forums.juniper.net Open in urlscan Pro
208.74.207.25 Public Scan

Go To Rescan
Add Verdict Report

URL:
https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Submission: On October 21 via api (October 21st 2019, 1:19:16 pm UTC) from CH

Summary HTTP 177 Redirects Links 76 Behaviour Indicators

Summary

This website contacted 43 IPs in 7 countries across 33 domains to perform 177 HTTP transactions. The main IP is 208.74.207.25, located in United States and belongs to NEUSTAR-AS6 - NeuStar, Inc., US. The main domain is forums.juniper.net.
TLS certificate: Issued by DigiCert SHA2 High Assurance Server CA on August 16th 2019. Valid for: a year.

This is the only time forums.juniper.net was scanned on urlscan.io!

urlscan.io Verdict: No classification

Domain & IP information

	IP Address	AS Autonomous System
5 13	208.74.207.25 208.74.207.25	19905 (NEUSTAR-AS6) (NEUSTAR-AS6 - NeuStar)
21	2.18.232.23 2.18.232.23	16625 (AKAMAI-AS) (AKAMAI-AS - Akamai Technologies)
4	23.111.9.35 23.111.9.35	33438 (HIGHWINDS2) (HIGHWINDS2 - Highwinds Network Group)
1	2a00:1450:400... 2a00:1450:4001:820::200a	15169 (GOOGLE) (GOOGLE - Google LLC)
2	2001:4de0:ac1... 2001:4de0:ac19::1:b:2a	20446 (HIGHWINDS3) (HIGHWINDS3 - Highwinds Network Group)
10	93.184.220.97 93.184.220.97	15133 (EDGECAST) (EDGECAST - MCI Communications Services)
1 10	2a02:26f0:10:... 2a02:26f0:10:2a9::720	20940 (AKAMAI-ASN1) (AKAMAI-ASN1)
2	93.184.220.41 93.184.220.41	15133 (EDGECAST) (EDGECAST - MCI Communications Services)
2	52.30.78.155 52.30.78.155	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
2	13.224.196.121 13.224.196.121	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
1	13.225.78.27 13.225.78.27	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
2	52.49.100.189 52.49.100.189	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
1 1	66.117.28.86 66.117.28.86	15224 (OMNITURE) (OMNITURE - Adobe Systems Inc.)
8	2a03:2880:f01... 2a03:2880:f01c:8012:face:b00c:0:3	32934 (FACEBOOK) (FACEBOOK - Facebook)
1	2a00:1450:400... 2a00:1450:4001:81e::200a	15169 (GOOGLE) (GOOGLE - Google LLC)
4	151.101.112.157 151.101.112.157	54113 (FASTLY) (FASTLY - Fastly)
1 1	2606:2800:234... 2606:2800:234:59:254c:406:2366:268c	15133 (EDGECAST) (EDGECAST - MCI Communications Services)
1 1	68.67.153.60 68.67.153.60	29990 (ASN-APPNEXUS) (ASN-APPNEXUS - AppNexus)
2 2	185.33.223.100 185.33.223.100	29990 (ASN-APPNEXUS) (ASN-APPNEXUS - AppNexus)
1	13.225.78.79 13.225.78.79	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
1	2a00:1450:400... 2a00:1450:4001:81b::2003	15169 (GOOGLE) (GOOGLE - Google LLC)
1	66.117.29.3 66.117.29.3	15224 (OMNITURE) (OMNITURE - Adobe Systems Inc.)
9	104.244.42.197 104.244.42.197	13414 (TWITTER) (TWITTER - Twitter Inc.)
5	2a03:2880:f11... 2a03:2880:f11c:8183:face:b00c:0:25de	32934 (FACEBOOK) (FACEBOOK - Facebook)
1	65.52.62.25 65.52.62.25	8075 (MICROSOFT...) (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation)
5 18	2a00:1450:400... 2a00:1450:4001:81d::2004	15169 (GOOGLE) (GOOGLE - Google LLC)
3	2a00:1450:400... 2a00:1450:4001:800::200e	15169 (GOOGLE) (GOOGLE - Google LLC)
1	34.253.43.81 34.253.43.81	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
6	2a00:1450:400... 2a00:1450:4001:814::2008	15169 (GOOGLE) (GOOGLE - Google LLC)
10	143.204.101.123 143.204.101.123	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
9	104.244.42.67 104.244.42.67	13414 (TWITTER) (TWITTER - Twitter Inc.)
1	95.100.78.166 95.100.78.166	16625 (AKAMAI-AS) (AKAMAI-AS - Akamai Technologies)
1	2a00:1450:400... 2a00:1450:4001:81c::200a	15169 (GOOGLE) (GOOGLE - Google LLC)
1 2	172.217.18.102 172.217.18.102	15169 (GOOGLE) (GOOGLE - Google LLC)
1 2	216.58.205.230 216.58.205.230	15169 (GOOGLE) (GOOGLE - Google LLC)
3	216.58.207.66 216.58.207.66	15169 (GOOGLE) (GOOGLE - Google LLC)
4	2a00:1450:400... 2a00:1450:4001:814::200e	15169 (GOOGLE) (GOOGLE - Google LLC)
4	34.201.194.177 34.201.194.177	14618 (AMAZON-AES) (AMAZON-AES - Amazon.com)
2 2	209.167.231.17 209.167.231.17	7160 (NETDYNAMICS) (NETDYNAMICS - Oracle Corporation)
1	104.111.241.32 104.111.241.32	16625 (AKAMAI-AS) (AKAMAI-AS - Akamai Technologies)
1 2	2a00:1450:400... 2a00:1450:400c:c00::9a	15169 (GOOGLE) (GOOGLE - Google LLC)
10	2a00:1450:400... 2a00:1450:4001:821::2003	15169 (GOOGLE) (GOOGLE - Google LLC)
3 9	2a00:1450:400... 2a00:1450:4001:818::2002	15169 (GOOGLE) (GOOGLE - Google LLC)
2	143.204.101.126 143.204.101.126	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
2 2	52.213.193.252 52.213.193.252	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
1 2	54.230.95.207 54.230.95.207	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
2	143.204.101.13 143.204.101.13	16509 (AMAZON-02) (AMAZON-02 - Amazon.com)
2	2a05:f500:11:... 2a05:f500:11:101::b93f:9005	14413 (LINKEDIN) (LINKEDIN - LinkedIn Corporation)
177	43

13 208.74.207.25 (United States) 5 redirects

ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US)
PTR: jnet.lithium.com

forums.juniper.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

21 2.18.232.23 (Ascension Island)

ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US)
PTR: a2-18-232-23.deploy.static.akamaitechnologies.com

assets.adobedtm.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

4 23.111.9.35 (Phoenix, United States)

ASN33438 (HIGHWINDS2 - Highwinds Network Group, Inc., US)

use.fontawesome.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:4001:820::200a (Frankfurt am Main, Germany)

ASN15169 (GOOGLE - Google LLC, US)

ajax.googleapis.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2001:4de0:ac19::1:b:2a (Netherlands)

ASN20446 (HIGHWINDS3 - Highwinds Network Group, Inc., US)

maxcdn.bootstrapcdn.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

10 93.184.220.97 (London, United Kingdom)

ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US)

jnet.i.lithium.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

10 2a02:26f0:10:2a9::720 (Ascension Island) 1 redirects

ASN20940 (AKAMAI-ASN1, US)

www.juniper.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 93.184.220.41 (London, United Kingdom)

ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US)

cloud.webtype.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 52.30.78.155 (Dublin, Ireland)

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)
PTR: ec2-52-30-78-155.eu-west-1.compute.amazonaws.com

dpm.demdex.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 13.224.196.121 (Seattle, United States)

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)
PTR: server-13-224-196-121.fra2.r.cloudfront.net

scripts.demandbase.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 13.225.78.27 (Seattle, United States)

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)
PTR: server-13-225-78-27.fra2.r.cloudfront.net

api.demandbase.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 52.49.100.189 (Dublin, Ireland)

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)
PTR: ec2-52-49-100-189.eu-west-1.compute.amazonaws.com

junipernetworks.d2.sc.omtrdc.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 66.117.28.86 (United States) 1 redirects

ASN15224 (OMNITURE - Adobe Systems Inc., US)

cm.everesttech.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

8 2a03:2880:f01c:8012:face:b00c:0:3 (Ireland)

ASN32934 (FACEBOOK - Facebook, Inc., US)

connect.facebook.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:4001:81e::200a (Frankfurt am Main, Germany)

ASN15169 (GOOGLE - Google LLC, US)

fonts.googleapis.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

4 151.101.112.157 (Frankfurt am Main, Germany)

ASN54113 (FASTLY - Fastly, US)

static.ads-twitter.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2606:2800:234:59:254c:406:2366:268c (United States) 1 redirects

ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US)

platform.twitter.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 68.67.153.60 (United States) 1 redirects

ASN29990 (ASN-APPNEXUS - AppNexus, Inc, US)
PTR: s.ml-attr.com.pxlsrv.net

s.ml-attr.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 185.33.223.100 (Netherlands) 2 redirects

ASN29990 (ASN-APPNEXUS - AppNexus, Inc, US)
PTR: 373.bm-nginx-loadbalancer.mgmt.ams1.adnexus.net

secure.adnxs.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 13.225.78.79 (Seattle, United States)

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)
PTR: server-13-225-78-79.fra2.r.cloudfront.net

attr.ml-api.io	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:4001:81b::2003 (Frankfurt am Main, Germany)

ASN15169 (GOOGLE - Google LLC, US)

www.google.ca	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 66.117.29.3 (United States)

ASN15224 (OMNITURE - Adobe Systems Inc., US)

junipernetworks.tt.omtrdc.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

9 104.244.42.197 (United States)

ASN13414 (TWITTER - Twitter Inc., US)

t.co	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

5 2a03:2880:f11c:8183:face:b00c:0:25de (Ireland)

ASN32934 (FACEBOOK - Facebook, Inc., US)

www.facebook.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 65.52.62.25 (Chicago, United States)

ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation, US)

pls.webtype.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

18 2a00:1450:4001:81d::2004 (Frankfurt am Main, Germany) 5 redirects

ASN15169 (GOOGLE - Google LLC, US)

www.google.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

3 2a00:1450:4001:800::200e (Frankfurt am Main, Germany)

ASN15169 (GOOGLE - Google LLC, US)

cse.google.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools
clients1.google.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 34.253.43.81 (Dublin, Ireland)

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)
PTR: ec2-34-253-43-81.eu-west-1.compute.amazonaws.com

junipernetworks.demdex.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

6 2a00:1450:4001:814::2008 (Frankfurt am Main, Germany)

ASN15169 (GOOGLE - Google LLC, US)

www.googletagmanager.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

10 143.204.101.123 (Seattle, United States)

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)
PTR: server-143-204-101-123.fra50.r.cloudfront.net

secure.rmulus.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools
research.juniper.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

9 104.244.42.67 (United States)

ASN13414 (TWITTER - Twitter Inc., US)

analytics.twitter.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 95.100.78.166 (Ascension Island)

ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US)
PTR: a95-100-78-166.deploy.static.akamaitechnologies.com

img.en25.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:4001:81c::200a (Frankfurt am Main, Germany)

ASN15169 (GOOGLE - Google LLC, US)

www.googleapis.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 172.217.18.102 (United States) 1 redirects

ASN15169 (GOOGLE - Google LLC, US)
PTR: fra16s42-in-f6.1e100.net

5922977.fls.doubleclick.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 216.58.205.230 (Mountain View, United States) 1 redirects

ASN15169 (GOOGLE - Google LLC, US)
PTR: fra15s24-in-f230.1e100.net

3872718.fls.doubleclick.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

3 216.58.207.66 (Mountain View, United States)

ASN15169 (GOOGLE - Google LLC, US)
PTR: fra16s25-in-f2.1e100.net

www.googleadservices.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

4 2a00:1450:4001:814::200e (Frankfurt am Main, Germany)

ASN15169 (GOOGLE - Google LLC, US)

www.google-analytics.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

4 34.201.194.177 (Ashburn, United States)

ASN14618 (AMAZON-AES - Amazon.com, Inc., US)
PTR: ec2-34-201-194-177.compute-1.amazonaws.com

lookups.rmulus.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 209.167.231.17 (United States) 2 redirects

ASN7160 (NETDYNAMICS - Oracle Corporation, US)
PTR: e017.en25.com

s1229.t.eloqua.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 104.111.241.32 (Netherlands)

ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US)
PTR: a104-111-241-32.deploy.static.akamaitechnologies.com

tags.bluekai.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a00:1450:400c:c00::9a (Brussels, Belgium) 1 redirects

ASN15169 (GOOGLE - Google LLC, US)

stats.g.doubleclick.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

10 2a00:1450:4001:821::2003 (Frankfurt am Main, Germany)

ASN15169 (GOOGLE - Google LLC, US)

www.google.de	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

9 2a00:1450:4001:818::2002 (Frankfurt am Main, Germany) 3 redirects

ASN15169 (GOOGLE - Google LLC, US)

googleads.g.doubleclick.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 143.204.101.126 (Seattle, United States)

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)
PTR: server-143-204-101-126.fra50.r.cloudfront.net

api.company-target.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 52.213.193.252 (Dublin, Ireland) 2 redirects

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)
PTR: ec2-52-213-193-252.eu-west-1.compute.amazonaws.com

match.prod.bidr.io	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 54.230.95.207 (Seattle, United States) 1 redirects

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)
PTR: server-54-230-95-207.fra2.r.cloudfront.net

segments.company-target.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 143.204.101.13 (Seattle, United States)

ASN16509 (AMAZON-02 - Amazon.com, Inc., US)
PTR: server-143-204-101-13.fra50.r.cloudfront.net

collect.rmulus.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a05:f500:11:101::b93f:9005 (Ireland)

ASN14413 (LINKEDIN - LinkedIn Corporation, US)

px.ads.linkedin.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
29	juniper.net 6 redirects forums.juniper.net www.juniper.net research.juniper.net	783 KB
21	google.com 5 redirects www.google.com cse.google.com clients1.google.com	267 KB
21	adobedtm.com assets.adobedtm.com	107 KB
15	doubleclick.net 6 redirects 5922977.fls.doubleclick.net 3872718.fls.doubleclick.net stats.g.doubleclick.net googleads.g.doubleclick.net	15 KB
10	google.de www.google.de	1 KB
10	rmulus.com secure.rmulus.com lookups.rmulus.com collect.rmulus.com	31 KB
10	twitter.com 1 redirects platform.twitter.com analytics.twitter.com	2 KB
10	lithium.com jnet.i.lithium.com	568 KB
9	t.co t.co	1 KB
8	facebook.net connect.facebook.net	391 KB
6	googletagmanager.com www.googletagmanager.com	187 KB
5	facebook.com www.facebook.com	246 B
4	company-target.com 1 redirects api.company-target.com segments.company-target.com	3 KB
4	google-analytics.com www.google-analytics.com	18 KB
4	ads-twitter.com static.ads-twitter.com	8 KB
4	fontawesome.com use.fontawesome.com	88 KB
3	googleadservices.com www.googleadservices.com	27 KB
3	omtrdc.net junipernetworks.d2.sc.omtrdc.net junipernetworks.tt.omtrdc.net	1 KB
3	demandbase.com scripts.demandbase.com api.demandbase.com	19 KB
3	demdex.net dpm.demdex.net junipernetworks.demdex.net	2 KB
3	webtype.com cloud.webtype.com pls.webtype.com	75 KB
3	googleapis.com ajax.googleapis.com fonts.googleapis.com www.googleapis.com	30 KB
2	linkedin.com px.ads.linkedin.com	172 B
2	bidr.io 2 redirects match.prod.bidr.io	752 B
2	eloqua.com 2 redirects s1229.t.eloqua.com	1 KB
2	adnxs.com 2 redirects secure.adnxs.com	2 KB
2	bootstrapcdn.com maxcdn.bootstrapcdn.com	29 KB
1	bluekai.com tags.bluekai.com	745 B
1	en25.com img.en25.com	3 KB
1	google.ca www.google.ca	7 KB
1	ml-api.io attr.ml-api.io	484 B
1	ml-attr.com 1 redirects s.ml-attr.com	277 B
1	everesttech.net 1 redirects cm.everesttech.net	527 B
177	33

	Domain	Requested by
21	assets.adobedtm.com	forums.juniper.net assets.adobedtm.com
18	www.google.com	5 redirects www.google.ca cse.google.com forums.juniper.net
13	forums.juniper.net	5 redirects forums.juniper.net
10	www.google.de	forums.juniper.net
10	www.juniper.net	1 redirects forums.juniper.net
10	jnet.i.lithium.com	forums.juniper.net use.fontawesome.com
9	googleads.g.doubleclick.net	3 redirects www.googleadservices.com
9	analytics.twitter.com	static.ads-twitter.com
9	t.co	forums.juniper.net static.ads-twitter.com
8	connect.facebook.net	assets.adobedtm.com connect.facebook.net forums.juniper.net
6	research.juniper.net	secure.rmulus.com research.juniper.net
6	www.googletagmanager.com	assets.adobedtm.com forums.juniper.net research.juniper.net
5	www.facebook.com	forums.juniper.net connect.facebook.net
4	lookups.rmulus.com	secure.rmulus.com
4	www.google-analytics.com	forums.juniper.net
4	secure.rmulus.com	assets.adobedtm.com secure.rmulus.com
4	static.ads-twitter.com	assets.adobedtm.com forums.juniper.net
4	use.fontawesome.com	forums.juniper.net use.fontawesome.com
3	www.googleadservices.com	www.googletagmanager.com
2	px.ads.linkedin.com	research.juniper.net
2	collect.rmulus.com	forums.juniper.net
2	segments.company-target.com	1 redirects forums.juniper.net
2	match.prod.bidr.io	2 redirects
2	api.company-target.com	scripts.demandbase.com
2	stats.g.doubleclick.net	1 redirects forums.juniper.net
2	s1229.t.eloqua.com	2 redirects
2	3872718.fls.doubleclick.net	1 redirects assets.adobedtm.com
2	5922977.fls.doubleclick.net	1 redirects assets.adobedtm.com
2	cse.google.com	forums.juniper.net www.google.com
2	secure.adnxs.com	2 redirects
2	junipernetworks.d2.sc.omtrdc.net	assets.adobedtm.com forums.juniper.net
2	scripts.demandbase.com	assets.adobedtm.com
2	dpm.demdex.net	assets.adobedtm.com forums.juniper.net
2	cloud.webtype.com	forums.juniper.net
2	maxcdn.bootstrapcdn.com	forums.juniper.net
1	tags.bluekai.com	forums.juniper.net
1	clients1.google.com	forums.juniper.net
1	www.googleapis.com	forums.juniper.net
1	img.en25.com	forums.juniper.net
1	junipernetworks.demdex.net	assets.adobedtm.com
1	pls.webtype.com	forums.juniper.net
1	junipernetworks.tt.omtrdc.net	assets.adobedtm.com
1	www.google.ca	forums.juniper.net
1	attr.ml-api.io	forums.juniper.net
1	s.ml-attr.com	1 redirects
1	platform.twitter.com	1 redirects
1	fonts.googleapis.com	forums.juniper.net
1	cm.everesttech.net	1 redirects
1	api.demandbase.com	assets.adobedtm.com
1	ajax.googleapis.com	forums.juniper.net
177	50

This site contains links to these domains. Also see Links.

