude%3D9.491%26_pmatchedIP%3D144.76.109.30%26_ppostalCode%3DNone%26_pstateISOCode%3DUnavailable%26_pstateName%3DUnavailable%26_ptimeZone%3DEurope%252FBerlin%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%257Cnvrg6%26_pfbAids%3D340159566928684%257C437764526963678%26_pliPids%3D1318724%257C4751%26_pawAids%3DAW-819694878%257CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by
Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf
Security Headers
Name Value
Strict-Transport-Security max-age=631138519
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
p3p
CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
strict-transport-security
max-age=631138519
content-length
57
x-xss-protection
0
x-response-time
114
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:57 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
content-type
application/javascript;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
b72d2a40f7abbe035d79f11461ece10a
x-transaction
0098972100a8fc00
expires
Tue, 31 Mar 1981 05:00:00 GMT
adsct
t.co/i/ Frame 436D
43 B
119 B
Image
General
Full URL
https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=nvrg6&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=1&tw_document_referrer=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram
Requested by
Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),
Reverse DNS
Software
tsa_o /
Resource Hash
ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957
Security Headers
Name Value
Strict-Transport-Security max-age=0
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
status
200, 200 OK
x-twitter-response-tags
BouncerCompliant
content-length
65
x-xss-protection
0
x-response-time
116
pragma
no-cache
last-modified
Mon, 21 Oct 2019 13:18:57 GMT
server
tsa_o
x-frame-options
SAMEORIGIN
strict-transport-security
max-age=0
content-type
image/gif;charset=utf-8
cache-control
no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash
c8d0b280c8bbf40823452698b765fc70
x-transaction
00a2e017006bdb0f
expires
Tue, 31 Mar 1981 05:00:00 GMT
conversion_async.js
www.googleadservices.com/pagead/ Frame 436D
24 KB
9 KB
Script
General
Full URL
https://www.googleadservices.com/pagead/conversion_async.js
Requested by
Host: www.googletagmanager.com
URL: https://www.googletagmanager.com/gtag/js?id=AW-819694878
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
216.58.207.66 Mountain View, United States, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
fra16s25-in-f2.1e100.net
Software
cafe /
Resource Hash
04cc99186aa1ed2c9e0989ad7f6a2e180508c8656caef8cd2b153fa8dbba9038
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
content-disposition
attachment; filename="f.txt"
alt-svc
quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
9198
x-xss-protection
0
server
cafe
etag
4566352449703540938
vary
Accept-Encoding
content-type
text/javascript; charset=UTF-8
cache-control
private, max-age=3600
timing-allow-origin
*
expires
Mon, 21 Oct 2019 13:18:57 GMT
/
www.facebook.com/tr/ Frame 8CEE
0
0
Document
General
Full URL
https://www.facebook.com/tr/
Requested by
Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f11c:8183:face:b00c:0:25de , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),
Reverse DNS
Software
proxygen-bolt /
Resource Hash
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubDomains

Request headers

:method
POST
:authority
www.facebook.com
:scheme
https
:path
/tr/
content-length
3794
pragma
no-cache
cache-control
no-cache
origin
https://research.juniper.net
upgrade-insecure-requests
1
content-type
application/x-www-form-urlencoded
user-agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode
nested-navigate
accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site
cross-site
referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
accept-encoding
gzip, deflate, br
Origin
https://research.juniper.net
Upgrade-Insecure-Requests
1
Content-Type
application/x-www-form-urlencoded
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
nested-navigate
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936

Response headers

status
200
content-type
text/plain
access-control-allow-origin
https://research.juniper.net
access-control-allow-credentials
true
strict-transport-security
max-age=31536000; includeSubDomains
content-length
0
server
proxygen-bolt
alt-svc
h3-23=":443"; ma=3600
date
Mon, 21 Oct 2019 13:18:57 GMT
437764526963678
connect.facebook.net/signals/config/ Frame 3286
281 KB
65 KB
Script
General
Full URL
https://connect.facebook.net/signals/config/437764526963678?v=2.9.5&r=stable
Requested by
Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),
Reverse DNS
Software
/
Resource Hash
711484d0904f76b29c4cbf14e3e7d11c818545fdf95c19112c2ef1bd3e0680b8
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; preload; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security
max-age=31536000; preload; includeSubDomains
content-encoding
gzip
x-content-type-options
nosniff
status
200
alt-svc
h3-23=":443"; ma=3600
content-length
66280
x-xss-protection
0
pragma
public
x-fb-debug
pZGS4bnavCzec4DHVgpYFP8wBaDZBN2CpeyktdImSa4dtsBLo7y7nBaB47gPrhj16L/LKZbFI04oYBfiIMFitw==
x-fb-trip-id
1850256238
x-frame-options
DENY
date
Mon, 21 Oct 2019 13:18:57 GMT
vary
Accept-Encoding
content-type
application/x-javascript; charset=utf-8
cache-control
public, max-age=1200
expires
Sat, 01 Jan 2000 00:00:00 GMT
/
www.facebook.com/tr/ Frame 3470
0
0
Document
General
Full URL
https://www.facebook.com/tr/
Requested by
Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f11c:8183:face:b00c:0:25de , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),
Reverse DNS
Software
proxygen-bolt /
Resource Hash
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubDomains

Request headers

:method
POST
:authority
www.facebook.com
:scheme
https
:path
/tr/
content-length
3846
pragma
no-cache
cache-control
no-cache
origin
https://research.juniper.net
upgrade-insecure-requests
1
content-type
application/x-www-form-urlencoded
user-agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode
nested-navigate
accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site
cross-site
referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
accept-encoding
gzip, deflate, br
Origin
https://research.juniper.net
Upgrade-Insecure-Requests
1
Content-Type
application/x-www-form-urlencoded
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
nested-navigate
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936

Response headers

status
200
content-type
text/plain
access-control-allow-origin
https://research.juniper.net
access-control-allow-credentials
true
strict-transport-security
max-age=31536000; includeSubDomains
content-length
0
server
proxygen-bolt
alt-svc
h3-23=":443"; ma=3600
date
Mon, 21 Oct 2019 13:18:57 GMT
437764526963678
connect.facebook.net/signals/config/ Frame 436D
281 KB
65 KB
Script
General
Full URL
https://connect.facebook.net/signals/config/437764526963678?v=2.9.5&r=stable
Requested by
Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),
Reverse DNS
Software
/
Resource Hash
711484d0904f76b29c4cbf14e3e7d11c818545fdf95c19112c2ef1bd3e0680b8
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; preload; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security
max-age=31536000; preload; includeSubDomains
content-encoding
gzip
x-content-type-options
nosniff
status
200
alt-svc
h3-23=":443"; ma=3600
content-length
66280
x-xss-protection
0
pragma
public
x-fb-debug
pZGS4bnavCzec4DHVgpYFP8wBaDZBN2CpeyktdImSa4dtsBLo7y7nBaB47gPrhj16L/LKZbFI04oYBfiIMFitw==
x-fb-trip-id
1850256238
x-frame-options
DENY
date
Mon, 21 Oct 2019 13:18:57 GMT
vary
Accept-Encoding
content-type
application/x-javascript; charset=utf-8
cache-control
public, max-age=1200
expires
Sat, 01 Jan 2000 00:00:00 GMT
/
googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/ Frame 3286
3 KB
1 KB
Script
General
Full URL
https://googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/?random=1571663937199&cv=9&fst=1571663937199&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&rfmt=3&fmt=4
Requested by
Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion_async.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:818::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
f3572da14ecd1438b014367bee13c3f32b1bbce41a0ea16254a3455c64b064f2
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status
200
cache-control
no-cache, must-revalidate
content-disposition
attachment; filename="f.txt"
content-type
text/javascript; charset=UTF-8
alt-svc
quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
1228
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/ Frame 3286
7 KB
2 KB
Script
General
Full URL
https://googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/?random=1571663937200&cv=9&fst=1571663937200&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&rfmt=3&fmt=4
Requested by
Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion_async.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:818::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
3a97f850111de83f07a53261de9a8a1dfa6823a4ea63ee414a9f3533c247b3ef
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status
200
cache-control
no-cache, must-revalidate
content-disposition
attachment; filename="f.txt"
content-type
text/javascript; charset=UTF-8
alt-svc
quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
1827
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.de/pagead/1p-user-list/956680084/ Frame 3286
Redirect Chain
  • https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663937200&cv=9&fst=1571663937200&num=1&fmt=3&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=12...
  • https://www.google.com/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java...
  • https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=...
42 B
110 B
Image
General
Full URL
https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3031433607&resp=GooglemKTybQhCsO&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT

Redirect headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
302
content-type
image/gif
location
https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3031433607&resp=GooglemKTybQhCsO&ipr=y
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
timing-allow-origin
*
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.de/pagead/1p-user-list/956680084/ Frame 3286
Redirect Chain
  • https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663937200&cv=9&fst=1571663937200&num=1&fmt=3&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=12...
  • https://www.google.com/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java...
  • https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=...
42 B
110 B
Image
General
Full URL
https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=2817242393&resp=GooglemKTybQhCsO&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT

Redirect headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
302
content-type
image/gif
location
https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=2817242393&resp=GooglemKTybQhCsO&ipr=y
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
timing-allow-origin
*
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/ Frame 436D
3 KB
1 KB
Script
General
Full URL
https://googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/?random=1571663937203&cv=9&fst=1571663937203&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&rfmt=3&fmt=4
Requested by
Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion_async.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:818::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
21ac54b2dfa107c2c34e22763929c410c38b8b8dc586cb34221b708735da39b2
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status
200
cache-control
no-cache, must-revalidate
content-disposition
attachment; filename="f.txt"
content-type
text/javascript; charset=UTF-8
alt-svc
quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
1237
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/ Frame 436D
7 KB
2 KB
Script
General
Full URL
https://googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/?random=1571663937204&cv=9&fst=1571663937204&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%5C%3D_pclIp._pmatchedIP%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts_ip%3B_plkpKey%3D_pclIp._pmatchedIP%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&rfmt=3&fmt=4
Requested by
Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion_async.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:818::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
373fe54362c261716e6033ea509f22416fa0f09dae64dbdc7cd7219af8cff89e
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status
200
cache-control
no-cache, must-revalidate
content-disposition
attachment; filename="f.txt"
content-type
text/javascript; charset=UTF-8
alt-svc
quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
1834
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/ Frame 436D
7 KB
2 KB
Script
General
Full URL
https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663937205&cv=9&fst=1571663937205&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%5C%3D_pclIp._pmatchedIP%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts_ip%3B_plkpKey%3D_pclIp._pmatchedIP%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&rfmt=3&fmt=4
Requested by
Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion_async.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:818::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
3ce9806392df75ac66fb903977838ff4609b65dfb4f160ebd04b22c996184947
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status
200
cache-control
no-cache, must-revalidate
content-disposition
attachment; filename="f.txt"
content-type
text/javascript; charset=UTF-8
alt-svc
quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
1834
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.de/pagead/1p-user-list/956680084/ Frame 436D
Redirect Chain
  • https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663937204&cv=9&fst=1571663937204&num=1&fmt=3&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=12...
  • https://www.google.com/pagead/1p-user-list/956680084/?random=1571663937204&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java...
  • https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937204&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=...
42 B
110 B
Image
General
Full URL
https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937204&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3590609516&resp=GooglemKTybQhCsO&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT

Redirect headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
302
content-type
image/gif
location
https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937204&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3590609516&resp=GooglemKTybQhCsO&ipr=y
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
timing-allow-origin
*
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.facebook.com/tr/ Frame 0C24
0
0
Document
General
Full URL
https://www.facebook.com/tr/
Requested by
Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f11c:8183:face:b00c:0:25de , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),
Reverse DNS
Software
proxygen-bolt /
Resource Hash
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubDomains

Request headers

:method
POST
:authority
www.facebook.com
:scheme
https
:path
/tr/
content-length
3794
pragma
no-cache
cache-control
no-cache
origin
https://research.juniper.net
upgrade-insecure-requests
1
content-type
application/x-www-form-urlencoded
user-agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode
nested-navigate
accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site
cross-site
referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
accept-encoding
gzip, deflate, br
Origin
https://research.juniper.net
Upgrade-Insecure-Requests
1
Content-Type
application/x-www-form-urlencoded
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
nested-navigate
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936

Response headers

status
200
content-type
text/plain
access-control-allow-origin
https://research.juniper.net
access-control-allow-credentials
true
strict-transport-security
max-age=31536000; includeSubDomains
content-length
0
server
proxygen-bolt
alt-svc
h3-23=":443"; ma=3600
date
Mon, 21 Oct 2019 13:18:57 GMT
/
www.facebook.com/tr/ Frame 8346
0
0
Document
General
Full URL
https://www.facebook.com/tr/
Requested by
Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f11c:8183:face:b00c:0:25de , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),
Reverse DNS
Software
proxygen-bolt /
Resource Hash
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubDomains

Request headers

:method
POST
:authority
www.facebook.com
:scheme
https
:path
/tr/
content-length
3846
pragma
no-cache
cache-control
no-cache
origin
https://research.juniper.net
upgrade-insecure-requests
1
content-type
application/x-www-form-urlencoded
user-agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode
nested-navigate
accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site
cross-site
referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
accept-encoding
gzip, deflate, br
Origin
https://research.juniper.net
Upgrade-Insecure-Requests
1
Content-Type
application/x-www-form-urlencoded
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode
nested-navigate
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936

Response headers

status
200
content-type
text/plain
access-control-allow-origin
https://research.juniper.net
access-control-allow-credentials
true
strict-transport-security
max-age=31536000; includeSubDomains
content-length
0
server
proxygen-bolt
alt-svc
h3-23=":443"; ma=3600
date
Mon, 21 Oct 2019 13:18:57 GMT
/
www.google.com/pagead/1p-user-list/819694878/ Frame 3286
42 B
110 B
Image
General
Full URL
https://www.google.com/pagead/1p-user-list/819694878/?random=1571663937199&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=3819243290&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.de/pagead/1p-user-list/819694878/ Frame 3286
42 B
110 B
Image
General
Full URL
https://www.google.de/pagead/1p-user-list/819694878/?random=1571663937199&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=3819243290&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.com/pagead/1p-user-list/819694878/ Frame 3286
42 B
110 B
Image
General
Full URL
https://www.google.com/pagead/1p-user-list/819694878/?random=1571663937200&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=3128167364&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.de/pagead/1p-user-list/819694878/ Frame 3286
42 B
110 B
Image
General
Full URL
https://www.google.de/pagead/1p-user-list/819694878/?random=1571663937200&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=3128167364&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.com/pagead/1p-user-list/819694878/ Frame 436D
42 B
278 B
Image
General
Full URL
https://www.google.com/pagead/1p-user-list/819694878/?random=1571663937203&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=506434098&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.de/pagead/1p-user-list/819694878/ Frame 436D
42 B
110 B
Image
General
Full URL
https://www.google.de/pagead/1p-user-list/819694878/?random=1571663937203&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=506434098&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.com/pagead/1p-user-list/819694878/ Frame 436D
42 B
110 B
Image
General
Full URL
https://www.google.com/pagead/1p-user-list/819694878/?random=1571663937204&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%5C%3D_pclIp._pmatchedIP%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts_ip%3B_plkpKey%3D_pclIp._pmatchedIP%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=887524795&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.de/pagead/1p-user-list/819694878/ Frame 436D
42 B
110 B
Image
General
Full URL
https://www.google.de/pagead/1p-user-list/819694878/?random=1571663937204&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%5C%3D_pclIp._pmatchedIP%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts_ip%3B_plkpKey%3D_pclIp._pmatchedIP%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=887524795&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.com/pagead/1p-user-list/956680084/ Frame 436D
42 B
110 B
Image
General
Full URL
https://www.google.com/pagead/1p-user-list/956680084/?random=1571663937205&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%5C%3D_pclIp._pmatchedIP%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts_ip%3B_plkpKey%3D_pclIp._pmatchedIP%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=930459174&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.de/pagead/1p-user-list/956680084/ Frame 436D
42 B
110 B
Image
General
Full URL
https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937205&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%5C%3D_pclIp._pmatchedIP%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts_ip%3B_plkpKey%3D_pclIp._pmatchedIP%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=930459174&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y
Requested by
Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
satellite-57e2f6c764746d7a990154e8.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
1 KB
676 B
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-57e2f6c764746d7a990154e8.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
0b30b39cc04a7922ed34d3d567d814c6ea9c8cea7e4ba2302b5d45272c13a483

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:31 GMT
server
AkamaiNetStorage
etag
"143f04ca053bbbb67e7e7db60384c44e:1571335291.002567"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
431
expires
Mon, 21 Oct 2019 14:18:57 GMT
satellite-586d49e464746d11fd002f2c.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
414 B
526 B
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-586d49e464746d11fd002f2c.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
f0ebf94842d7584c1c3c4925765c776bc6acc5345d1c01bdb846b416bad07877