Domain
www.juniper.net
my.juniper.net
pathfinder.juniper.net
kb.juniper.net
prsearch.juniper.net
entitlementsearch.juniper.net
productsearch.juniper.net
learningportal.juniper.net
userregistration.juniper.net
iam-sso.juniper.net
www.lithium.com
www.facebook.com
twitter.com
www.youtube.com
rss.juniper.net
www.linkedin.com

Subject Issuer	Validity	Valid
secure07.lithium.com DigiCert SHA2 High Assurance Server CA	`2019-08-16` - `2020-09-02`	a year	crt.sh
assets.adobedtm.com DigiCert SHA2 High Assurance Server CA	`2019-09-27` - `2021-10-01`	2 years	crt.sh
*.fontawesome.com DigiCert SHA2 Secure Server CA	`2018-09-17` - `2019-11-21`	a year	crt.sh
*.googleapis.com GTS CA 1O1	`2019-10-03` - `2019-12-26`	3 months	crt.sh
*.bootstrapcdn.com Sectigo RSA Domain Validation Secure Server CA	`2019-09-14` - `2020-10-13`	a year	crt.sh
*.i.lithium.com Go Daddy Secure Certificate Authority - G2	`2017-11-28` - `2020-01-28`	2 years	crt.sh
www.juniper.net DigiCert SHA2 Secure Server CA	`2019-05-17` - `2020-08-15`	a year	crt.sh
s1.wac.edgecastcdn.net DigiCert SHA2 Secure Server CA	`2018-11-05` - `2020-11-20`	2 years	crt.sh
*.demdex.net DigiCert SHA2 High Assurance Server CA	`2018-01-09` - `2021-02-12`	3 years	crt.sh
*.demandbase.com Go Daddy Secure Certificate Authority - G2	`2018-09-20` - `2020-11-19`	2 years	crt.sh
*.d2.sc.omtrdc.net DigiCert SHA2 High Assurance Server CA	`2019-04-23` - `2020-04-14`	a year	crt.sh
*.facebook.com DigiCert SHA2 High Assurance Server CA	`2019-09-22` - `2019-12-20`	3 months	crt.sh
ads-twitter.com DigiCert SHA2 High Assurance Server CA	`2019-08-14` - `2020-08-18`	a year	crt.sh
*.ml-api.io Amazon	`2019-02-22` - `2020-03-22`	a year	crt.sh
*.google.com GTS CA 1O1	`2019-10-03` - `2019-12-26`	3 months	crt.sh
*.tt.omtrdc.net DigiCert SHA2 High Assurance Server CA	`2017-10-19` - `2020-11-25`	3 years	crt.sh
t.co DigiCert SHA2 High Assurance Server CA	`2019-04-09` - `2020-04-01`	a year	crt.sh
*.webtype.com Sectigo RSA Domain Validation Secure Server CA	`2019-06-30` - `2021-07-12`	2 years	crt.sh
www.google.com GTS CA 1O1	`2019-10-03` - `2019-12-26`	3 months	crt.sh
*.google-analytics.com GTS CA 1O1	`2019-10-03` - `2019-12-26`	3 months	crt.sh
rmulus.com Amazon	`2019-04-23` - `2020-05-23`	a year	crt.sh
*.twitter.com DigiCert SHA2 High Assurance Server CA	`2019-04-09` - `2020-04-01`	a year	crt.sh
*.en25.com DigiCert SHA2 Secure Server CA	`2019-06-21` - `2020-08-19`	a year	crt.sh
*.doubleclick.net GTS CA 1O1	`2019-10-03` - `2019-12-26`	3 months	crt.sh
www.googleadservices.com GTS CA 1O1	`2019-10-03` - `2019-12-26`	3 months	crt.sh
odc-prod-01.oracle.com DigiCert ECC Secure Server CA	`2018-12-10` - `2020-03-10`	a year	crt.sh
*.g.doubleclick.net GTS CA 1O1	`2019-10-03` - `2019-12-26`	3 months	crt.sh
www.google.de GTS CA 1O1	`2019-10-03` - `2019-12-26`	3 months	crt.sh
*.company-target.com Go Daddy Secure Certificate Authority - G2	`2019-06-19` - `2021-08-18`	2 years	crt.sh
px.ads.linkedin.com DigiCert SHA2 Secure Server CA	`2019-05-29` - `2021-06-29`	2 years	crt.sh

This page contains 13 frames:

Primary Page: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Frame ID: F6891A4CE00B895A392F08731D396EFF
Requests: 118 HTTP requests in this frame

Frame: https://junipernetworks.demdex.net/dest5.html?d_nsid=0
Frame ID: 7CE4D21AE263921A2E1068FD538511EA
Requests: 1 HTTP requests in this frame

Frame: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5caeb27864746d4fde0010d0.html
Frame ID: 8B9A7E1F597DDE1D8BF1041D053C9BC0
Requests: 1 HTTP requests in this frame

Frame: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5d487bc864746d25bd00073a.html
Frame ID: 489DD825F1621D6B8949E300D6ED35C7
Requests: 1 HTTP requests in this frame

Frame: https://5922977.fls.doubleclick.net/activityi;dc_pre=COPm97S4reUCFdCA3godGKEBlg;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=2656885376668.787
Frame ID: 5B2140BA4129831C3A4E9973238B9C4D
Requests: 1 HTTP requests in this frame

Frame: https://3872718.fls.doubleclick.net/activityi;dc_pre=CJH89rS4reUCFY36dwodplMGuA;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=5530350572044.805
Frame ID: 2269561EC1548D577C7E1BC0786EE785
Requests: 1 HTTP requests in this frame

Frame: https://secure.rmulus.com/?_pevId=x6EmWOEL6OyACr3CNgUaa8BgLIQkgHGj-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=enabled&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dpgvw%26_pdataSource%3Dweb%26_pqStr%3Denabled%26jnpr_vID%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=pgvw&_pdataSource=web&jnpr_vID=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pidSource=secure.rmulus.com&_pidName=rmulusId&_pclIp=disabled&_plkpPrfl=disabled
Frame ID: F684D9E3677BD09F9B7CEFA2CF2818F8
Requests: 1 HTTP requests in this frame

Frame: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Frame ID: 32868EAA3AF6A5D695133B75605B4AA7
Requests: 24 HTTP requests in this frame

Frame: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Frame ID: 436DCAFD30ED006267A8A187ACFB431C
Requests: 26 HTTP requests in this frame

Frame: https://www.facebook.com/tr/
Frame ID: 8CEECA65E54EBD1A04C7F9DA32E189C2
Requests: 1 HTTP requests in this frame

Frame: https://www.facebook.com/tr/
Frame ID: 347058D539CA32FB075B843F309E9928
Requests: 1 HTTP requests in this frame

Frame: https://www.facebook.com/tr/
Frame ID: 0C24C247425643CEB6756962DCB4435C
Requests: 1 HTTP requests in this frame

Frame: https://www.facebook.com/tr/
Frame ID: 834603C8448F143F8C2724E5717AA098
Requests: 1 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Detected technologies

Bootstrap (Web Frameworks) Expand

Overall confidence: 100%
Detected patterns

html /<link[^>]+?href="[^"]*bootstrap(?:\.min)?\.css/i
script /(?:\/([\d.]+))?(?:\/js)?\/bootstrap(?:\.min)?\.js/i

Apache (Web Servers) Expand

Overall confidence: 100%
Detected patterns

headers server /(?:Apache(?:$|\/([\d.]+)|[^\/-])|(?:^|\b)HTTPD)/i

Adobe DTM (Tag Managers) Expand

Overall confidence: 100%
Detected patterns

script /\/\/assets.adobedtm.com\//i

Facebook (Widgets) Expand

Overall confidence: 100%
Detected patterns

script /\/\/connect\.facebook\.net\/[^\/]*\/[a-z]*\.js/i

Font Awesome (Font Scripts) Expand

Overall confidence: 100%
Detected patterns

html /<script[^>]* src=[^>]+fontawesome(?:\.js)?/i

Google Analytics (Analytics) Expand

Overall confidence: 100%
Detected patterns

script /google-analytics\.com\/(?:ga|urchin|analytics)\.js/i

jQuery (JavaScript Libraries) Expand

Overall confidence: 100%
Detected patterns

script /\/([\d.]+)\/jquery(?:\.min)?\.js/i
script /jquery.*\.js(?:\?ver(?:sion)?=([\d.]+))?/i

Page Statistics

177
Requests

100 %
HTTPS

35 %
IPv6

33
Domains

50
Subdomains

43
IPs

7
Countries

2651 kB
Transfer

9863 kB
Size

2
Cookies

76 Outgoing links

These are links going to different origins than the main page.

URL: https://www.juniper.net/us/en/
Title:

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/products-services/
Title: Products & Services

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/products-services/application-management-orchestration/
Title: Application Management & Orchestration

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/products-services/ipc/
Title: Identity and Policy Control

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/products-services/network-edge-services/
Title: Network Edge Services

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/products-services/network-management/
Title: Network Management

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/products-services/nos/
Title: Network Operating System

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/products-services/packet-optical/
Title: Packet Optical

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/products-services/routing/
Title: Routers

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/products-services/security/
Title: Security

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/products-services/sdn/
Title: Software Defined Networking

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/products-services/switching/
Title: Switches

Search URL Search Domain Scan URL

URL: https://www.juniper.net/support/eol/
Title: End of Life

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/solutions/
Title: Solutions

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/products-services/services/technical-services/
Title: Services

Search URL Search Domain Scan URL

URL: https://www.juniper.net/documentation/
Title: TechLibrary

Search URL Search Domain Scan URL

URL: https://www.juniper.net/documentation/en_US/design-and-architecture/
Title: Design & Architecture Center

Search URL Search Domain Scan URL

URL: https://www.juniper.net/customers/support/
Title: Support

Search URL Search Domain Scan URL

URL: https://my.juniper.net/saml/login?idp=https://iam-fed.juniper.net/fed/idp
Title: MyJuniper

Search URL Search Domain Scan URL

URL: https://www.juniper.net/casemanager/
Title: Your Open Cases

Search URL Search Domain Scan URL

URL: https://www.juniper.net/casemanager/#/rmas
Title: Your Open RMAs

Search URL Search Domain Scan URL

URL: https://www.juniper.net/casemanager/#/create
Title: Create a Case/RMA

Search URL Search Domain Scan URL

URL: https://www.juniper.net/support/requesting-support.html
Title: Contact Support

Search URL Search Domain Scan URL

URL: https://www.juniper.net/support/warranty/
Title: Product Warranty

Search URL Search Domain Scan URL

URL: https://www.juniper.net/support/downloads/group/?f=junos
Title: Junos

Search URL Search Domain Scan URL

URL: https://www.juniper.net/support/downloads/screenos.html
Title: ScreenOS

Search URL Search Domain Scan URL

URL: https://www.juniper.net/support/downloads/space.html
Title: Junos Space

Search URL Search Domain Scan URL

URL: https://www.juniper.net/support/downloads/
Title: All Downloads

Search URL Search Domain Scan URL

URL: https://pathfinder.juniper.net/home/
Title: Pathfinder

Search URL Search Domain Scan URL

URL: https://kb.juniper.net/
Title: Knowledge Base

Search URL Search Domain Scan URL

URL: https://www.juniper.net/support/downloads/serviceautomation/
Title: Service Now

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/products-services/network-management/junos-space-applications/service-insight/
Title: Service Insight

Search URL Search Domain Scan URL

URL: https://prsearch.juniper.net/
Title: Problem Report Search

Search URL Search Domain Scan URL

URL: https://www.juniper.net/svcreg/SRegSerialNum.jsp
Title: Register New Product

Search URL Search Domain Scan URL

URL: https://entitlementsearch.juniper.net/entitlementsearch/
Title: Serial Number Entitlement

Search URL Search Domain Scan URL

URL: https://productsearch.juniper.net/productsearch/
Title: Search Contracts/Products

Search URL Search Domain Scan URL

URL: https://www.juniper.net/ost/
Title: Order Status

Search URL Search Domain Scan URL

URL: https://www.juniper.net/lcrs/license.do
Title: Generate Product Licenses

Search URL Search Domain Scan URL

URL: https://www.juniper.net/lcrs/license.do?tab2
Title: Find License Keys

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/security/
Title: Security Intelligence

Search URL Search Domain Scan URL

URL: https://www.juniper.net/support/security/report_vulnerability.html
Title: Report a Vulnerability

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/training/
Title: Training

Search URL Search Domain Scan URL

URL: https://learningportal.juniper.net/juniper/user_courses.aspx
Title: Courses

Search URL Search Domain Scan URL

URL: https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=5357
Title: Learning Paths

Search URL Search Domain Scan URL

URL: https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=5798
Title: Getting Started

Search URL Search Domain Scan URL

URL: https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=5853
Title: Learning Bytes

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/training/certification/
Title: Certification

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/training/certification/getting-started/
Title: Getting Started

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/training/certification/exam_registration.page
Title: Exam Registration

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/training/open-learning/
Title: Juniper Open Learning

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/training/academicalliance/
Title: Academic Alliance

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/how-to-buy/
Title: How to Buy

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/how-to-buy/form/
Title: Contact Sales

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/how-to-buy/request-a-quote.page
Title: Request a Quote

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/partners/locator/
Title: Buy from a Local Partner

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/how-to-buy/contacts/
Title: Find a Sales Office

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/company/
Title: About Juniper

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/partners/
Title: Partners

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/community/social/
Title: Community

Search URL Search Domain Scan URL

URL: https://userregistration.juniper.net/entitlement/setupAccountInfo.do?returnurl=https%3A%2F%2Fforums.juniper.net%2F
Title: Register

Search URL Search Domain Scan URL

URL: https://iam-sso.juniper.net/oamfed/idp/initiatesso?providerid=https://forums.juniper.net/auth/saml&returnurl=https%3A%2F%2Fforums.juniper.net%2F
Title: Sign In

Search URL Search Domain Scan URL

URL: https://www.lithium.com/powered-by-lithium

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/feedback/
Title: Feedback

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/contact-us/
Title: Contact Us

Search URL Search Domain Scan URL

URL: https://www.facebook.com/JuniperNetworks/

Search URL Search Domain Scan URL

URL: https://twitter.com/JuniperNetworks/

Search URL Search Domain Scan URL

URL: https://www.youtube.com/junipernetworks

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/company/careers/
Title: Careers

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/company/press-center/images/
Title: Image Library

Search URL Search Domain Scan URL

URL: https://rss.juniper.net/
Title: RSS Feeds

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/company/corporate-responsibility/
Title: Corporate Responsibility

Search URL Search Domain Scan URL

URL: https://www.linkedin.com/company/juniper-networks

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/privacy-policy/
Title: Privacy Policy

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/legal-notices/
Title: Legal Notices

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/insights/
Title: Insights

Search URL Search Domain Scan URL

URL: https://www.juniper.net/us/en/site-map/
Title: Site Map

Search URL Search Domain Scan URL

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 10

https://www.juniper.net/techpubs/assets/css/style/style.min.css HTTP 301
https://www.juniper.net/documentation/assets/css/style/style.min.css

Request Chain 25

https://cm.everesttech.net/cm/dd?d_uuid=40611432642373395391657003048716690702 HTTP 302
https://dpm.demdex.net/ibs:dpid=411&dpuuid=Xa2wPgAAFBu0Yzx0

Request Chain 31

https://platform.twitter.com/oct.js HTTP 301
https://static.ads-twitter.com/oct.js

Request Chain 32

https://s.ml-attr.com/getuid?https%3a%2f%2fattr.ml-api.io%2f%3fdomain%3djuniper.net%26pId%3d%24UID HTTP 302
https://secure.adnxs.com/getuid?https%3a%2f%2fattr.ml-api.io%2f%3fdomain%3djuniper.net%26pId%3d%24UID HTTP 302
https://secure.adnxs.com/bounce?%2Fgetuid%3Fhttps%253a%252f%252fattr.ml-api.io%252f%253fdomain%253djuniper.net%2526pId%253d%2524UID HTTP 302
https://attr.ml-api.io/?domain=juniper.net&pId=4919953082322347275

Request Chain 47

https://forums.juniper.net/assets/scripts/jnpr.min.js HTTP 301
https://forums.juniper.net/html/assets/scripts/jnpr.min.js

Request Chain 48

https://forums.juniper.net/assets/scripts/footer-injection.js HTTP 301
https://forums.juniper.net/html/assets/scripts/footer-injection.js

Request Chain 57

https://www.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm HTTP 302
https://cse.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm

Request Chain 64

https://forums.juniper.net/assets/svg/png/twitter.png HTTP 301
https://forums.juniper.net/html/assets/svg/png/twitter.png