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:31 GMT
server
AkamaiNetStorage
etag
"73f8288b3e1da89f3ff0360bfca03245:1571335291.159718"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
281
expires
Mon, 21 Oct 2019 14:18:57 GMT
satellite-5630f65f64746d185c002af5.js
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/
503 B
580 B
Script
General
Full URL
https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5630f65f64746d185c002af5.js
Requested by
Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS
a2-18-232-23.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
1fee2fb3eb1831930f4e325e6f05dc0d322ce37f53cc7da4cd2cdde999ed0b1d

Request headers

Sec-Fetch-Mode
no-cors
Referer
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Mon, 21 Oct 2019 13:18:57 GMT
content-encoding
gzip
last-modified
Thu, 17 Oct 2019 18:01:24 GMT
server
AkamaiNetStorage
etag
"902ab4d82e29bb124a4127654ea7be62:1571335284.528625"
vary
Accept-Encoding
content-type
application/x-javascript
status
200
cache-control
max-age=3600
accept-ranges
bytes
timing-allow-origin
*
content-length
335
expires
Mon, 21 Oct 2019 14:18:57 GMT

Verdicts & Comments Add Verdict or Comment

160 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

object| onformdata object| onpointerrawupdate object| _elqQ function| Visitor object| _satellite object| s_c_il number| s_c_in function| targetPageParams string| val object| adobe object| ___target_traces function| mboxCreate function| mboxDefine function| mboxUpdate string| rootDomain object| domainParts number| slot undefined| gatewayReq undefined| gatewayListener number| ii string| jnpr_vID_state string| jnpr_vID number| POLL_INTERVAL number| MAX_POLL_COUNT number| pollCount function| poll object| Dmdbase_CDC function| juniperVideoOnPlayerStateChange object| jnprData function| fbq function| _fbq object| FontAwesomeCdnConfig string| cssUrl function| $ function| jQuery function| twq function| grunticon object| splitString string| value object| newParams function| Swipe boolean| p object| s boolean| z function| keyshotVR function| _ function| FastClick function| Hammer boolean| liveAgentDeployment object| liveagent function| juniGetResponsiveInstace object| html5 object| Modernizr object| twttr object| ttMETA function| ttMBX object| LITHIUM number| googleLT_ object| google object| ca function| google_exportSymbol function| google_exportProperty function| submitsearchForm function| searchKeyword function| submitnavSearch undefined| ie undefined| szCookieText string| UDS_ServiceBase string| UDS_ApiKey boolean| UDS_KeyVerified boolean| UDS_LoadFailure string| UDS_CurrentLocale string| UDS_ShortDatePattern string| UDS_Version string| UDS_JSHash function| GwebSearch function| GcustomwebSearch function| GbookSearch function| GblogSearch function| GvideoSearch function| GnewsSearch function| GlocalSearch function| GimageSearch function| GcustomimageSearch function| GpatentSearch function| GSearch function| GSearchControl function| GSearchForm function| GsearcherOptions function| GdrawOptions object| __gcse object| closure_lm_778817 function| setCookie function| getParam object| gclid object| utm_source object| utm_campaign object| utm_content object| utm_term object| utm_medium object| cid function| gtag object| dataLayer function| doAwRemarketing function| doEvent function| handleProfileJnprTrgtAccnts function| profileHandler function| getCookie function| ssCheck number| k function| ResizeSensor function| ElementQueries object| jQuery18306774468292413174 object| JNPR function| _googCsa number| nextSearchboxId string| myrsid function| AppMeasurement_Module_ActivityMap function| AppMeasurement function| s_gi function| s_pgicq number| s_objectID number| s_giq object| s_i_jnprod object| google_tag_manager string| newHash string| oldHash object| cookieList undefined| cookieVal number| len object| _gaq undefined| urlParams undefined| internalUTM undefined| custCookie undefined| utm_expid undefined| searchTerm undefined| gak_refDomain string| altPageName undefined| tabVal object| gaCookies function| handleTrackEvent string| GoogleAnalyticsObject function| ga object| _pntheon object| _elq number| googleNDT_ number| _googCsaAlwaysHttps number| googleAltLoader object| google_tag_data object| gaplugins object| gaGlobal object| gaData function| GooglemKTybQhCsO function| google_trackConversion object| GooglebQhCsO function| __extends object| Demandbase object| __db function| DBSegment object| mmIntegrations

2 Cookies

Domain/Path Name / Value
.doubleclick.net/ Name: IDE
Value: AHWqTUn4QeLlpbPs0iXSE65iZ5tQCW466ywZS4kWF4N0KE3OIiZ_bHUhdVCQvWAf
.juniper.net/ Name: _fbp
Value: fb.1.1571663937173.1180827004