Request Chain 65

https://forums.juniper.net/assets/svg/png/youtube.png HTTP 301
https://forums.juniper.net/html/assets/svg/png/youtube.png

Request Chain 66

https://forums.juniper.net/assets/svg/linkedin-circle.svg HTTP 301
https://forums.juniper.net/html/assets/svg/linkedin-circle.svg

Request Chain 98

https://5922977.fls.doubleclick.net/activityi;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=2656885376668.787 HTTP 302
https://5922977.fls.doubleclick.net/activityi;dc_pre=COPm97S4reUCFdCA3godGKEBlg;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=2656885376668.787

Request Chain 99

https://3872718.fls.doubleclick.net/activityi;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=5530350572044.805 HTTP 302
https://3872718.fls.doubleclick.net/activityi;dc_pre=CJH89rS4reUCFY36dwodplMGuA;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=5530350572044.805

Request Chain 104

https://s1229.t.eloqua.com/visitor/v200/svrGP?pps=3&siteid=1229&ref2=elqNone&tzo=-60&ms=99&optin=disabled HTTP 302
https://s1229.t.eloqua.com/visitor/v200/svrGP.aspx?pps=3&siteid=1229&ref2=elqNone&tzo=-60&ms=99&optin=disabled&elqCookie=1 HTTP 302
https://tags.bluekai.com/site/37366?vid=679a745650d24cc085eb77d8965b2862

Request Chain 110

https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3&v=1&_v=j79&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&gjid=1638796004&_gid=1491227351.1571663936&_u=YGDAgEAB~&z=358956172 HTTP 302
https://www.google.com/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&_v=j79&z=358956172 HTTP 302
https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&_v=j79&z=358956172&slf_rd=1&random=1075004916

Request Chain 114

https://match.prod.bidr.io/cookie-sync/demandbase HTTP 303
https://match.prod.bidr.io/cookie-sync/demandbase?_bee_ppp=1 HTTP 303
https://segments.company-target.com/log?vendor=choca&user_id=AAIRN067W2EAAD8-oGx-9g HTTP 303
https://segments.company-target.com/validateCookie?vendor=choca&user_id=AAIRN067W2EAAD8-oGx-9g&verifyHash=c98c9f6f68c4dea536d7f502bae74584fd247a32

Request Chain 156

https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663937200&cv=9&fst=1571663937200&num=1&fmt=3&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1 HTTP 302
https://www.google.com/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3031433607&resp=GooglemKTybQhCsO HTTP 302
https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3031433607&resp=GooglemKTybQhCsO&ipr=y

Request Chain 157

https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663937200&cv=9&fst=1571663937200&num=1&fmt=3&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1 HTTP 302
https://www.google.com/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=2817242393&resp=GooglemKTybQhCsO HTTP 302
https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=2817242393&resp=GooglemKTybQhCsO&ipr=y

Request Chain 161

https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663937204&cv=9&fst=1571663937204&num=1&fmt=3&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1 HTTP 302
https://www.google.com/pagead/1p-user-list/956680084/?random=1571663937204&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3590609516&resp=GooglemKTybQhCsO HTTP 302
https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937204&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3590609516&resp=GooglemKTybQhCsO&ipr=y

177 HTTP transactions
1 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H/1.1 404
Not Found Primary Request Cookie set Masad-Stealer-Exfiltrating-using-Telegram Show response
forums.juniper.net/t5/Threat-Research/ 65 KB
66 KB 1058ms
408ms Document
text/html 208.74.207.25
NeuStar

General

Check archive.org

Show headers Download Go to

Full URL

https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),

Reverse DNS

jnet.lithium.com

Software

Apache /

Resource Hash

3236d2dc701f583a81401e777323e8026c6342c1e5bb5ac7fb9262f929227b1c

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Host: forums.juniper.net
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1

Response headers

Date: Mon, 21 Oct 2019 13:18:53 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000;includeSubDomains
Set-Cookie: LiSESSIONID=C259BB5C9CBBBF2313D1748661C1D818; Path=/; Secure; HttpOnly LithiumUserInfo=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ LithiumUserSecure=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/ LithiumVisitor=~2YWLl8CzxoslPBgdv~tD2x-39eeRDXC2ihZPAzYN7E2fFY-ORgz2n_u4Eic3dgIRxAEdEMBbqYhrkokQCP3ac4Fb0xDl1GoT1WRZOMTQ..; Expires=Thu, 18-Oct-2029 13:18:53 GMT; Path=/; HttpOnly
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate, private
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8

GET
H2 200 satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/ 216 KB
55 KB 21ms
6ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: 0620feb9ea1ef87a0f1fd0df37a90ef556afb630b3360be72266f4f505dc42b4

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:53 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:22 GMT
server: AkamaiNetStorage
etag: "9188a98a6ce424d358bd2e480f5360ce:1571335282.099072"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 55978
expires: Mon, 21 Oct 2019 14:18:53 GMT

GET
H2 200 878544ee83.js Show response
use.fontawesome.com/ 9 KB
4 KB 57ms
5ms Script
text/javascript 23.111.9.35
Highwinds Network...

General

Check archive.org

Show headers Download Go to

Full URL: https://use.fontawesome.com/878544ee83.js
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 23.111.9.35 Phoenix, United States, ASN33438 (HIGHWINDS2 - Highwinds Network Group, Inc., US),
Reverse DNS
Software: NetDNA-cache/2.2 /
Resource Hash: 79e16119ceda988947279eb9addd1869b4270af3967b69ec9e09713ae4b6572b

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:53 GMT
content-encoding: gzip
last-modified: Thu, 06 Jul 2017 20:04:23 GMT
server: NetDNA-cache/2.2
x-amz-request-id: 0D6A6C1A102791EB
etag: W/"734c7204bf19e6c6fe89c31ce2ed51a6"
x-cache: HIT
content-type: text/javascript
status: 200
cache-control: max-age=0, private, must-revalidate
x-amz-id-2: jg4RW35GqIb0JSj/rzJU56zTW1OK3NoDhiaHngE7bDzAnxLFA8xyca81EuYdw+GxW22aCIxf7vM=

GET
H2 200 jquery.min.js Show response
ajax.googleapis.com/ajax/libs/jquery/2.1.4/ 82 KB
29 KB 8ms
5ms Script
text/javascript 2a00:1450:4001:820::200a
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:820::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

sffe /

Resource Hash

22642f202577f0ba2f22cbe56b6cf291a09374487567cd3563e0d2a29f75c0c5

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Fri, 11 Oct 2019 10:01:17 GMT
content-encoding: gzip
x-content-type-options: nosniff
age: 875856
status: 200
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 29725
x-xss-protection: 0
last-modified: Tue, 20 Dec 2016 18:17:03 GMT
server: sffe
vary: Accept-Encoding
content-type: text/javascript; charset=UTF-8
access-control-allow-origin: *
cache-control: public, max-age=31536000, stale-while-revalidate=2592000
accept-ranges: bytes
timing-allow-origin: *
expires: Sat, 10 Oct 2020 10:01:17 GMT

GET
H2 200 bootstrap.min.css
maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/ 118 KB
19 KB 9ms
8ms Stylesheet
text/css 2001:4de0:ac19::1:b:2a
Highwinds Network...

General

Check archive.org

Show headers Download Go to

Full URL: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2001:4de0:ac19::1:b:2a , Netherlands, ASN20446 (HIGHWINDS3 - Highwinds Network Group, Inc., US),
Reverse DNS
Software: /
Resource Hash: f75e846cc83bd11432f4b1e21a45f31bc85283d11d372f7b19accd1bf6a2635c

Request headers

Sec-Fetch-Mode: cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Origin: https://forums.juniper.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:53 GMT
content-encoding: gzip
last-modified: Wed, 12 Dec 2018 18:34:07 GMT
status: 200
etag: "1544639647"
vary: Accept-Encoding
x-cache: HIT
content-type: text/css; charset=utf-8
access-control-allow-origin: *
cache-control: public, max-age=31536000
x-hello-human: Say hello back! @getBootstrapCDN on Twitter
accept-ranges: bytes
timing-allow-origin: *
content-length: 19740

GET
H2 200 bootstrap.min.js Show response
maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/ 36 KB
10 KB 10ms
9ms Script
text/javascript 2001:4de0:ac19::1:b:2a
Highwinds Network...

General

Check archive.org

Show headers Download Go to

Full URL: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2001:4de0:ac19::1:b:2a , Netherlands, ASN20446 (HIGHWINDS3 - Highwinds Network Group, Inc., US),
Reverse DNS
Software: /
Resource Hash: 53964478a7c634e8dad34ecc303dd8048d00dce4993906de1bacf67f663486ef

Request headers

Sec-Fetch-Mode: cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Origin: https://forums.juniper.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:53 GMT
content-encoding: gzip
last-modified: Wed, 12 Dec 2018 18:33:51 GMT
status: 200
etag: "1544639631"
vary: Accept-Encoding
x-cache: HIT
content-type: text/javascript; charset=utf-8
access-control-allow-origin: *
cache-control: public, max-age=31536000
x-hello-human: Say hello back! @getBootstrapCDN on Twitter
accept-ranges: bytes
timing-allow-origin: *
content-length: 9832

GET
H2 200 juniperresponsive.css
jnet.i.lithium.com/skins/3844011/78d9481934a9081393f958263d2558df/ 2 MB
236 KB 42ms
7ms Stylesheet
text/css 93.184.220.97
MCI Communication...

General

Check archive.org

Show headers Download Go to

Full URL

https://jnet.i.lithium.com/skins/3844011/78d9481934a9081393f958263d2558df/juniperresponsive.css

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),

Reverse DNS

Software

ECS (fcn/41D8) /

Resource Hash

d2474340ff2bb92f87a9ff9df68cd9bb04ec042a4af464d42d76ad69d9b2a67d

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:53 GMT
content-encoding: gzip
last-modified: Sat, 14 Sep 2019 01:41:53 GMT
server: ECS (fcn/41D8)
vary: Accept-Encoding
x-cache: HIT
content-type: text/css;charset=UTF-8
status: 200
cache-control: s-maxage=582093
strict-transport-security: max-age=31536000;includeSubDomains
accept-ranges: bytes
content-length: 241472
expires: Tue, 20 Oct 2020 13:18:53 GMT

GET
H2 200 vtoolkit-extras.css
www.juniper.net/us/en/community/css/ 4 KB
2 KB 59ms
6ms Stylesheet
text/css 2a02:26f0:10:2a9::720
AKAMAI-ASN1

General

Check archive.org

Show headers Download Go to

Full URL

https://www.juniper.net/us/en/community/css/vtoolkit-extras.css

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),

Reverse DNS

Software

Apache /

Resource Hash

626ef4978a3758ced595afe37b89812432ef49fe3f967d2cd8e1321459b3a9b8

Security Headers

Name	Value
Content-Security-Policy	upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
Strict-Transport-Security	max-age=31536000
X-Xss-Protection	1; mode=block

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

content-security-policy: upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
content-encoding: gzip
vary: Accept-Encoding
status: 200
strict-transport-security: max-age=31536000
content-length: 1365
x-xss-protection: 1; mode=block
x-ua-compatible: IE=edge,chrome=1
last-modified: Tue, 16 Sep 2014 23:06:53 GMT
server: Apache
date: Mon, 21 Oct 2019 13:18:53 GMT
access-control-max-age: 1000
access-control-allow-methods: POST, GET, OPTIONS, PUT
content-type: text/css
access-control-allow-origin: *
cache-control: public, max-age=37506
access-control-allow-headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token

GET
H2 200 grunticon.loader.js Show response
www.juniper.net/assets/svg/ 804 B
1001 B 60ms
7ms Script
application/javascript 2a02:26f0:10:2a9::720
AKAMAI-ASN1

General

Check archive.org

Show headers Download Go to

Full URL

https://www.juniper.net/assets/svg/grunticon.loader.js

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),

Reverse DNS

Software

Apache /

Resource Hash

b1110f2c7ae9f0a22977c4df6431fdfef92d1e8223f9734713e57aeb2ee96fcf

Security Headers

Name	Value
Content-Security-Policy	upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
Strict-Transport-Security	max-age=31536000
X-Xss-Protection	1; mode=block

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

content-security-policy: upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
content-encoding: gzip
vary: Accept-Encoding
status: 200
strict-transport-security: max-age=31536000
content-length: 514
x-xss-protection: 1; mode=block
x-ua-compatible: IE=edge,chrome=1
last-modified: Mon, 02 Oct 2017 07:57:28 GMT
server: Apache
date: Mon, 21 Oct 2019 13:18:53 GMT
access-control-max-age: 1000
access-control-allow-methods: POST, GET, OPTIONS, PUT
content-type: application/javascript
access-control-allow-origin: *
cache-control: public, max-age=83100
accept-ranges: bytes
access-control-allow-headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token

GET
H2 200 lib.min.js Show response
www.juniper.net/assets/library/ 202 KB
65 KB 61ms
8ms Script
application/javascript 2a02:26f0:10:2a9::720
AKAMAI-ASN1

General

Check archive.org

Show headers Download Go to

Full URL

https://www.juniper.net/assets/library/lib.min.js

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),

Reverse DNS

Software

Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43 /

Resource Hash

eec3860fdc0bff086a73a04051948c4e76ea29a6b61eaa870083739555b83f64

Security Headers

Name	Value
Content-Security-Policy	upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
Strict-Transport-Security	max-age=31536000
X-Xss-Protection	1; mode=block

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

content-security-policy: upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
content-encoding: gzip
vary: Accept-Encoding
status: 200
strict-transport-security: max-age=31536000
content-length: 66076
x-xss-protection: 1; mode=block
x-ua-compatible: IE=edge,chrome=1
last-modified: Mon, 02 Oct 2017 07:57:27 GMT
server: Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43
date: Mon, 21 Oct 2019 13:18:53 GMT
access-control-max-age: 1000
access-control-allow-methods: POST, GET, OPTIONS, PUT
content-type: application/javascript
access-control-allow-origin: *
cache-control: public, max-age=160920
accept-ranges: bytes
access-control-allow-headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token

GET
H2 200 jnpr.min.js Show response
www.juniper.net/assets/scripts/ 339 KB
103 KB 66ms
14ms Script
application/javascript 2a02:26f0:10:2a9::720
AKAMAI-ASN1

General

Check archive.org

Show headers Download Go to

Full URL

https://www.juniper.net/assets/scripts/jnpr.min.js

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),

Reverse DNS

Software

Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43 /

Resource Hash

2c9f1c57bc31c65cdb84a1c44c0c91fc88799512fd87c5bc6e52b21f69abd5d0

Security Headers

Name	Value
Content-Security-Policy	upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
Strict-Transport-Security	max-age=31536000
X-Xss-Protection	1; mode=block

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

content-security-policy: upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
content-encoding: gzip
vary: Accept-Encoding
status: 200
strict-transport-security: max-age=31536000
content-length: 104943
x-xss-protection: 1; mode=block
x-ua-compatible: IE=edge,chrome=1
last-modified: Fri, 09 Nov 2018 18:57:29 GMT
server: Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43
date: Mon, 21 Oct 2019 13:18:53 GMT
access-control-max-age: 1000
access-control-allow-methods: POST, GET, OPTIONS, PUT
content-type: application/javascript
access-control-allow-origin: *
cache-control: public, max-age=66828
accept-ranges: bytes
access-control-allow-headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token

GET
H2

200

style.min.css
www.juniper.net/documentation/assets/css/style/
Redirect Chain

https://www.juniper.net/techpubs/assets/css/style/style.min.css
https://www.juniper.net/documentation/assets/css/style/style.min.css

2 MB
405 KB

315ms
314ms

Stylesheet
text/css

2a02:26f0:10:2a9::720
AKAMAI-ASN1

General

Check archive.org

Show headers Download Go to

Full URL

https://www.juniper.net/documentation/assets/css/style/style.min.css

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),

Reverse DNS

Software

Apache /

Resource Hash

79340c32d5422c3331db60c78f9854b0d9c0a9bd0f9c454b7398734c1b990658

Security Headers

Name	Value
Content-Security-Policy	upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
Strict-Transport-Security	max-age=31536000
X-Xss-Protection	1; mode=block

Request headers

Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

content-security-policy: upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
content-encoding: gzip
vary: Accept-Encoding
status: 200
strict-transport-security: max-age=31536000
x-xss-protection: 1; mode=block
x-ua-compatible: IE=edge,chrome=1
last-modified: Mon, 17 Oct 2016 23:30:57 GMT
server: Apache
date: Mon, 21 Oct 2019 13:18:54 GMT
access-control-max-age: 1000
access-control-allow-methods: POST, GET, OPTIONS, PUT
content-type: text/css
access-control-allow-origin: *
cache-control: max-age=259200, public
access-control-allow-headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token

Redirect headers

content-security-policy: upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
access-control-allow-origin: *
status: 301
strict-transport-security: max-age=31536000
content-length: 275
x-xss-protection: 1; mode=block
x-ua-compatible: IE=edge,chrome=1
server: Apache
date: Mon, 21 Oct 2019 13:18:54 GMT
access-control-max-age: 1000
access-control-allow-methods: POST, GET, OPTIONS, PUT
content-type: text/html; charset=iso-8859-1
location: https://www.juniper.net/documentation/assets/css/style/style.min.css
cache-control: max-age=5
accept-ranges: bytes
access-control-allow-headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token
expires: Mon, 21 Oct 2019 13:18:58 GMT

GET
H2 200 05cb80fc-3221-476f-983d-76dfa0b1370c.css
cloud.webtype.com/css/ 38 KB
9 KB 28ms
7ms Stylesheet
text/css 93.184.220.41
MCI Communication...

General

Check archive.org

Show headers Download Go to

Full URL: https://cloud.webtype.com/css/05cb80fc-3221-476f-983d-76dfa0b1370c.css
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 93.184.220.41 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),
Reverse DNS
Software: ECS (fcn/418E) /
Resource Hash: 3eadffc329fb1c32ee10e809962cb4114a71d92b0f30db0b9ba9bef6abc91015

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:59 GMT
content-encoding: gzip
last-modified: Wed, 31 Jan 2018 08:43:22 GMT
server: ECS (fcn/418E)
status: 200
etag: "870837579"
vary: Accept-Encoding
x-cache: HIT
content-type: text/css
access-control-allow-origin: *
cache-control: max-age=604800
accept-ranges: bytes
content-length: 8995
expires: Mon, 28 Oct 2019 13:18:59 GMT

GET
H/1.1 200
OK id Show response
dpm.demdex.net/ 374 B
1 KB 31ms
30ms XHR
application/json 52.30.78.155
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL

https://dpm.demdex.net/id?d_visid_ver=3.1.2&d_fieldgroup=MC&d_rtbd=json&d_ver=2&d_orgid=D206123F524450F50A490D45%40AdobeOrg&d_nsid=0&ts=1571663933960

Requested by

Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

52.30.78.155 Dublin, Ireland, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),

Reverse DNS

ec2-52-30-78-155.eu-west-1.compute.amazonaws.com

Software

Resource Hash

0eb2263b102275bbff7847e76a3668c516c2db3d2f6523b94259525ab8124a4b

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains

Request headers

Sec-Fetch-Mode: cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Type: application/x-www-form-urlencoded

Response headers

DCS: dcs-prod-irl1-v048-090367e9c.edge-irl1.demdex.com 5.61.0.20191015084456 2ms (+0ms)
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Encoding: gzip
X-TID: ViWKxQ6WTVQ=
Vary: Origin, Accept-Encoding, User-Agent
P3P: policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT"
Access-Control-Allow-Origin: https://forums.juniper.net
Cache-Control: no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private
Access-Control-Allow-Credentials: true
Connection: keep-alive
Content-Type: application/json;charset=utf-8
Content-Length: 310
Expires: Thu, 01 Jan 1970 00:00:00 GMT

GET
H2 200 mbox-contents-ba151bac91f2b7214d881fb194e167b525fadece.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/ 74 KB
27 KB 11ms
11ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/mbox-contents-ba151bac91f2b7214d881fb194e167b525fadece.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: 9912c03b52a7cb0fc11bde58e200010eca671219552929b31be4c2e26c0e10c3

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"

Response headers

date: Mon, 21 Oct 2019 13:18:53 GMT
content-encoding: gzip
last-modified: Wed, 16 Oct 2019 15:57:41 GMT
server: AkamaiNetStorage
etag: "b8f6521187f987f1e079c5d7031aabec:1571241461.429591"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 27369
expires: Mon, 21 Oct 2019 14:18:53 GMT

GET
H2 200 satellite-57b12a8364746d4d41000291.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 3 KB
1 KB 10ms
10ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-57b12a8364746d4d41000291.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: e8a8cd48f7f93a8c8d708eda1f3f9c6ddd886c3f6c38eee67aeac98897b09510

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"

Response headers

date: Mon, 21 Oct 2019 13:18:53 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:28 GMT
server: AkamaiNetStorage
etag: "3b522f8dca2496b57a53408a29d518bb:1571335288.312743"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 984
expires: Mon, 21 Oct 2019 14:18:53 GMT

GET
H2 200 wRPiG49f.min.js Show response
scripts.demandbase.com/adobeanalytics/ 5 KB
2 KB 23ms
6ms Script
application/javascript 13.224.196.121
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://scripts.demandbase.com/adobeanalytics/wRPiG49f.min.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 13.224.196.121 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-13-224-196-121.fra2.r.cloudfront.net
Software: AmazonS3 /
Resource Hash: 640ab2801ebaaac35a628d23dfe09caac3ba92b4ad30519a876620e1e8505b7b

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

x-amz-version-id: urW4QnYue10YN_dcWsUElf7M0TP7x_nm
content-encoding: gzip
last-modified: Mon, 14 Oct 2019 21:05:25 GMT
server: AmazonS3
age: 8033
date: Mon, 21 Oct 2019 11:05:01 GMT
vary: Accept-Encoding
x-cache: Hit from cloudfront
content-type: application/javascript
status: 200
x-amz-cf-pop: FRA2-C1
x-amz-cf-id: SbCmSgPPBpLQcD0wncmzs8RUT4_W1DMDwcltw4FmpUfSGl4mQ5yWCg==
via: 1.1 172e63b20fb363ed969de28ae3937e21.cloudfront.net (CloudFront)

GET
H/1.1 200
OK ip.json Show response
api.demandbase.com/api/v2/ 445 B
885 B 96ms
80ms Script
application/javascript 13.225.78.27
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://api.demandbase.com/api/v2/ip.json?key=364bbfa27ca300ef9638e9d163c1fb03&callback=Dmdbase_CDC.callback
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 13.225.78.27 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-13-225-78-27.fra2.r.cloudfront.net
Software: nginx /
Resource Hash: 2381b47f8892f725ff4cc6758375a338efbea0fc9178e18c8c97ee4d8d1d290c

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date: Mon, 21 Oct 2019 13:18:54 GMT
Content-Encoding: gzip
X-Amz-Cf-Pop: FRA2-C2
X-Cache: Miss from cloudfront
Connection: keep-alive
Request-ID: dad73653-ed19-4e0a-b5dc-9d7b325aec2e
Content-Length: 246
Pragma: no-cache
Server: nginx
Vary: Accept-Encoding, Origin
Content-Type: application/javascript;charset=utf-8
Via: 1.1 1e498d046330e15095a1a2a958463bf5.cloudfront.net (CloudFront)
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Identification-Source: CENTRAL
Api-Version: v2
X-Amz-Cf-Id: -ppVotJFgeVrQDS96DSCzcu3BC1ml1i3N2HtAxagZtoiLAV5ThHHRQ==
Expires: Sun, 20 Oct 2019 13:18:54 GMT

GET
H2 200 satellite-5bd31e9364746d6b860045a0.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 883 B
679 B 10ms
9ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5bd31e9364746d6b860045a0.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: 179f42988ae4cab77687b27656fc69ab3fa07efbcf6279ac1bef85ac0688e69d

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"

Response headers

date: Mon, 21 Oct 2019 13:18:53 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:25 GMT
server: AkamaiNetStorage
etag: "b3998ca07afe5ed1d91aa042d31218db:1571335285.266836"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 434
expires: Mon, 21 Oct 2019 14:18:53 GMT

GET
H2 200 satellite-57d9c57464746d4d3e010a86.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 2 KB
1001 B 10ms
10ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-57d9c57464746d4d3e010a86.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: 7ee39e6b76207efc841a6882a2af5241490e1a2161c4e13790f78fb4dbfdde28

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"

Response headers

date: Mon, 21 Oct 2019 13:18:53 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:24 GMT
server: AkamaiNetStorage
etag: "458ad1cb95d004fd440d76d56ca277df:1571335284.729373"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 755
expires: Mon, 21 Oct 2019 14:18:53 GMT

GET
H2 200 satellite-58a48a3864746d025c00d79f.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 156 B
373 B 11ms
10ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-58a48a3864746d025c00d79f.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: 7da66ec546c027bfe5b9ca59aa2225cfaa5f0d68f96801f31186878c0fa853f8

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"

Response headers

date: Mon, 21 Oct 2019 13:18:53 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:24 GMT
server: AkamaiNetStorage
etag: "bbf4e24515459a70357a852ca14861ff:1571335284.953002"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 129
expires: Mon, 21 Oct 2019 14:18:53 GMT

GET
H2 200 satellite-5cb8c2a664746d2308000a38.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 628 B
673 B 6ms
6ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5cb8c2a664746d2308000a38.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: c74679537a89890b260d93e19aad5f4cc95a230623a945ffcc3d981fc13a1adf

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:23 GMT
server: AkamaiNetStorage
etag: "d0c9f868e386e1a9e35ae77ce39994c4:1571335283.733684"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 427
expires: Mon, 21 Oct 2019 14:18:54 GMT

GET
H2 200 satellite-5ced369c64746d5ad2000705.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 802 B
663 B 6ms
6ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5ced369c64746d5ad2000705.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: 3e84bcc6469e170029339c0b60b522671ca5d4298578308ec882df95f7badd9c

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:23 GMT
server: AkamaiNetStorage
etag: "95e1885cf743f564cb30ce957416ea37:1571335283.968406"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 417
expires: Mon, 21 Oct 2019 14:18:54 GMT

GET
H2 200 satellite-5da0c41564746d1a08001540.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 421 B
515 B 6ms
6ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5da0c41564746d1a08001540.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: e28195ef556c2e1f2d22ff939f487f10a32e608255bbd541be3eda5883b414c3

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:24 GMT
server: AkamaiNetStorage
etag: "c6bf9762b7fcef23638a4087e99a0057:1571335284.374693"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 270
expires: Mon, 21 Oct 2019 14:18:54 GMT

GET
H2 200 lia-scripts-head-min.js Show response
jnet.i.lithium.com/t5/scripts/572EC0AEEDB9258EC5107B121EC8036F/ 12 KB
4 KB 314ms
313ms Script
text/javascript 93.184.220.97
MCI Communication...

General

Check archive.org

Show headers Download Go to

Full URL

https://jnet.i.lithium.com/t5/scripts/572EC0AEEDB9258EC5107B121EC8036F/lia-scripts-head-min.js

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),

Reverse DNS

Software

Apache /

Resource Hash

1bc61ec53e5af2299b45821748c5d3984ed56fa406cd1c49531ef1d25bdc30ce

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
last-modified: Fri, 20 Sep 2019 20:35:44 GMT
server: Apache
vary: Accept-Encoding
x-cache: HIT
content-type: text/javascript;charset=UTF-8
status: 200
cache-control: s-maxage=18
strict-transport-security: max-age=31536000;includeSubDomains
accept-ranges: bytes
content-length: 4088
expires: Sat, 19 Sep 2020 20:37:21 GMT

GET
H2 200 id Show response
junipernetworks.d2.sc.omtrdc.net/ 3 B
311 B 114ms
28ms XHR
application/x-javascript 52.49.100.189
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL

https://junipernetworks.d2.sc.omtrdc.net/id?d_visid_ver=3.1.2&d_fieldgroup=A&mcorgid=D206123F524450F50A490D45%40AdobeOrg&mid=35836098749383461002240898189079157993&ts=1571663934002

Requested by

Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

52.49.100.189 Dublin, Ireland, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),

Reverse DNS

ec2-52-49-100-189.eu-west-1.compute.amazonaws.com

Software

jag /

Resource Hash

ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	1; mode=block

Request headers

Sec-Fetch-Mode: cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Content-Type: application/x-www-form-urlencoded

Response headers

status: 200
date: Mon, 21 Oct 2019 13:18:53 GMT
x-content-type-options: nosniff
server: jag
xserver: anedge-64d5676c7b-7x6j4
vary: Origin
x-c: master-1047.I1d1c81.M0-302
p3p: CP="This is not a P3P policy"
access-control-allow-origin: https://forums.juniper.net
cache-control: no-cache, no-store, max-age=0, no-transform, private
access-control-allow-credentials: true
content-type: application/x-javascript
content-length: 3
x-xss-protection: 1; mode=block

GET
H/1.1

200
OK

ibs:dpid=411&dpuuid=Xa2wPgAAFBu0Yzx0
dpm.demdex.net/
Redirect Chain

https://cm.everesttech.net/cm/dd?d_uuid=40611432642373395391657003048716690702
https://dpm.demdex.net/ibs:dpid=411&dpuuid=Xa2wPgAAFBu0Yzx0

42 B
840 B

32ms
31ms

Image
image/gif

52.30.78.155
Amazon.com

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://dpm.demdex.net/ibs:dpid=411&dpuuid=Xa2wPgAAFBu0Yzx0

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

52.30.78.155 Dublin, Ireland, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),

Reverse DNS

ec2-52-30-78-155.eu-west-1.compute.amazonaws.com

Software

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains

Request headers

Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

DCS: dcs-prod-irl1-v048-08ea54992.edge-irl1.demdex.com 5.61.0.20191015084456 2ms (+1ms)
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-TID: ulkwp4K0Sds=
P3P: policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT"
Cache-Control: no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private
Connection: keep-alive
Content-Type: image/gif
Content-Length: 42
Expires: Thu, 01 Jan 1970 00:00:00 GMT

Redirect headers

Date: Mon, 21 Oct 2019 13:18:53 GMT
Server: AMO-cookiemap/1.1
P3P: CP="NOI NID DEVa PSAa PSDa OUR IND PUR COM NAV INT DEM"
Location: https://dpm.demdex.net/ibs:dpid=411&dpuuid=Xa2wPgAAFBu0Yzx0
Cache-Control: no-cache
Connection: Keep-Alive
Keep-Alive: timeout=15,max=100
Content-Length: 0

GET
H2 200 fbevents.js Show response
connect.facebook.net/en_US/ 103 KB
22 KB 6ms
6ms Script
application/x-javascript 2a03:2880:f01c:8012:face:b00c:0:3
Facebook

General

Check archive.org

Show headers Download Go to

Full URL

https://connect.facebook.net/en_US/fbevents.js

Requested by

Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5cb8c2a664746d2308000a38.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),

Reverse DNS

Software

Resource Hash

9404cee30e4489a7ed4d6de2dd92aa8e4386fd5ff1c81ebcea77f581952eac31

Security Headers

Name	Value
Content-Security-Policy	default-src * data: blob:;script-src .facebook.com .fbcdn.net .facebook.net .google-analytics.com .virtualearth.net .google.com 127.0.0.1:* .spotilocal.com: 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' ;connect-src .facebook.com facebook.com .fbcdn.net .facebook.net .spotilocal.com: wss://.facebook.com: https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
Strict-Transport-Security	max-age=31536000; preload; includeSubDomains
X-Content-Type-Options	nosniff
X-Frame-Options	DENY
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; preload; includeSubDomains
content-encoding: gzip
x-content-type-options: nosniff
status: 200
alt-svc: h3-23=":443"; ma=3600
content-length: 22458
x-xss-protection: 0
pragma: public
x-fb-debug: 9LbhJYzqUafrwz9qmZ4HDRNhb8q7fXt1MM5ApUMTvvWp3Z9QWj/E8lrNHMBcR5YK5sgLb/VAFeVgDSTd9xFQ7g==
x-fb-trip-id: 1850256238
x-frame-options: DENY
date: Mon, 21 Oct 2019 13:18:54 GMT
vary: Accept-Encoding
content-type: application/x-javascript; charset=utf-8
cache-control: public, max-age=1200
content-security-policy: default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
expires: Sat, 01 Jan 2000 00:00:00 GMT

GET
H2 200 878544ee83.css
use.fontawesome.com/ 1 KB
684 B 6ms
6ms Stylesheet
text/css 23.111.9.35
Highwinds Network...

General

Check archive.org

Show headers Download Go to

Full URL: https://use.fontawesome.com/878544ee83.css
Requested by: Host: use.fontawesome.com
URL: https://use.fontawesome.com/878544ee83.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 23.111.9.35 Phoenix, United States, ASN33438 (HIGHWINDS2 - Highwinds Network Group, Inc., US),
Reverse DNS
Software: NetDNA-cache/2.2 /
Resource Hash: 9e5b8d4ced66c172dc84f16051eee4bac1e0fc60781c1ea05d73072b3cc7ddf1

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
last-modified: Thu, 06 Jul 2017 20:04:23 GMT
server: NetDNA-cache/2.2
x-amz-request-id: A344FC7528604F7C
etag: W/"44b78b10e53fb4ffb2d9c54f11d4eb0f"
x-cache: HIT
content-type: text/css
status: 200
cache-control: max-age=0, private, must-revalidate
x-amz-id-2: 2O2jLjyz2hoYGjr/0Qq7Vz15Mi0dqmJQ0l9ESseCYTzubqtko+p55qm02Zu3fRHhKSQAZJBSlpo=

GET
H2 200 font-awesome-css.min.css
use.fontawesome.com/releases/v4.7.0/css/ 30 KB
8 KB 7ms
6ms Stylesheet
text/css 23.111.9.35
Highwinds Network...