1 Console Messages

Source Level URL
Text
console-api log URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram(Line 170)
Message:
on load

Security Headers

This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page

Header Value
Strict-Transport-Security max-age=31536000;includeSubDomains

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

3872718.fls.doubleclick.net
5922977.fls.doubleclick.net
ajax.googleapis.com
analytics.twitter.com
api.company-target.com
api.demandbase.com
assets.adobedtm.com
attr.ml-api.io
clients1.google.com
cloud.webtype.com
cm.everesttech.net
collect.rmulus.com
connect.facebook.net
cse.google.com
dpm.demdex.net
fonts.googleapis.com
forums.juniper.net
googleads.g.doubleclick.net
img.en25.com
jnet.i.lithium.com
junipernetworks.d2.sc.omtrdc.net
junipernetworks.demdex.net
junipernetworks.tt.omtrdc.net
lookups.rmulus.com
match.prod.bidr.io
maxcdn.bootstrapcdn.com
platform.twitter.com
pls.webtype.com
px.ads.linkedin.com
research.juniper.net
s.ml-attr.com
s1229.t.eloqua.com
scripts.demandbase.com
secure.adnxs.com
secure.rmulus.com
segments.company-target.com
static.ads-twitter.com
stats.g.doubleclick.net
t.co
tags.bluekai.com
use.fontawesome.com
www.facebook.com
www.google-analytics.com
www.google.ca
www.google.com
www.google.de
www.googleadservices.com
www.googleapis.com
www.googletagmanager.com
www.juniper.net
104.111.241.32
104.244.42.197
104.244.42.67
13.224.196.121
13.225.78.27
13.225.78.79
143.204.101.123
143.204.101.126
143.204.101.13
151.101.112.157
172.217.18.102
185.33.223.100
2.18.232.23
2001:4de0:ac19::1:b:2a
208.74.207.25
209.167.231.17
216.58.205.230
216.58.207.66
23.111.9.35
2606:2800:234:59:254c:406:2366:268c
2a00:1450:4001:800::200e
2a00:1450:4001:814::2008
2a00:1450:4001:814::200e
2a00:1450:4001:818::2002
2a00:1450:4001:81b::2003
2a00:1450:4001:81c::200a
2a00:1450:4001:81d::2004
2a00:1450:4001:81e::200a
2a00:1450:4001:820::200a
2a00:1450:4001:821::2003
2a00:1450:400c:c00::9a
2a02:26f0:10:2a9::720
2a03:2880:f01c:8012:face:b00c:0:3
2a03:2880:f11c:8183:face:b00c:0:25de
2a05:f500:11:101::b93f:9005
34.201.194.177
34.253.43.81
52.213.193.252
52.30.78.155
52.49.100.189
54.230.95.207
65.52.62.25
66.117.28.86
66.117.29.3
68.67.153.60
93.184.220.41
93.184.220.97
95.100.78.166
04cc38228e78bcd321b02a1db468d35e557f12251aae38a9b2f1814f2761b9b4
04cc99186aa1ed2c9e0989ad7f6a2e180508c8656caef8cd2b153fa8dbba9038
0620feb9ea1ef87a0f1fd0df37a90ef556afb630b3360be72266f4f505dc42b4
066d654e9fdae411ba75229bf293bb54156406111dd0f69f789f97a8a8a6502b
06999de90eb62434c9e26cc7b0b70c3db1602e5b3ebea36b7dd6cb9e4ebbd784
081de2455a7c07a455ae28fec0acf0db473c515d1d38b49fda402724febc6da7
0af3aae90b7de9fdceee2ab421378ea2f54c74be81ef43fc6c1790a032755d80
0b30b39cc04a7922ed34d3d567d814c6ea9c8cea7e4ba2302b5d45272c13a483
0eb2263b102275bbff7847e76a3668c516c2db3d2f6523b94259525ab8124a4b
10d8d42d73a02ddb877101e72fbfa15a0ec820224d97cedee4cf92d571be5caa
179f42988ae4cab77687b27656fc69ab3fa07efbcf6279ac1bef85ac0688e69d