General

Check archive.org

Show headers Download Go to

Full URL: https://use.fontawesome.com/releases/v4.7.0/css/font-awesome-css.min.css
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 23.111.9.35 Phoenix, United States, ASN33438 (HIGHWINDS2 - Highwinds Network Group, Inc., US),
Reverse DNS
Software: NetDNA-cache/2.2 /
Resource Hash: 5b9573e1023da775390e9284ec0eb1c606df9b468a28980055b4a6aa804f4350

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
last-modified: Tue, 25 Oct 2016 17:21:58 GMT
server: NetDNA-cache/2.2
status: 200
etag: W/"36082410df2ef7f83932219089dc1443"
vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method, Accept-Encoding
access-control-allow-methods: GET
content-type: text/css
access-control-allow-origin: *
access-control-max-age: 3000
cache-control: max-age=31556926
x-cache: HIT

GET
H2 200 css
fonts.googleapis.com/ 2 KB
504 B 17ms
16ms Stylesheet
text/css 2a00:1450:4001:81e::200a
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://fonts.googleapis.com/css?family=Lato:300,400,700

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81e::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

ESF /

Resource Hash

f7d6b1c8e88874fb2696fc3128ea91fc6f47915466ea9f566ab2c39fcebffbd6

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security: max-age=31536000
content-encoding: br
last-modified: Mon, 21 Oct 2019 13:18:54 GMT
server: ESF
link: <https://fonts.gstatic.com>; rel=preconnect; crossorigin
status: 200
date: Mon, 21 Oct 2019 13:18:54 GMT
x-frame-options: SAMEORIGIN
content-type: text/css; charset=utf-8
access-control-allow-origin: *
cache-control: private, max-age=86400, stale-while-revalidate=604800
timing-allow-origin: *
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
x-xss-protection: 0
expires: Mon, 21 Oct 2019 13:18:54 GMT

GET
H2 200 uwt.js Show response
static.ads-twitter.com/ 5 KB
2 KB 18ms
5ms Script
application/javascript 151.101.112.157
Fastly

General

Check archive.org

Show headers Download Go to

Full URL: https://static.ads-twitter.com/uwt.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5ced369c64746d5ad2000705.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 151.101.112.157 Frankfurt am Main, Germany, ASN54113 (FASTLY - Fastly, US),
Reverse DNS
Software: /
Resource Hash: 319949c8c08b86e9c35ea542c0dc0c30cedaa9b8d3d3c3327a36c91aefbd8af5

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
age: 18361
x-cache: HIT
p3p: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status: 200
content-length: 1954
x-served-by: cache-hhn4065-HHN
last-modified: Tue, 23 Jan 2018 20:09:00 GMT
x-timer: S1571663934.245293,VS0,VE0
etag: "b7b33882a4f3ffd5cbf07434f3137166+gzip"
vary: Accept-Encoding,Host
content-type: application/javascript; charset=utf-8
via: 1.1 varnish
cache-control: no-cache
accept-ranges: bytes

GET
H2

200

oct.js Show response
static.ads-twitter.com/
Redirect Chain

https://platform.twitter.com/oct.js
https://static.ads-twitter.com/oct.js

5 KB
2 KB

5ms
5ms

Script
application/javascript

151.101.112.157
Fastly

General

Check archive.org

Show headers Download Go to

Full URL: https://static.ads-twitter.com/oct.js
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 151.101.112.157 Frankfurt am Main, Germany, ASN54113 (FASTLY - Fastly, US),
Reverse DNS
Software: /
Resource Hash: 319949c8c08b86e9c35ea542c0dc0c30cedaa9b8d3d3c3327a36c91aefbd8af5

Request headers

Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
age: 18359
x-cache: HIT
p3p: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status: 200
content-length: 1954
x-served-by: cache-hhn4065-HHN
last-modified: Tue, 23 Jan 2018 20:09:00 GMT
x-timer: S1571663934.263571,VS0,VE0
etag: "b7b33882a4f3ffd5cbf07434f3137166+gzip"
vary: Accept-Encoding,Host
content-type: application/javascript; charset=utf-8
via: 1.1 varnish
cache-control: no-cache
accept-ranges: bytes

Redirect headers

Access-Control-Allow-Origin: *
Date: Mon, 21 Oct 2019 13:18:54 GMT
Server: ECS (fcn/41AD)
Content-Length: 0
Location: https://static.ads-twitter.com/oct.js
Access-Control-Allow-Methods: GET
P3P: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"

GET
H/1.1

200
OK

/
attr.ml-api.io/
Redirect Chain

https://s.ml-attr.com/getuid?https%3a%2f%2fattr.ml-api.io%2f%3fdomain%3djuniper.net%26pId%3d%24UID
https://secure.adnxs.com/getuid?https%3a%2f%2fattr.ml-api.io%2f%3fdomain%3djuniper.net%26pId%3d%24UID
https://secure.adnxs.com/bounce?%2Fgetuid%3Fhttps%253a%252f%252fattr.ml-api.io%252f%253fdomain%253djuniper.net%2526pId%253d%2524UID
https://attr.ml-api.io/?domain=juniper.net&pId=4919953082322347275

4 B
484 B

432ms
380ms

Image
image/jpeg

13.225.78.79
Amazon.com

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://attr.ml-api.io/?domain=juniper.net&pId=4919953082322347275
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 13.225.78.79 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-13-225-78-79.fra2.r.cloudfront.net
Software: /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date: Mon, 21 Oct 2019 13:18:55 GMT
Via: 1.1 c7015d60d4f8f2170aaaa75e69e40618.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: FRA2-C2
x-amzn-RequestId: 32bafaa7-baa8-4566-b363-87057195e495
X-Cache: Miss from cloudfront
Content-Type: image/jpeg
X-Amzn-Trace-Id: Root=1-5dadb03e-a23a03ed7aad77c38e87bb77;Sampled=0
Connection: keep-alive
x-amz-apigw-id: B6h51GQJoAMFccw=
Content-Length: 4
X-Amz-Cf-Id: gYhHvl36Ij5UA0DtALAeyQapFJiskv-eNscBEpTYi56yjoAb02pCgQ==

Redirect headers

Pragma: no-cache
Date: Mon, 21 Oct 2019 13:18:56 GMT
X-Proxy-Origin: 144.76.109.30; 144.76.109.30; 373.bm-nginx-loadbalancer.mgmt.ams1; *.adnxs.com; 185.33.220.102:80
AN-X-Request-Uuid: 12e23b4f-a19c-4081-b111-dfe96fa32da5
Server: nginx/1.13.4
Access-Control-Allow-Origin: *
P3P: policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Location: https://attr.ml-api.io/?domain=juniper.net&pId=4919953082322347275
Cache-Control: no-store, no-cache, private
Access-Control-Allow-Credentials: true
Connection: keep-alive
Content-Type: text/html; charset=utf-8
Content-Length: 0
X-XSS-Protection: 0
Expires: Sat, 15 Nov 2008 16:00:00 GMT

GET
H2 200 lia-scripts-head-min.js Show response
jnet.i.lithium.com/t5/scripts/211F6EC4D6F385A1FE3DDCF161E416CD/ 4 KB
2 KB 6ms
6ms Script
text/javascript 93.184.220.97
MCI Communication...

General

Check archive.org

Show headers Download Go to

Full URL

https://jnet.i.lithium.com/t5/scripts/211F6EC4D6F385A1FE3DDCF161E416CD/lia-scripts-head-min.js

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),

Reverse DNS

Software

ECS (fcn/418B) /

Resource Hash

8febd8b0e9b817a31d401574d8f8aaeb5003d76c2c1afa9da932fa0990685b53

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
last-modified: Fri, 20 Sep 2019 20:34:31 GMT
server: ECS (fcn/418B)
vary: Accept-Encoding
x-cache: HIT
content-type: text/javascript;charset=UTF-8
status: 200
cache-control: s-maxage=12655
strict-transport-security: max-age=31536000;includeSubDomains
content-length: 1464
expires: Sun, 20 Sep 2020 15:32:30 GMT

GET
H2 200 jsapi Show response
www.google.ca/ 26 KB
7 KB 39ms
17ms Script
text/javascript 2a00:1450:4001:81b::2003
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.google.ca/jsapi

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81b::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

GSE /

Resource Hash

04cc38228e78bcd321b02a1db468d35e557f12251aae38a9b2f1814f2761b9b4

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
x-content-type-options: nosniff
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
server: GSE
x-frame-options: SAMEORIGIN
content-type: text/javascript; charset=utf-8
status: 200
cache-control: private, max-age=3600, must-revalidate
vary: Accept-Encoding
content-length: 6425
x-xss-protection: 1; mode=block
expires: Mon, 21 Oct 2019 13:18:54 GMT

GET
H2 200 437764526963678 Show response
connect.facebook.net/signals/config/ 281 KB
65 KB 8ms
8ms Script
application/x-javascript 2a03:2880:f01c:8012:face:b00c:0:3
Facebook

General

Check archive.org

Show headers Download Go to

Full URL

https://connect.facebook.net/signals/config/437764526963678?v=2.9.5&r=stable

Requested by

Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),

Reverse DNS

Software

Resource Hash

711484d0904f76b29c4cbf14e3e7d11c818545fdf95c19112c2ef1bd3e0680b8

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; preload; includeSubDomains
X-Content-Type-Options	nosniff
X-Frame-Options	DENY
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; preload; includeSubDomains
content-encoding: gzip
x-content-type-options: nosniff
status: 200
alt-svc: h3-23=":443"; ma=3600
content-length: 66280
x-xss-protection: 0
pragma: public
x-fb-debug: pZGS4bnavCzec4DHVgpYFP8wBaDZBN2CpeyktdImSa4dtsBLo7y7nBaB47gPrhj16L/LKZbFI04oYBfiIMFitw==
x-fb-trip-id: 1850256238
x-frame-options: DENY
date: Mon, 21 Oct 2019 13:18:54 GMT
vary: Accept-Encoding
content-type: application/x-javascript; charset=utf-8
cache-control: public, max-age=1200
expires: Sat, 01 Jan 2000 00:00:00 GMT

GET
H2 200 fontawesome-webfont.woff2
use.fontawesome.com/releases/v4.7.0/fonts/ 75 KB
76 KB 20ms
7ms Font
application/font-woff2 23.111.9.35
Highwinds Network...

General

Check archive.org

Show headers Download Go to

Full URL: https://use.fontawesome.com/releases/v4.7.0/fonts/fontawesome-webfont.woff2
Requested by: Host: use.fontawesome.com
URL: https://use.fontawesome.com/878544ee83.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 23.111.9.35 Phoenix, United States, ASN33438 (HIGHWINDS2 - Highwinds Network Group, Inc., US),
Reverse DNS
Software: NetDNA-cache/2.2 /
Resource Hash: 2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe

Request headers

Sec-Fetch-Mode: cors
Referer: https://use.fontawesome.com/878544ee83.css
Origin: https://forums.juniper.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
last-modified: Mon, 17 Jul 2017 16:24:59 GMT
server: NetDNA-cache/2.2
status: 200
etag: "af7ae505a9eed503f8b8e6982036873e"
vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method, Accept-Encoding
access-control-allow-methods: GET
content-type: application/font-woff2
access-control-allow-origin: *
access-control-max-age: 3000
cache-control: max-age=31556926
x-cache: HIT
accept-ranges: bytes
content-length: 77160

GET
H2 200 fontawesome-webfont.woff2
jnet.i.lithium.com/html/assets/fonts/ 55 KB
56 KB 32ms
14ms Font
application/octet-stream 93.184.220.97
MCI Communication...

General

Check archive.org

Show headers Download Go to

Full URL

https://jnet.i.lithium.com/html/assets/fonts/fontawesome-webfont.woff2?v=4.3.0

Requested by

Host: use.fontawesome.com
URL: https://use.fontawesome.com/878544ee83.js

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),

Reverse DNS

Software

ECS (fcn/40D8) /

Resource Hash

aadc3580d2b64ff5a7e6f1425587db4e8b033efcbf8f5c332ca52a5ed580c87c

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode: cors
Referer: https://jnet.i.lithium.com/skins/3844011/78d9481934a9081393f958263d2558df/juniperresponsive.css
Origin: https://forums.juniper.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
last-modified: Fri, 20 Sep 2019 20:27:50 GMT
server: ECS (fcn/40D8)
status: 200
etag: W/"56780-1569011270000"
strict-transport-security: max-age=31536000;includeSubDomains
x-cache: HIT
content-type: application/octet-stream
access-control-allow-origin: *
accept-ranges: bytes
content-length: 56780

GET
H2 404 fontawesome.woff
jnet.i.lithium.com/skins/3844011/fonts/ 0
0 342ms
324ms Font
text/html 93.184.220.97
MCI Communication...

General

Check archive.org

Show headers Download Go to

Full URL

https://jnet.i.lithium.com/skins/3844011/fonts/fontawesome.woff

Requested by

Host: use.fontawesome.com
URL: https://use.fontawesome.com/878544ee83.js

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),

Reverse DNS

Software

Apache /

Resource Hash

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode: cors
Referer: https://jnet.i.lithium.com/skins/3844011/78d9481934a9081393f958263d2558df/juniperresponsive.css
Origin: https://forums.juniper.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

status: 404
date: Mon, 21 Oct 2019 13:18:54 GMT
server: Apache
access-control-allow-origin: *
content-length: 866
strict-transport-security: max-age=31536000;includeSubDomains
content-type: text/html;charset=utf-8

GET
H2 200 json Show response
junipernetworks.tt.omtrdc.net/m2/junipernetworks/mbox/ 537 B
799 B 104ms
52ms XHR
application/json 66.117.29.3
Adobe Systems Inc.

General

Check archive.org

Show headers Download Go to

Full URL: https://junipernetworks.tt.omtrdc.net/m2/junipernetworks/mbox/json?mbox=target-global-mbox&mboxSession=cf70bd4818734394a6bc3507976b0df0&mboxPC=&mboxPage=beccad6e12614607999378cf5963b927&mboxRid=9d51e88b837d4d3c8222d00ff507f34d&mboxVersion=1.6.2&mboxCount=1&mboxTime=1571671134191&mboxHost=forums.juniper.net&mboxURL=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&mboxReferrer=&browserHeight=1200&browserWidth=1600&browserTimeOffset=120&screenHeight=1200&screenWidth=1600&colorDepth=24&devicePixelRatio=1&screenOrientation=landscape&profile.isp=true&profile.audience=Bot&profile.audience_segment=&at_property=731b0e75-98c0-3152-d94c-88331af4fd48&mboxMCSDID=526E1CAC99412436-0A4138FF57CADCDD&vst.trk=junipernetworks.d2.sc.omtrdc.net&vst.trks=junipernetworks.d2.sc.omtrdc.net&mboxMCGVID=35836098749383461002240898189079157993&mboxAAMB=6G1ynYcLPuiQxYZrsz_pkqfLG9yMXBpb2zX5dvJdYQJzPXImdj0y&mboxMCGLH=6
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/mbox-contents-ba151bac91f2b7214d881fb194e167b525fadece.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 66.117.29.3 , United States, ASN15224 (OMNITURE - Adobe Systems Inc., US),
Reverse DNS
Software: /
Resource Hash: ffa161118fe5c86651a1086172071bfe65d3c22968af6e2cfdfc450b8051770d

Request headers

Sec-Fetch-Mode: cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:53 GMT
status: 200
vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
content-type: application/json;charset=UTF-8
access-control-allow-origin: https://forums.juniper.net
cache-control: no-cache
access-control-allow-credentials: true
timing-allow-origin: *
content-length: 537
x-request-id: 9d51e88b837d4d3c8222d00ff507f34d

GET
H2 200 adsct
t.co/i/ 43 B
449 B 140ms
127ms Image
image/gif 104.244.42.197
Twitter Inc.

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1lnh&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957

Security Headers

Name	Value
Strict-Transport-Security	max-age=0
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
x-content-type-options: nosniff
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
content-length: 65
x-xss-protection: 0
x-response-time: 121
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:54 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=0
content-type: image/gif;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: c8d0b280c8bbf40823452698b765fc70
x-transaction: 0046b239008d7604
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 adsct
t.co/i/ 43 B
124 B 116ms
115ms Image
image/gif 104.244.42.197
Twitter Inc.

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1oeb&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957

Security Headers

Name	Value
Strict-Transport-Security	max-age=0
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
x-content-type-options: nosniff
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
content-length: 65
x-xss-protection: 0
x-response-time: 108
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:54 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=0
content-type: image/gif;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: c8d0b280c8bbf40823452698b765fc70
x-transaction: 008fcf3c002ecfe8
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 adsct
t.co/i/ 43 B
125 B 123ms
122ms Image
image/gif 104.244.42.197
Twitter Inc.

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=nvrg6&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957

Security Headers

Name	Value
Strict-Transport-Security	max-age=0
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
x-content-type-options: nosniff
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
content-length: 65
x-xss-protection: 0
x-response-time: 115
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:54 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=0
content-type: image/gif;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: c8d0b280c8bbf40823452698b765fc70
x-transaction: 0097975300546c75
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 adsct
t.co/i/ 43 B
124 B 118ms
117ms Image
image/gif 104.244.42.197
Twitter Inc.

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o29di&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957

Security Headers

Name	Value
Strict-Transport-Security	max-age=0
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
x-content-type-options: nosniff
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
content-length: 65
x-xss-protection: 0
x-response-time: 110
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:54 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=0
content-type: image/gif;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: c8d0b280c8bbf40823452698b765fc70
x-transaction: 00147ea200551856
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 adsct
t.co/i/ 43 B
119 B 119ms
118ms Image
image/gif 104.244.42.197
Twitter Inc.

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o2i9x&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957

Security Headers

Name	Value
Strict-Transport-Security	max-age=0
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
x-content-type-options: nosniff
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
content-length: 65
x-xss-protection: 0
x-response-time: 110
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:54 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=0
content-type: image/gif;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: c8d0b280c8bbf40823452698b765fc70
x-transaction: 00927b2d00fb33c2
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 /
www.facebook.com/tr/ 44 B
246 B 7ms
6ms Image
image/gif 2a03:2880:f11c:8183:face:b00c:0:25de
Facebook

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.facebook.com/tr/?id=437764526963678&ev=PageView&dl=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&rl=&if=false&ts=1571663934302&cd[jnpr_vId]=gxUxgn1A2amUgo3KlIV32HqHtyKywD8Y-1571663934&sw=1600&sh=1200&v=2.9.5&r=stable&ec=0&o=29&fbp=fb.1.1571663934301.918616283&it=1571663934145&coo=false&rqm=GET

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f11c:8183:face:b00c:0:25de , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),

Reverse DNS

Software

proxygen-bolt /

Resource Hash

10d8d42d73a02ddb877101e72fbfa15a0ec820224d97cedee4cf92d571be5caa

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
last-modified: Fri, 21 Dec 2012 00:00:01 GMT
server: proxygen-bolt
strict-transport-security: max-age=31536000; includeSubDomains
content-type: image/gif
status: 200
cache-control: no-cache, must-revalidate, max-age=0
alt-svc: h3-23=":443"; ma=3600
content-length: 44
expires: Mon, 21 Oct 2019 13:18:54 GMT

GET
H2 200 button_lithium_logo.png
jnet.i.lithium.com/skins/images/DD51985ABEA4648409E8F4747DB8C33F/responsive_peak/images/ 2 KB
2 KB 7ms
6ms Image
image/png 93.184.220.97
MCI Communication...

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://jnet.i.lithium.com/skins/images/DD51985ABEA4648409E8F4747DB8C33F/responsive_peak/images/button_lithium_logo.png

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),

Reverse DNS

Software

ECS (fcn/40DA) /

Resource Hash

06999de90eb62434c9e26cc7b0b70c3db1602e5b3ebea36b7dd6cb9e4ebbd784

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
last-modified: Fri, 20 Sep 2019 20:27:43 GMT
server: ECS (fcn/40DA)
strict-transport-security: max-age=31536000;includeSubDomains
x-cache: HIT
content-type: image/png;charset=UTF-8
status: 200
cache-control: s-maxage=452705
accept-ranges: bytes
content-length: 1707
expires: Tue, 20 Oct 2020 13:18:54 GMT

GET
H/1.1

404
Not Found

jnpr.min.js
forums.juniper.net/html/assets/scripts/
Redirect Chain

https://forums.juniper.net/assets/scripts/jnpr.min.js
https://forums.juniper.net/html/assets/scripts/jnpr.min.js

0
0

404ms
169ms

Script
text/html

208.74.207.25
NeuStar

General

Check archive.org

Show headers Download Go to

Full URL

https://forums.juniper.net/html/assets/scripts/jnpr.min.js

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),

Reverse DNS

jnet.lithium.com

Software

Apache /

Resource Hash

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date: Mon, 21 Oct 2019 13:18:55 GMT
Vary: Origin,Access-Control-Request-Headers,Access-Control-Request-Method,Access-Control-Allow-Credentials,Access-Control-Max-Age
Server: Apache
Connection: close
Content-Length: 930
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Type: text/html;charset=utf-8

Redirect headers

Location: https://forums.juniper.net/html/assets/scripts/jnpr.min.js
Date: Mon, 21 Oct 2019 13:18:54 GMT
Server: Apache
Connection: close
Content-Length: 266
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Type: text/html; charset=iso-8859-1

GET
H/1.1

404
Not Found

footer-injection.js
forums.juniper.net/html/assets/scripts/
Redirect Chain

https://forums.juniper.net/assets/scripts/footer-injection.js
https://forums.juniper.net/html/assets/scripts/footer-injection.js

0
0

483ms
167ms

Script
text/html

208.74.207.25
NeuStar

General

Check archive.org

Show headers Download Go to

Full URL

https://forums.juniper.net/html/assets/scripts/footer-injection.js

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),

Reverse DNS

jnet.lithium.com

Software

Apache /

Resource Hash

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date: Mon, 21 Oct 2019 13:18:55 GMT
Vary: Origin,Access-Control-Request-Headers,Access-Control-Request-Method,Access-Control-Allow-Credentials,Access-Control-Max-Age
Server: Apache
Connection: close
Content-Length: 946
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Type: text/html;charset=utf-8

Redirect headers

Location: https://forums.juniper.net/html/assets/scripts/footer-injection.js
Date: Mon, 21 Oct 2019 13:18:55 GMT
Server: Apache
Connection: close
Content-Length: 274
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Type: text/html; charset=iso-8859-1

GET
H2 200 lia-scripts-common-min.js Show response
jnet.i.lithium.com/t5/scripts/BE8CB1DF7619C9CB31E35C81CB4C0EC0/ 329 KB
89 KB 319ms
317ms Script
text/javascript 93.184.220.97
MCI Communication...

General

Check archive.org

Show headers Download Go to

Full URL

https://jnet.i.lithium.com/t5/scripts/BE8CB1DF7619C9CB31E35C81CB4C0EC0/lia-scripts-common-min.js

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),

Reverse DNS

Software

Apache /

Resource Hash

081de2455a7c07a455ae28fec0acf0db473c515d1d38b49fda402724febc6da7

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:55 GMT
content-encoding: gzip
last-modified: Fri, 20 Sep 2019 20:26:56 GMT
server: Apache
vary: Accept-Encoding
x-cache: HIT
content-type: text/javascript;charset=UTF-8
status: 200
cache-control: s-maxage=82
strict-transport-security: max-age=31536000;includeSubDomains
accept-ranges: bytes
content-length: 91306
expires: Sat, 19 Sep 2020 20:33:48 GMT

GET
H2 200 lia-scripts-body-min.js Show response
jnet.i.lithium.com/t5/scripts/2E0711A75768E4784ED602DBD284206F/ 1 KB
600 B 8ms
7ms Script
text/javascript 93.184.220.97
MCI Communication...

General

Check archive.org

Show headers Download Go to

Full URL

https://jnet.i.lithium.com/t5/scripts/2E0711A75768E4784ED602DBD284206F/lia-scripts-body-min.js

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),

Reverse DNS

Software

ECS (fcn/41A8) /

Resource Hash

18a02257219987458dc60f3fc2284ce0ceba4affa260c51d66d0b6e815e0a90f

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
last-modified: Fri, 20 Sep 2019 20:37:55 GMT
server: ECS (fcn/41A8)
vary: Accept-Encoding
x-cache: HIT
content-type: text/javascript;charset=UTF-8
status: 200
cache-control: s-maxage=457382
strict-transport-security: max-age=31536000;includeSubDomains
accept-ranges: bytes
content-length: 516
expires: Tue, 20 Oct 2020 13:18:54 GMT

GET
H2 404 fontawesome.ttf
jnet.i.lithium.com/skins/3844011/fonts/ 0
0 321ms
321ms Font
text/html 93.184.220.97
MCI Communication...

General

Check archive.org

Show headers Download Go to

Full URL

https://jnet.i.lithium.com/skins/3844011/fonts/fontawesome.ttf

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),

Reverse DNS

Software

Apache /

Resource Hash

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode: cors
Referer: https://jnet.i.lithium.com/skins/3844011/78d9481934a9081393f958263d2558df/juniperresponsive.css
Origin: https://forums.juniper.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

status: 404
date: Mon, 21 Oct 2019 13:18:54 GMT
server: Apache
access-control-allow-origin: *
content-length: 866
strict-transport-security: max-age=31536000;includeSubDomains
content-type: text/html;charset=utf-8

GET
H2 200 nav-search.svg
www.juniper.net/assets/svg/ 604 B
744 B 7ms
6ms Image
image/svg+xml 2a02:26f0:10:2a9::720
AKAMAI-ASN1

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.juniper.net/assets/svg/nav-search.svg

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),

Reverse DNS

Software

Apache /

Resource Hash

513a1cdd025b3086aa57881e2c801d57b76154c11975cc9283a9a3b480650722

Security Headers

Name	Value
X-Frame-Options	SAMEORIGIN

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://www.juniper.net/documentation/assets/css/style/style.min.css
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
vary: Accept-Encoding
status: 200
content-length: 361
x-ua-compatible: IE=edge,chrome=1
last-modified: Wed, 20 Jul 2016 17:19:39 GMT
server: Apache
x-frame-options: SAMEORIGIN
access-control-max-age: 1000
access-control-allow-methods: POST, GET, OPTIONS, DELETE, PUT
content-type: image/svg+xml
access-control-allow-origin: https://partners.juniper.net
cache-control: public, max-age=160930
accept-ranges: bytes
access-control-allow-headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token

GET
H2 200 nav-search-white.svg
www.juniper.net/assets/svg/ 1 KB
1 KB 7ms
6ms Image
image/svg+xml 2a02:26f0:10:2a9::720
AKAMAI-ASN1

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.juniper.net/assets/svg/nav-search-white.svg

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),

Reverse DNS

Software

Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43 /

Resource Hash

690217dd4ebde7d6750b11980ac97780557184aa636e8ae5ca6a53aadfbce5b8

Security Headers

Name	Value
Content-Security-Policy	upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
Strict-Transport-Security	max-age=31536000
X-Xss-Protection	1; mode=block

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://www.juniper.net/documentation/assets/css/style/style.min.css
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

content-security-policy: upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
content-encoding: gzip
vary: Accept-Encoding
status: 200
strict-transport-security: max-age=31536000
content-length: 657
x-xss-protection: 1; mode=block
x-ua-compatible: IE=edge,chrome=1
last-modified: Wed, 20 Jul 2016 17:19:39 GMT
server: Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43
date: Mon, 21 Oct 2019 13:18:54 GMT
access-control-max-age: 1000
access-control-allow-methods: POST, GET, OPTIONS, PUT
content-type: image/svg+xml
access-control-allow-origin: *
cache-control: public, max-age=143067
accept-ranges: bytes
access-control-allow-headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token

GET
H/1.1 200
OK v.gif
pls.webtype.com/ 807 B
1 KB 451ms
111ms Image
image/gif 65.52.62.25
Microsoft Corpora...

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://pls.webtype.com/v.gif?ct=182296,182293,182299,182294,182298,182295,182297,182293,182294,182298,182295,182297,182299,182296,182299,182298,182293,182296,182295,182294,182297,182296,182297,182295,182294,182298,182293,182299&r=71911&p=68690&h=Hzc0I5MIWElYX3SnOIHSGw%3d%3d
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_256_CBC
Server: 65.52.62.25 Chicago, United States, ASN8075 (MICROSOFT-CORP-MSN-AS-BLOCK - Microsoft Corporation, US),
Reverse DNS
Software: Microsoft-IIS/8.5 / ASP.NET
Resource Hash: 3ca19e57c9a2465ae4df271316ba4d29e7ff7f113a2a2c5297780c0b7a0ac09d

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://cloud.webtype.com/css/05cb80fc-3221-476f-983d-76dfa0b1370c.css
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Pragma: no-cache
Date: Mon, 21 Oct 2019 13:18:54 GMT
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Type: image/gif
Cache-Control: no-cache
Content-Length: 807
Expires: -1

GET
H2 200 8dede187-f539-4e89-8e5d-d76f5d0095ae
cloud.webtype.com/webtype/ff2/3/ 65 KB
65 KB 26ms
6ms Font
application/octet-stream 93.184.220.41
MCI Communication...

General

Check archive.org

Show headers Download Go to

Full URL: https://cloud.webtype.com/webtype/ff2/3/8dede187-f539-4e89-8e5d-d76f5d0095ae?ec_token=8f7c4c4997246fd7fa920371cd943b561cc1376e933e830d08e6b0683939639d404785f456ee325751018e71943647ae782803b571f76a4f99f7a69ad60de620815d74f862eece7f227ffe36b6f147fa2b31f695cc15970eca36239817181a29ea965395e032cd50d8bcc8b099a1626213eb724dfd4684b9557a15c5e2021686a30eae0c2d0ea656970a0c0c4ce2ae2c712caf2dc5f9c018ecb5745d83293ecd895dc071daf39dd538d429fffa183b83b31c38c8abaeb7ec5e8e3b0ac0f33e82655a5bf4fb9401a18e2abf64fec6a5945249a755e2098321fce89fbe6ab4cd2eec3ef0c1337e8a3d20160631b99ac177110468caa17059&ec_token=8f7c4c4997246fd7fa920376cc943b5654522473d8a897cacca97149c4e47f6f58194b50d81812299938889f52af0c1606db01f5be73b0deef52167fa79f12b243aff40a15ac84109f59783d30e511148a6dae4a711358f22b6206a2f996042606d5449df7366ee850657c2e998ae60e1825a00958d3ce1c5e7085a3d6eb82a8614189a4023ff9c5bdd7b05a25fe732e7b1b66d3387e3b492e8886adbde3cfee77939e8d1f63817ab735b2504ec31754c9241fa74730508eca7af76aeb3c0a684994a21e0356e79ee6b3bb4ab55048106ca56cd7bb487524c384b9adf60e1944e2450c73f7e1b30ae197ac26
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 93.184.220.41 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),
Reverse DNS
Software: ECS (fcn/40B6) /
Resource Hash: c85e7ce68f3a78005c8c4603e3312b48ab1465bfdc86b397941295aa75299f2e

Request headers

Sec-Fetch-Mode: cors
Referer: https://cloud.webtype.com/css/05cb80fc-3221-476f-983d-76dfa0b1370c.css
Origin: https://forums.juniper.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
last-modified: Fri, 23 Oct 2015 21:29:02 GMT
server: ECS (fcn/40B6)
etag: "2872188931"
status: 200
x-cache: HIT
content-type: application/octet-stream
access-control-allow-origin: *
cache-control: max-age=604800
accept-ranges: bytes
content-length: 66108
expires: Mon, 28 Oct 2019 13:18:54 GMT

GET
H2 200 Lato-Regular.woff2
jnet.i.lithium.com/html/assets/ 178 KB
179 KB 6ms
6ms Font
application/octet-stream 93.184.220.97
MCI Communication...

General

Check archive.org

Show headers Download Go to

Full URL

https://jnet.i.lithium.com/html/assets/Lato-Regular.woff2

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_256_GCM

Server

93.184.220.97 London, United Kingdom, ASN15133 (EDGECAST - MCI Communications Services, Inc. d/b/a Verizon Business, US),

Reverse DNS

Software

ECS (fcn/41AE) /

Resource Hash

983b0caf336e8542214fc17019a4fc5e0360864b92806ca14d55c1fc1c2c5a0f

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode: cors
Referer: https://jnet.i.lithium.com/skins/3844011/78d9481934a9081393f958263d2558df/juniperresponsive.css
Origin: https://forums.juniper.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
last-modified: Tue, 25 Sep 2018 18:37:35 GMT
server: ECS (fcn/41AE)
status: 200
etag: W/"182708-1537900655000"
strict-transport-security: max-age=31536000;includeSubDomains
x-cache: HIT
content-type: application/octet-stream
access-control-allow-origin: *
accept-ranges: bytes
content-length: 182708

GET
H2

200

cse.js Show response
cse.google.com/cse/
Redirect Chain

https://www.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm
https://cse.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm

11 KB
4 KB

43ms
32ms

Script
text/javascript

2a00:1450:4001:800::200e
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://cse.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:800::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

gws /

Resource Hash

1e76b665a6f0a9668df5358d69d8e88e82e602cbb5d5eb7acb4ea7daa5d5190d

Security Headers

Name	Value
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: br
server: gws
x-frame-options: SAMEORIGIN
p3p: CP="This is not a P3P policy! See g.co/p3phelp for more info."
status: 200
cache-control: private
content-disposition: attachment; filename="f.txt"
content-type: text/javascript; charset=UTF-8
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 3497
x-xss-protection: 0
expires: Mon, 21 Oct 2019 13:18:54 GMT

Redirect headers

date: Mon, 21 Oct 2019 13:18:54 GMT
x-content-type-options: nosniff
server: sffe
status: 302
content-type: text/html; charset=UTF-8
location: https://cse.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm
cache-control: private
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 267
x-xss-protection: 0

GET
H2 200 / Show response
www.google.com/uds/ 607 B
448 B 15ms
15ms Script
text/javascript 2a00:1450:4001:81d::2004
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.google.com/uds/?file=search&v=1

Requested by

Host: www.google.ca
URL: https://www.google.ca/jsapi

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

GSE /

Resource Hash

18640403461461c763056c71c9d16db51cfaf8bd64473e8746b7692e25200e12

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
x-content-type-options: nosniff
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
server: GSE
x-frame-options: SAMEORIGIN
content-type: text/javascript; charset=utf-8
status: 200
cache-control: private, max-age=3600, must-revalidate
vary: Accept-Encoding
content-length: 286
x-xss-protection: 1; mode=block
expires: Mon, 21 Oct 2019 13:18:54 GMT

GET
H2 200 default+en.css
www.google.com/uds/api/search/1.0/bb26211819c995bb58c0620c726c7b45/ 45 KB
10 KB 6ms
6ms Stylesheet
text/css 2a00:1450:4001:81d::2004
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.google.com/uds/api/search/1.0/bb26211819c995bb58c0620c726c7b45/default+en.css

Requested by

Host: www.google.ca
URL: https://www.google.ca/jsapi

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

GSE /

Resource Hash

be411113a7cc410c17ca7c311a35166e012b630b56da83341cbed129f6abd6bd

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Fri, 11 Oct 2019 07:25:05 GMT
content-encoding: gzip
x-content-type-options: nosniff
server: GSE
age: 885229
x-frame-options: SAMEORIGIN
content-type: text/css; charset=UTF-8
status: 200
vary: Accept-Encoding
cache-control: public, max-age=31536000
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 10257
x-xss-protection: 1; mode=block
expires: Sat, 10 Oct 2020 07:25:05 GMT

GET
H2 200 default+en.I.js Show response
www.google.com/uds/api/search/1.0/bb26211819c995bb58c0620c726c7b45/ 315 KB
92 KB 7ms
7ms Script
application/x-javascript 2a00:1450:4001:81d::2004
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.google.com/uds/api/search/1.0/bb26211819c995bb58c0620c726c7b45/default+en.I.js

Requested by

Host: www.google.ca
URL: https://www.google.ca/jsapi

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

GSE /

Resource Hash

24b74951479c73418c6486173931f2c1b9f56142776dda0a7dc19a9e9884b8a9

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	1; mode=block

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"

Response headers

date: Fri, 18 Oct 2019 15:25:32 GMT
content-encoding: gzip
x-content-type-options: nosniff
server: GSE
age: 251602
x-frame-options: SAMEORIGIN
content-type: application/x-javascript; charset=UTF-8
status: 200
vary: Accept-Encoding
cache-control: public, max-age=31536000
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 94503
x-xss-protection: 1; mode=block
expires: Sat, 17 Oct 2020 15:25:32 GMT

GET
H/1.1 200
OK Cookie set dest5.html
junipernetworks.demdex.net/ Frame 7CE4 0
0 136ms
31ms Document
text/html 34.253.43.81
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL

https://junipernetworks.demdex.net/dest5.html?d_nsid=0

Requested by

Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

34.253.43.81 Dublin, Ireland, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),

Reverse DNS

ec2-34-253-43-81.eu-west-1.compute.amazonaws.com

Software

Resource Hash

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains

Request headers

Host: junipernetworks.demdex.net
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: cross-site
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Accept-Encoding: gzip, deflate, br
Cookie: demdex=40611432642373395391657003048716690702
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

Accept-Ranges: bytes
Cache-Control: max-age=21600
Content-Encoding: gzip
Content-Type: text/html
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified: Wed, 16 Oct 2019 08:54:45 GMT
P3P: policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT"
Pragma: no-cache
Set-Cookie: demdex=40611432642373395391657003048716690702;Path=/;Domain=.demdex.net;Expires=Sat, 18-Apr-2020 13:18:54 GMT;Max-Age=15552000
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding, User-Agent
X-TID: Qdg7+75HRkQ=
Content-Length: 2764
Connection: keep-alive