18640403461461c763056c71c9d16db51cfaf8bd64473e8746b7692e25200e12
18a02257219987458dc60f3fc2284ce0ceba4affa260c51d66d0b6e815e0a90f
1bc61ec53e5af2299b45821748c5d3984ed56fa406cd1c49531ef1d25bdc30ce
1e76b665a6f0a9668df5358d69d8e88e82e602cbb5d5eb7acb4ea7daa5d5190d
1fee2fb3eb1831930f4e325e6f05dc0d322ce37f53cc7da4cd2cdde999ed0b1d
2099c9be1d977088b3fa5f862474b7ed87e34c8988f6eaf1a20b15787c9998b6
21ac54b2dfa107c2c34e22763929c410c38b8b8dc586cb34221b708735da39b2
22642f202577f0ba2f22cbe56b6cf291a09374487567cd3563e0d2a29f75c0c5
2381b47f8892f725ff4cc6758375a338efbea0fc9178e18c8c97ee4d8d1d290c
24b74951479c73418c6486173931f2c1b9f56142776dda0a7dc19a9e9884b8a9
2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe
2aec599bb34eb6dc9628239d56d39f8b9fbf6cea0d7b4272d3a6c18c6ab81e05
2c9f1c57bc31c65cdb84a1c44c0c91fc88799512fd87c5bc6e52b21f69abd5d0
2e4f5dd09499f2da4d8350e694d389f5837bc9a97addae7785a708a1867551a2
2e982e3c73e6f28505203e3efd647293555d1b34940f19626bd054bd6f2efc57
319949c8c08b86e9c35ea542c0dc0c30cedaa9b8d3d3c3327a36c91aefbd8af5
3236d2dc701f583a81401e777323e8026c6342c1e5bb5ac7fb9262f929227b1c
373fe54362c261716e6033ea509f22416fa0f09dae64dbdc7cd7219af8cff89e
39d48454cc249ca68918b13d93558d1027516393b06df1c104557532da1bc02e
3a97f850111de83f07a53261de9a8a1dfa6823a4ea63ee414a9f3533c247b3ef
3b7b8a4b411ddf8db9bacc2f3aabf406f8e4c0c087829b336ca331c40adfdff1
3ca19e57c9a2465ae4df271316ba4d29e7ff7f113a2a2c5297780c0b7a0ac09d
3ce9806392df75ac66fb903977838ff4609b65dfb4f160ebd04b22c996184947
3e84bcc6469e170029339c0b60b522671ca5d4298578308ec882df95f7badd9c
3eadffc329fb1c32ee10e809962cb4114a71d92b0f30db0b9ba9bef6abc91015
40a20291f9b526cba58796a4bbd0256d5663313e02c9d5ab5a842476562b3108
4c891889ca55d5cadf9e960d2e40f31f50ac0b6252417a9be7414ff2f26a3880
513a1cdd025b3086aa57881e2c801d57b76154c11975cc9283a9a3b480650722
53964478a7c634e8dad34ecc303dd8048d00dce4993906de1bacf67f663486ef
5b4f7ddf2cbd5ef8611f5fd90529a7c0b42bedb4c6f5a8f08d1c328b55043372
5b9573e1023da775390e9284ec0eb1c606df9b468a28980055b4a6aa804f4350
626ef4978a3758ced595afe37b89812432ef49fe3f967d2cd8e1321459b3a9b8
640ab2801ebaaac35a628d23dfe09caac3ba92b4ad30519a876620e1e8505b7b
656e1fb71a24f4d230a9ce9ff572e6c7e52382d7bbe666dafb10c12fc2799210
690217dd4ebde7d6750b11980ac97780557184aa636e8ae5ca6a53aadfbce5b8
6b4ebd6049c806e3eef1bd770b2d8b4fdd75803861ead3584ee753e41988efae
711484d0904f76b29c4cbf14e3e7d11c818545fdf95c19112c2ef1bd3e0680b8
775babc192dd84c190b44f9612ad8a9de10a522c9a178e7f37a623b13974582b
78a8202e2d22f37c9ed73bb52845944b2776d14a59bd21bd44dca6ca11795495
79340c32d5422c3331db60c78f9854b0d9c0a9bd0f9c454b7398734c1b990658
79e16119ceda988947279eb9addd1869b4270af3967b69ec9e09713ae4b6572b
7b08b6c86fb4d51c3e96dd3f06ed35c02b7f0662404fb6b14b9b2b0425a9e28a
7bde86f22329283dc816191116fb2c332cfdb506928e6551cae7273356d8d238
7da66ec546c027bfe5b9ca59aa2225cfaa5f0d68f96801f31186878c0fa853f8
7ee39e6b76207efc841a6882a2af5241490e1a2161c4e13790f78fb4dbfdde28
80a19a79e29cb723295fdccd389f61b999ccb6bde709c20cf6c970e7211b253c
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015
851bd834d24a84c0f4780789e868a65f9db8d9655a7a0cac039dbf3b65ad873f
8c5519ff6e93dfefc21c8b9c586ceef2060b2161e6be946d5b704341456ef053
8c785b78817298c70c27829e6903d75fac181ed591e3260c4b1fec35f0cd03c0
8febd8b0e9b817a31d401574d8f8aaeb5003d76c2c1afa9da932fa0990685b53
9093f80f7653038c751be64d054f6159875ac0f6f99935c4008bf3f705abdbee
925ce3258ea45dd475bffbdc02c278e08d6bc4667c685b18c43b8dd0cb8bee5a
9404cee30e4489a7ed4d6de2dd92aa8e4386fd5ff1c81ebcea77f581952eac31
983b0caf336e8542214fc17019a4fc5e0360864b92806ca14d55c1fc1c2c5a0f
9912c03b52a7cb0fc11bde58e200010eca671219552929b31be4c2e26c0e10c3
994f862399526907874323d0bf282947d8c1b6e01c2ef047da2b5521e88eba5b
9b8a69e995564719ea29e03b8593d8d18d03c3c8411a0eba1d714afec595d848
9e5b8d4ced66c172dc84f16051eee4bac1e0fc60781c1ea05d73072b3cc7ddf1
a1ecbaed793a1f564c49c671f2dd0ce36f858534ef6d26b55783a06b884cc506
a844cdc48c7591822e45128a138f1dbba5753a3ca9992bd71c36758d51d0b68e
aadc3580d2b64ff5a7e6f1425587db4e8b033efcbf8f5c332ca52a5ed580c87c
ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957
acbde4a5a6ca3a99092c40c7d64b1e6a3c170a991a1ae98dd28b590cec53a7c0
b1110f2c7ae9f0a22977c4df6431fdfef92d1e8223f9734713e57aeb2ee96fcf
b6b12491bd3384604967dba5b6d0d4430484097b7982a988bf78aae31bf9ff76
b8eea75e456823a6e0eebfa1e4f27b56395485fff2bbf27e0344f7bf4fa8e509
be411113a7cc410c17ca7c311a35166e012b630b56da83341cbed129f6abd6bd
c0f533082d6b784c7f939ad3fbcafc2faa6a88d96f0b076f7a0e28b431995bff
c5aff3477022f781ee765989cdf6abbdd986f331064c59f5655fab8c6f9796c7
c74679537a89890b260d93e19aad5f4cc95a230623a945ffcc3d981fc13a1adf
c85e7ce68f3a78005c8c4603e3312b48ab1465bfdc86b397941295aa75299f2e
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356
cf4724b2f736ed1a0ae6bc28f1ead963d9cd2c1fd87b6ef32e7799fc1c5c8bda
d2474340ff2bb92f87a9ff9df68cd9bb04ec042a4af464d42d76ad69d9b2a67d
db0031471b3f9181ff21d83674674ac3dd7c128531fae90bc274ad0e17c58c37
dbb67c620eaabf6679a314db18d3ae43037aef71ab27422e6feec08ee987cc0a
df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf
e28195ef556c2e1f2d22ff939f487f10a32e608255bbd541be3eda5883b414c3
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
e8a8cd48f7f93a8c8d708eda1f3f9c6ddd886c3f6c38eee67aeac98897b09510
e931faaef092c8d98a58ac536216378f58e2a17a4833bbe5f9a29e5bbed849f6
edd8db5c29b96b7a290a5e266d426dca85541b7cd7a62b180e5ec89dc635f05f
eec3860fdc0bff086a73a04051948c4e76ea29a6b61eaa870083739555b83f64
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
f0ebf94842d7584c1c3c4925765c776bc6acc5345d1c01bdb846b416bad07877
f3572da14ecd1438b014367bee13c3f32b1bbce41a0ea16254a3455c64b064f2
f50798458e958d44022e68ed50eaf58ee47256a163f3022681fe1c899139d612
f75e846cc83bd11432f4b1e21a45f31bc85283d11d372f7b19accd1bf6a2635c
f7d6b1c8e88874fb2696fc3128ea91fc6f47915466ea9f566ab2c39fcebffbd6
ffa161118fe5c86651a1086172071bfe65d3c22968af6e2cfdfc450b8051770d