GET
H2 200 logo.svg
www.juniper.net/assets/svg/ 5 KB
2 KB 6ms
6ms Image
image/svg+xml 2a02:26f0:10:2a9::720
AKAMAI-ASN1

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.juniper.net/assets/svg/logo.svg

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),

Reverse DNS

Software

Apache /

Resource Hash

2099c9be1d977088b3fa5f862474b7ed87e34c8988f6eaf1a20b15787c9998b6

Security Headers

Name	Value
X-Frame-Options	SAMEORIGIN

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://www.juniper.net/documentation/assets/css/style/style.min.css
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:54 GMT
content-encoding: gzip
vary: Accept-Encoding
status: 200
content-length: 2118
x-ua-compatible: IE=edge,chrome=1
last-modified: Wed, 20 Jul 2016 17:19:37 GMT
server: Apache
x-frame-options: SAMEORIGIN
access-control-max-age: 1000
access-control-allow-methods: POST, GET, OPTIONS, DELETE, PUT
content-type: image/svg+xml
access-control-allow-origin: https://partners.juniper.net
cache-control: public, max-age=104734
accept-ranges: bytes
access-control-allow-headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token

GET
H/1.1 404
Not Found J-Nethome.jpg
forums.juniper.net/html/assets/ 918 B
918 B 477ms
161ms Image
text/html 208.74.207.25
NeuStar

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://forums.juniper.net/html/assets/J-Nethome.jpg

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),

Reverse DNS

jnet.lithium.com

Software

Apache /

Resource Hash

2aec599bb34eb6dc9628239d56d39f8b9fbf6cea0d7b4272d3a6c18c6ab81e05

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date: Mon, 21 Oct 2019 13:18:55 GMT
Vary: Origin,Access-Control-Request-Headers,Access-Control-Request-Method,Access-Control-Allow-Credentials,Access-Control-Max-Age
Server: Apache
Connection: close
Content-Length: 918
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Type: text/html;charset=utf-8

GET
H/1.1

404
Not Found

twitter.png
forums.juniper.net/html/assets/svg/png/
Redirect Chain

https://forums.juniper.net/assets/svg/png/twitter.png
https://forums.juniper.net/html/assets/svg/png/twitter.png

930 B
930 B

485ms
165ms

Image
text/html

208.74.207.25
NeuStar

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://forums.juniper.net/html/assets/svg/png/twitter.png

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),

Reverse DNS

jnet.lithium.com

Software

Apache /

Resource Hash

9b8a69e995564719ea29e03b8593d8d18d03c3c8411a0eba1d714afec595d848

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date: Mon, 21 Oct 2019 13:18:55 GMT
Vary: Origin,Access-Control-Request-Headers,Access-Control-Request-Method,Access-Control-Allow-Credentials,Access-Control-Max-Age
Server: Apache
Connection: close
Content-Length: 930
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Type: text/html;charset=utf-8

Redirect headers

Location: https://forums.juniper.net/html/assets/svg/png/twitter.png
Date: Mon, 21 Oct 2019 13:18:55 GMT
Server: Apache
Connection: close
Content-Length: 266
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Type: text/html; charset=iso-8859-1

GET
H/1.1

404
Not Found

youtube.png
forums.juniper.net/html/assets/svg/png/
Redirect Chain

https://forums.juniper.net/assets/svg/png/youtube.png
https://forums.juniper.net/html/assets/svg/png/youtube.png

930 B
930 B

491ms
166ms

Image
text/html

208.74.207.25
NeuStar

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://forums.juniper.net/html/assets/svg/png/youtube.png

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),

Reverse DNS

jnet.lithium.com

Software

Apache /

Resource Hash

925ce3258ea45dd475bffbdc02c278e08d6bc4667c685b18c43b8dd0cb8bee5a

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date: Mon, 21 Oct 2019 13:18:55 GMT
Vary: Origin,Access-Control-Request-Headers,Access-Control-Request-Method,Access-Control-Allow-Credentials,Access-Control-Max-Age
Server: Apache
Connection: close
Content-Length: 930
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Type: text/html;charset=utf-8

Redirect headers

Location: https://forums.juniper.net/html/assets/svg/png/youtube.png
Date: Mon, 21 Oct 2019 13:18:55 GMT
Server: Apache
Connection: close
Content-Length: 266
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Type: text/html; charset=iso-8859-1

GET
H/1.1

404
Not Found

linkedin-circle.svg
forums.juniper.net/html/assets/svg/
Redirect Chain

https://forums.juniper.net/assets/svg/linkedin-circle.svg
https://forums.juniper.net/html/assets/svg/linkedin-circle.svg

938 B
938 B

475ms
163ms

Image
text/html

208.74.207.25
NeuStar

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://forums.juniper.net/html/assets/svg/linkedin-circle.svg

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),

Reverse DNS

jnet.lithium.com

Software

Apache /

Resource Hash

78a8202e2d22f37c9ed73bb52845944b2776d14a59bd21bd44dca6ca11795495

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date: Mon, 21 Oct 2019 13:18:55 GMT
Server: Apache
Vary: Origin,Access-Control-Request-Headers,Access-Control-Request-Method,Access-Control-Allow-Credentials,Access-Control-Max-Age
Content-Type: text/html;charset=utf-8
Access-Control-Allow-Origin: *
Connection: close
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Length: 938

Redirect headers

Location: https://forums.juniper.net/html/assets/svg/linkedin-circle.svg
Date: Mon, 21 Oct 2019 13:18:55 GMT
Server: Apache
Connection: close
Content-Length: 270
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Type: text/html; charset=iso-8859-1

GET
H2 200 select-down.svg
www.juniper.net/assets/svg/ 626 B
934 B 7ms
7ms Image
image/svg+xml 2a02:26f0:10:2a9::720
AKAMAI-ASN1

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.juniper.net/assets/svg/select-down.svg

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

2a02:26f0:10:2a9::720 , Ascension Island, ASN20940 (AKAMAI-ASN1, US),

Reverse DNS

Software

Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43 /

Resource Hash

066d654e9fdae411ba75229bf293bb54156406111dd0f69f789f97a8a8a6502b

Security Headers

Name	Value
Content-Security-Policy	upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
Strict-Transport-Security	max-age=31536000
X-Xss-Protection	1; mode=block

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://www.juniper.net/documentation/assets/css/style/style.min.css
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

content-security-policy: upgrade-insecure-requests; frame-ancestors *.juniper.net https://juniper.highspot.com https://junipernetworks.lookbookhq.com
content-encoding: gzip
vary: Accept-Encoding
status: 200
strict-transport-security: max-age=31536000
content-length: 416
x-xss-protection: 1; mode=block
x-ua-compatible: IE=edge,chrome=1
last-modified: Wed, 20 Jul 2016 17:19:47 GMT
server: Apache/2.4.33 (Unix) OpenSSL/1.0.2k-fips mod_jk/1.2.43
date: Mon, 21 Oct 2019 13:18:54 GMT
access-control-max-age: 1000
access-control-allow-methods: POST, GET, OPTIONS, PUT
content-type: image/svg+xml
access-control-allow-origin: *
cache-control: public, max-age=152540
accept-ranges: bytes
access-control-allow-headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token

GET
H2 200 cse_element__en.js Show response
www.google.com/cse/static/element/b5752d27691147d6/ 256 KB
85 KB 6ms
6ms Script
text/javascript 2a00:1450:4001:81d::2004
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.google.com/cse/static/element/b5752d27691147d6/cse_element__en.js?usqp=CAI%3D

Requested by

Host: cse.google.com
URL: https://cse.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

sffe /

Resource Hash

f50798458e958d44022e68ed50eaf58ee47256a163f3022681fe1c899139d612

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 12:20:46 GMT
content-encoding: gzip
x-content-type-options: nosniff
last-modified: Fri, 20 Sep 2019 16:22:21 GMT
server: sffe
age: 3488
vary: Accept-Encoding
content-type: text/javascript
status: 200
cache-control: public, max-age=31536000
accept-ranges: bytes
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 86564
x-xss-protection: 0
expires: Tue, 20 Oct 2020 12:20:46 GMT

GET
H2 200 default+en.css
www.google.com/cse/static/element/b5752d27691147d6/ 40 KB
9 KB 7ms
7ms Stylesheet
text/css 2a00:1450:4001:81d::2004
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.google.com/cse/static/element/b5752d27691147d6/default+en.css

Requested by

Host: cse.google.com
URL: https://cse.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

sffe /

Resource Hash

40a20291f9b526cba58796a4bbd0256d5663313e02c9d5ab5a842476562b3108

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 12:20:43 GMT
content-encoding: gzip
x-content-type-options: nosniff
last-modified: Fri, 20 Sep 2019 16:22:21 GMT
server: sffe
age: 3491
vary: Accept-Encoding
content-type: text/css
status: 200
cache-control: public, max-age=31536000
accept-ranges: bytes
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 9042
x-xss-protection: 0
expires: Tue, 20 Oct 2020 12:20:43 GMT

GET
H2 200 default.css
www.google.com/cse/static/style/look/v3/ 12 KB
3 KB 7ms
6ms Stylesheet
text/css 2a00:1450:4001:81d::2004
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.google.com/cse/static/style/look/v3/default.css

Requested by

Host: cse.google.com
URL: https://cse.google.com/cse/cse.js?cx=009668004808822005412:yju97b8czpm

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

sffe /

Resource Hash

8c5519ff6e93dfefc21c8b9c586ceef2060b2161e6be946d5b704341456ef053

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:10:41 GMT
content-encoding: gzip
x-content-type-options: nosniff
last-modified: Tue, 07 May 2019 14:00:00 GMT
server: sffe
age: 493
vary: Accept-Encoding
content-type: text/css
status: 200
cache-control: public, max-age=3000
accept-ranges: bytes
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 2805
x-xss-protection: 0
expires: Mon, 21 Oct 2019 14:00:41 GMT

GET
H2 200 satellite-5c4d601564746d128d00351a.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 2 KB
1 KB 6ms
5ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5c4d601564746d128d00351a.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: 775babc192dd84c190b44f9612ad8a9de10a522c9a178e7f37a623b13974582b

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:55 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:33 GMT
server: AkamaiNetStorage
etag: "79d2fab98e026e15277357ab3735e2ec:1571335293.959717"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 843
expires: Mon, 21 Oct 2019 14:18:55 GMT

GET
H2 200 satellite-5c86baad64746d44c9006139.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 2 KB
1 KB 8ms
8ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5c86baad64746d44c9006139.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: 9093f80f7653038c751be64d054f6159875ac0f6f99935c4008bf3f705abdbee

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:55 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:34 GMT
server: AkamaiNetStorage
etag: "5d575cbc07dd1ec8409e5003819443cb:1571335294.197582"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 856
expires: Mon, 21 Oct 2019 14:18:55 GMT

GET
H2 200 js Show response
www.googletagmanager.com/gtag/ 74 KB
28 KB 16ms
15ms Script
application/javascript 2a00:1450:4001:814::2008
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.googletagmanager.com/gtag/js?id=AW-956680084

Requested by

Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:814::2008 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

Google Tag Manager /

Resource Hash

656e1fb71a24f4d230a9ce9ff572e6c7e52382d7bbe666dafb10c12fc2799210

Security Headers

Name	Value
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:55 GMT
content-encoding: br
last-modified: Mon, 21 Oct 2019 12:00:00 GMT
server: Google Tag Manager
access-control-allow-headers: Cache-Control
status: 200
vary: Accept-Encoding
content-type: application/javascript; charset=UTF-8
access-control-allow-origin: http://www.googletagmanager.com
cache-control: private, max-age=900
access-control-allow-credentials: true
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 28467
x-xss-protection: 0
expires: Mon, 21 Oct 2019 13:18:55 GMT

GET
H2 200 satellite-5a1c307e64746d671f007214.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 970 B
739 B 11ms
10ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5a1c307e64746d671f007214.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: db0031471b3f9181ff21d83674674ac3dd7c128531fae90bc274ad0e17c58c37

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:55 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:33 GMT
server: AkamaiNetStorage
etag: "e98792ce8e8b853475368de93200623c:1571335293.681528"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 493
expires: Mon, 21 Oct 2019 14:18:55 GMT

GET
H2 200 satellite-57ae0e9e64746d5a2c001384.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 756 B
610 B 10ms
10ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-57ae0e9e64746d5a2c001384.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: 4c891889ca55d5cadf9e960d2e40f31f50ac0b6252417a9be7414ff2f26a3880

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:55 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:30 GMT
server: AkamaiNetStorage
etag: "32b2fa1768d41f11552b05c7f7bc9543:1571335290.212682"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 365
expires: Mon, 21 Oct 2019 14:18:55 GMT

GET
H2 200 satellite-57b12af264746d361f00027e.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 148 B
392 B 12ms
12ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-57b12af264746d361f00027e.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: b8eea75e456823a6e0eebfa1e4f27b56395485fff2bbf27e0344f7bf4fa8e509

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:55 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:28 GMT
server: AkamaiNetStorage
etag: "a29c925184c82cbaaeea213863aa74d1:1571335288.030434"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 147
expires: Mon, 21 Oct 2019 14:18:55 GMT

GET
H2 200 s-code-contents-aa1e4404cdb04849f2f22e6dd3789ac4f10a9afd.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/ 35 KB
13 KB 14ms
13ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/s-code-contents-aa1e4404cdb04849f2f22e6dd3789ac4f10a9afd.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: e931faaef092c8d98a58ac536216378f58e2a17a4833bbe5f9a29e5bbed849f6

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:55 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:22 GMT
server: AkamaiNetStorage
etag: "0c13f2b0bfa3779da7f5bdb2ff4d1d29:1571335282.412724"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 13480
expires: Mon, 21 Oct 2019 14:18:55 GMT

GET
H2 200 gtm.js Show response
www.googletagmanager.com/ 248 KB
48 KB 18ms
18ms Script
application/javascript 2a00:1450:4001:814::2008
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.googletagmanager.com/gtm.js?id=GTM-MHNPL3

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:814::2008 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

Google Tag Manager /

Resource Hash

2e4f5dd09499f2da4d8350e694d389f5837bc9a97addae7785a708a1867551a2

Security Headers

Name	Value
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:55 GMT
content-encoding: br
last-modified: Mon, 21 Oct 2019 12:00:00 GMT
server: Google Tag Manager
access-control-allow-headers: Cache-Control
status: 200
vary: Accept-Encoding
content-type: application/javascript; charset=UTF-8
access-control-allow-origin: http://www.googletagmanager.com
cache-control: private, max-age=900
access-control-allow-credentials: true
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 48762
x-xss-protection: 0
expires: Mon, 21 Oct 2019 13:18:55 GMT

GET
H2 200 pntheon.min.js Show response
secure.rmulus.com/ 9 KB
9 KB 43ms
9ms Script
application/javascript 143.204.101.123
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5c4d601564746d128d00351a.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-143-204-101-123.fra50.r.cloudfront.net
Software: AmazonS3 /
Resource Hash: 8c785b78817298c70c27829e6903d75fac181ed591e3260c4b1fec35f0cd03c0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:04:39 GMT
via: 1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
last-modified: Mon, 11 Mar 2019 19:34:03 GMT
server: AmazonS3
age: 857
etag: "0e3d80db82062b64ac3e71d661e18282"
x-cache: Hit from cloudfront
content-type: application/javascript
status: 200
cache-control: max-age=3600
x-amz-cf-pop: FRA50-C1
accept-ranges: bytes
content-length: 9338
x-amz-cf-id: RU7TcYHwdg5UnfP2dMMKZscgCzCZ1_qxWrhzhOJGCZfwiCBWfIdYkQ==

GET
H/1.1 204
No Content 162880915395_1571663933734.gif
forums.juniper.net/beacon/ 0
385 B 518ms
165ms Image
image/gif 208.74.207.25
NeuStar

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://forums.juniper.net/beacon/162880915395_1571663933734.gif

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

208.74.207.25 , United States, ASN19905 (NEUSTAR-AS6 - NeuStar, Inc., US),

Reverse DNS

jnet.lithium.com

Software

Apache /

Resource Hash

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Pragma: no-cache
Date: Mon, 21 Oct 2019 13:18:56 GMT
Last-Modified: Fri, 02 Nov 2007 00:36:01 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000;includeSubDomains
Content-Type: image/gif
Cache-Control: private, no-cache, no-cache="Set-Cookie", proxy-revalidate
Connection: close
Content-Length: 0
Expires: Thu, 22 Jan 1976 08:28:00 GMT

GET
H2 200 satellite-5955f42064746d6e6f0053bb.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 378 B
529 B 7ms
6ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5955f42064746d6e6f0053bb.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: 7b08b6c86fb4d51c3e96dd3f06ed35c02b7f0662404fb6b14b9b2b0425a9e28a

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:55 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:26 GMT
server: AkamaiNetStorage
etag: "3b6d86978dcd31eae399835883bb4dfa:1571335286.733543"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 283
expires: Mon, 21 Oct 2019 14:18:55 GMT

GET
H2 200 satellite-5caeb27864746d4fde0010d0.html
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ Frame 8B9A 0
0 38ms
5ms Document
text/html 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5caeb27864746d4fde0010d0.html
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash

Request headers

:method: GET
:authority: assets.adobedtm.com
:scheme: https
:path: /998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5caeb27864746d4fde0010d0.html
pragma: no-cache
cache-control: no-cache
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode: nested-navigate
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: cross-site
referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
accept-encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

status: 200
accept-ranges: bytes
content-type: text/html
etag: "99efb13f2ce40bcc3d8c60d4557d2185:1571241462.172506"
last-modified: Wed, 16 Oct 2019 15:57:42 GMT
server: AkamaiNetStorage
vary: Accept-Encoding
content-encoding: gzip
content-length: 810
cache-control: max-age=3600
expires: Mon, 21 Oct 2019 14:18:55 GMT
date: Mon, 21 Oct 2019 13:18:55 GMT
timing-allow-origin: *

GET
H2 200 satellite-5d487bc864746d25bd00073a.html
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ Frame 489D 0
0 38ms
6ms Document
text/html 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5d487bc864746d25bd00073a.html
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash

Request headers

:method: GET
:authority: assets.adobedtm.com
:scheme: https
:path: /998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5d487bc864746d25bd00073a.html
pragma: no-cache
cache-control: no-cache
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode: nested-navigate
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: cross-site
referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
accept-encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

status: 200
accept-ranges: bytes
content-type: text/html
etag: "6f794f7bf8d2cbee9f48532e60fe0435:1571335284.152642"
last-modified: Thu, 17 Oct 2019 18:01:24 GMT
server: AkamaiNetStorage
vary: Accept-Encoding
content-encoding: gzip
cache-control: max-age=3600
expires: Mon, 21 Oct 2019 14:18:55 GMT
date: Mon, 21 Oct 2019 13:18:55 GMT
content-length: 654
timing-allow-origin: *

GET
H2 200 adsct Show response
analytics.twitter.com/i/ 31 B
221 B 169ms
131ms Script
application/javascript 104.244.42.67
Twitter Inc.

General

Check archive.org

Show headers Download Go to

Full URL

https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1lnh&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram

Requested by

Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf

Security Headers

Name	Value
Strict-Transport-Security	max-age=631138519
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:56 GMT
content-encoding: gzip
x-content-type-options: nosniff
p3p: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
strict-transport-security: max-age=631138519
content-length: 57
x-xss-protection: 0
x-response-time: 125
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:56 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
content-type: application/javascript;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: b72d2a40f7abbe035d79f11461ece10a
x-transaction: 007645c700485450
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 adsct Show response
analytics.twitter.com/i/ 31 B
221 B 167ms
131ms Script
application/javascript 104.244.42.67
Twitter Inc.

General

Check archive.org

Show headers Download Go to

Full URL

Requested by

Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf

Security Headers

Name	Value
Strict-Transport-Security	max-age=631138519
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:56 GMT
content-encoding: gzip
x-content-type-options: nosniff
p3p: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
strict-transport-security: max-age=631138519
content-length: 57
x-xss-protection: 0
x-response-time: 123
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:56 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
content-type: application/javascript;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: b72d2a40f7abbe035d79f11461ece10a
x-transaction: 0037964200d30515
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 adsct Show response
analytics.twitter.com/i/ 31 B
633 B 161ms
126ms Script
application/javascript 104.244.42.67
Twitter Inc.

General

Check archive.org

Show headers Download Go to

Full URL

Requested by

Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf

Security Headers

Name	Value
Strict-Transport-Security	max-age=631138519
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:56 GMT
content-encoding: gzip
x-content-type-options: nosniff
p3p: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
strict-transport-security: max-age=631138519
content-length: 57
x-xss-protection: 0
x-response-time: 117
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:56 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
content-type: application/javascript;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: b72d2a40f7abbe035d79f11461ece10a
x-transaction: 0020f90800e6dd6a
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 adsct Show response
analytics.twitter.com/i/ 31 B
220 B 171ms
137ms Script
application/javascript 104.244.42.67
Twitter Inc.

General

Check archive.org

Show headers Download Go to

Full URL

https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o29di&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram

Requested by

Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf

Security Headers

Name	Value
Strict-Transport-Security	max-age=631138519
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:56 GMT
content-encoding: gzip
x-content-type-options: nosniff
p3p: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
strict-transport-security: max-age=631138519
content-length: 57
x-xss-protection: 0
x-response-time: 126
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:56 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
content-type: application/javascript;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: b72d2a40f7abbe035d79f11461ece10a
x-transaction: 0000b98e00e61af4
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 adsct Show response
analytics.twitter.com/i/ 31 B
220 B 162ms
127ms Script
application/javascript 104.244.42.67
Twitter Inc.

General

Check archive.org

Show headers Download Go to

Full URL

https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o2i9x&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=0&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram

Requested by

Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf

Security Headers

Name	Value
Strict-Transport-Security	max-age=631138519
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:56 GMT
content-encoding: gzip
x-content-type-options: nosniff
p3p: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
strict-transport-security: max-age=631138519
content-length: 57
x-xss-protection: 0
x-response-time: 119
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:56 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
content-type: application/javascript;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: b72d2a40f7abbe035d79f11461ece10a
x-transaction: 00b8592f00501d1b
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
DATA 200
OK truncated
/ 667 B
0 Image
image/jpeg

General

Check archive.org

Show headers Download Go to Show image

Full URL: data:truncated
Protocol: DATA
Server: -, , ASN (),
Reverse DNS
Software: /
Resource Hash: edd8db5c29b96b7a290a5e266d426dca85541b7cd7a62b180e5ec89dc635f05f

Request headers

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Content-Type: image/jpeg

GET
H/1.1 200
OK elqCfg.min.js Show response
img.en25.com/i/ 6 KB
3 KB 32ms
10ms Script
application/x-javascript 95.100.78.166
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL

https://img.en25.com/i/elqCfg.min.js

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

HTTP/1.1

Security

TLS 1.2, ECDHE_RSA, AES_256_GCM

Server

95.100.78.166 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),

Reverse DNS

a95-100-78-166.deploy.static.akamaitechnologies.com

Software

/ ASP.NET

Resource Hash

6b4ebd6049c806e3eef1bd770b2d8b4fdd75803861ead3584ee753e41988efae

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains
X-Content-Type-Options	nosniff

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Encoding: gzip
X-Content-Type-Options: nosniff
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
Connection: keep-alive
Content-Length: 2115
ETag: "12d7dac15842d51:0"
Pragma: no-cache
Last-Modified: Wed, 24 Jul 2019 19:48:25 GMT
Date: Mon, 21 Oct 2019 13:18:55 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
Cache-Control: no-cache, no-store
Accept-Ranges: bytes
Expires: Mon, 21 Oct 2019 13:18:55 GMT

GET
H2 200 async-ads.js Show response
cse.google.com/adsense/search/ 165 KB
57 KB 46ms
39ms Script
text/javascript 2a00:1450:4001:800::200e
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://cse.google.com/adsense/search/async-ads.js

Requested by

Host: www.google.com
URL: https://www.google.com/cse/static/element/b5752d27691147d6/cse_element__en.js?usqp=CAI%3D

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:800::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

sffe /

Resource Hash

b6b12491bd3384604967dba5b6d0d4430484097b7982a988bf78aae31bf9ff76

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:55 GMT
content-encoding: gzip
x-content-type-options: nosniff
server: sffe
etag: "10003670776107828456"
vary: Accept-Encoding
content-type: text/javascript; charset=UTF-8
status: 200
cache-control: private, max-age=3600
accept-ranges: bytes
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
x-xss-protection: 0
expires: Mon, 21 Oct 2019 13:18:55 GMT

GET
H2 204 generate_204
www.googleapis.com/ 0
143 B 32ms
5ms Image
text/plain 2a00:1450:4001:81c::200a
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://www.googleapis.com/generate_204
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2a00:1450:4001:81c::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software: /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

status: 204
date: Mon, 21 Oct 2019 13:18:56 GMT
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 0

GET
H2 200 googlelogo_grey_46x15dp.png
www.google.com/cse/static/images/1x/ 919 B
1 KB 9ms
9ms Image
image/png 2a00:1450:4001:81d::2004
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.com/cse/static/images/1x/googlelogo_grey_46x15dp.png

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

sffe /

Resource Hash

a844cdc48c7591822e45128a138f1dbba5753a3ca9992bd71c36758d51d0b68e

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Fri, 11 Oct 2019 07:09:42 GMT
x-content-type-options: nosniff
last-modified: Tue, 13 Dec 2016 15:00:00 GMT
server: sffe
age: 886153
content-type: image/png
status: 200
cache-control: public, max-age=31536000
accept-ranges: bytes
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 919
x-xss-protection: 0
expires: Sat, 10 Oct 2020 07:09:42 GMT

GET
H2 204 generate_204
clients1.google.com/ 0
42 B 8ms
7ms Image
text/plain 2a00:1450:4001:800::200e
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://clients1.google.com/generate_204
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: H2
Security: TLS 1.3, , AES_128_GCM
Server: 2a00:1450:4001:800::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),
Reverse DNS
Software: /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

status: 204
date: Mon, 21 Oct 2019 13:18:55 GMT
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 0

GET
H2 200 pntheon.min.js Show response
secure.rmulus.com/ 9 KB
9 KB 19ms
11ms Script
application/javascript 143.204.101.123
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5c86baad64746d44c9006139.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-143-204-101-123.fra50.r.cloudfront.net
Software: AmazonS3 /
Resource Hash: 8c785b78817298c70c27829e6903d75fac181ed591e3260c4b1fec35f0cd03c0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 02:54:44 GMT
via: 1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
last-modified: Mon, 11 Mar 2019 19:34:03 GMT
server: AmazonS3
x-amz-cf-pop: FRA50-C1
etag: "0e3d80db82062b64ac3e71d661e18282"
x-cache: Hit from cloudfront
content-type: application/javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
content-length: 9338
x-amz-cf-id: SrcIVxm58Di946dD9L0ZzAYKk2XN6_Im0InmDC7vUnBQqvvjIHYzGg==

GET
H2 200 s4364113760050
junipernetworks.d2.sc.omtrdc.net/b/ss/jnprod/1/JS-2.12.0-D7QN/ 43 B
244 B 59ms
57ms Image
image/gif 52.49.100.189
Amazon.com

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://junipernetworks.d2.sc.omtrdc.net/b/ss/jnprod/1/JS-2.12.0-D7QN/s4364113760050?AQB=1&ndh=1&pf=1&t=21%2F9%2F2019%2015%3A18%3A55%201%20-120&sdid=526E1CAC99412436-0A4138FF57CADCDD&D=D%3D&mid=35836098749383461002240898189079157993&aamlh=6&ce=UTF-8&pageName=forums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&g=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&aamb=6G1ynYcLPuiQxYZrsz_pkqfLG9yMXBpb2zX5dvJdYQJzPXImdj0y&c1=forums.juniper.net&v5=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&v15=D%3DpageName&v30=ISP%20Visitor&v31=ISP%20Visitor&v32=ISP%20Visitor&v33=ISP%20Visitor&v34=ISP%20Visitor&v35=ISP%20Visitor&v36=ISP%20Visitor&v37=ISP%20Visitor&v38=ISP%20Visitor&v39=ISP%20Visitor&v40=ISP%20Visitor&v41=ISP%20Visitor&v42=ISP%20Visitor&v43=ISP%20Visitor&v44=ISP%20Visitor&v45=Bot&v46=ISP%20Visitor&v84=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&s=1600x1200&c=24&j=1.6&v=N&k=Y&bw=1600&bh=1200&mcorgid=D206123F524450F50A490D45%40AdobeOrg&AQE=1

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

52.49.100.189 Dublin, Ireland, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),

Reverse DNS

ec2-52-49-100-189.eu-west-1.compute.amazonaws.com

Software

jag /

Resource Hash

a1ecbaed793a1f564c49c671f2dd0ce36f858534ef6d26b55783a06b884cc506

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	1; mode=block

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:55 GMT
x-content-type-options: nosniff
x-c: master-1047.I1d1c81.M0-302
p3p: CP="This is not a P3P policy"
status: 200
content-length: 43
x-xss-protection: 1; mode=block
pragma: no-cache
last-modified: Tue, 22 Oct 2019 13:18:56 GMT
server: jag
xserver: anedge-64d5676c7b-d6dbt
etag: 3375122602796613632-4614826555019093777
vary: *
content-type: image/gif;charset=utf-8
access-control-allow-origin: *
cache-control: no-cache, no-store, max-age=0, no-transform, private
expires: Sun, 20 Oct 2019 13:18:56 GMT

GET
H2 200 pntheon.min.js Show response
secure.rmulus.com/ 9 KB
9 KB 7ms
6ms Script
application/javascript 143.204.101.123
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=pgvw&_pdataSource=web&_pqStr=enabled&jnpr_vID=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5a1c307e64746d671f007214.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-143-204-101-123.fra50.r.cloudfront.net
Software: AmazonS3 /
Resource Hash: 8c785b78817298c70c27829e6903d75fac181ed591e3260c4b1fec35f0cd03c0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:55 GMT
via: 1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
last-modified: Mon, 11 Mar 2019 19:34:03 GMT
server: AmazonS3
age: 858
etag: "0e3d80db82062b64ac3e71d661e18282"
x-cache: Hit from cloudfront
content-type: application/javascript
status: 200
cache-control: max-age=3600
x-amz-cf-pop: FRA50-C1
accept-ranges: bytes
content-length: 9338
x-amz-cf-id: v4dZz83a117tSBKBjOHBZ8tSsy9o0lOMr8oydjSgCVZCnhpUSbiWXA==

GET
H2

200

activityi;dc_pre=COPm97S4reUCFdCA3godGKEBlg;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-St...
5922977.fls.doubleclick.net/ Frame 5B21
Redirect Chain

https://5922977.fls.doubleclick.net/activityi;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-...
https://5922977.fls.doubleclick.net/activityi;dc_pre=COPm97S4reUCFdCA3godGKEBlg;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.n...

0
0

18ms
16ms

Document
text/html

172.217.18.102
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://5922977.fls.doubleclick.net/activityi;dc_pre=COPm97S4reUCFdCA3godGKEBlg;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=2656885376668.787?

Requested by

Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-57b12a8364746d4d41000291.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

172.217.18.102 , United States, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

fra16s42-in-f6.1e100.net

Software

cafe /

Resource Hash

Security Headers

Name	Value
Strict-Transport-Security	max-age=21600
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

:method: GET
:authority: 5922977.fls.doubleclick.net
:scheme: https
:path: /activityi;dc_pre=COPm97S4reUCFdCA3godGKEBlg;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=2656885376668.787?
pragma: no-cache
cache-control: no-cache
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode: nested-navigate
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: cross-site
referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
accept-encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

status: 200
p3p: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
timing-allow-origin: *
date: Mon, 21 Oct 2019 13:18:56 GMT
expires: Fri, 01 Jan 1990 00:00:00 GMT
cache-control: no-cache, must-revalidate
strict-transport-security: max-age=21600
content-type: text/html; charset=UTF-8
pragma: no-cache
x-content-type-options: nosniff
content-encoding: gzip
server: cafe
content-length: 496
x-xss-protection: 0
set-cookie: test_cookie=CheckForPermission; expires=Mon, 21-Oct-2019 13:33:56 GMT; path=/; domain=.doubleclick.net
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000

Redirect headers

status: 302
p3p: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
timing-allow-origin: *
date: Mon, 21 Oct 2019 13:18:56 GMT
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
cache-control: no-cache, must-revalidate
follow-only-when-prerender-shown: 1
strict-transport-security: max-age=21600
location: https://5922977.fls.doubleclick.net/activityi;dc_pre=COPm97S4reUCFdCA3godGKEBlg;src=5922977;type=pageview;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=2656885376668.787?
content-type: text/html; charset=UTF-8
x-content-type-options: nosniff
server: cafe
content-length: 0
x-xss-protection: 0
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000

GET
H2

200

activityi;dc_pre=CJH89rS4reUCFY36dwodplMGuA;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Ste...
3872718.fls.doubleclick.net/ Frame 2269
Redirect Chain

https://3872718.fls.doubleclick.net/activityi;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-S...
https://3872718.fls.doubleclick.net/activityi;dc_pre=CJH89rS4reUCFY36dwodplMGuA;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.ne...

0
0

18ms
18ms

Document
text/html

216.58.205.230
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://3872718.fls.doubleclick.net/activityi;dc_pre=CJH89rS4reUCFY36dwodplMGuA;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=5530350572044.805?

Requested by

Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-57b12a8364746d4d41000291.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

216.58.205.230 Mountain View, United States, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

fra15s24-in-f230.1e100.net

Software

cafe /

Resource Hash

Security Headers

Name	Value
Strict-Transport-Security	max-age=21600
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

:method: GET
:authority: 3872718.fls.doubleclick.net
:scheme: https
:path: /activityi;dc_pre=CJH89rS4reUCFY36dwodplMGuA;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=5530350572044.805?
pragma: no-cache
cache-control: no-cache
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode: nested-navigate
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: cross-site
referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
accept-encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

status: 200
p3p: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
timing-allow-origin: *
date: Mon, 21 Oct 2019 13:18:56 GMT
expires: Fri, 01 Jan 1990 00:00:00 GMT
cache-control: no-cache, must-revalidate
strict-transport-security: max-age=21600
content-type: text/html; charset=UTF-8
pragma: no-cache
x-content-type-options: nosniff
content-encoding: gzip
server: cafe
content-length: 497
x-xss-protection: 0
set-cookie: test_cookie=CheckForPermission; expires=Mon, 21-Oct-2019 13:33:56 GMT; path=/; domain=.doubleclick.net
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000

Redirect headers

status: 302
p3p: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
timing-allow-origin: *
date: Mon, 21 Oct 2019 13:18:56 GMT
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
cache-control: no-cache, must-revalidate
follow-only-when-prerender-shown: 1
strict-transport-security: max-age=21600
location: https://3872718.fls.doubleclick.net/activityi;dc_pre=CJH89rS4reUCFY36dwodplMGuA;src=3872718;type=gojpnet;cat=pagev0;u1=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936;u2=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram;u5=;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;ord=5530350572044.805?
content-type: text/html; charset=UTF-8
x-content-type-options: nosniff
server: cafe
content-length: 0
x-xss-protection: 0
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000

GET
H2 200 conversion_async.js Show response
www.googleadservices.com/pagead/ 24 KB
9 KB 16ms
16ms Script
text/javascript 216.58.207.66
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.googleadservices.com/pagead/conversion_async.js

Requested by

Host: www.googletagmanager.com
URL: https://www.googletagmanager.com/gtag/js?id=AW-956680084

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

216.58.207.66 Mountain View, United States, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

fra16s25-in-f2.1e100.net

Software

cafe /

Resource Hash

04cc99186aa1ed2c9e0989ad7f6a2e180508c8656caef8cd2b153fa8dbba9038

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:56 GMT
content-encoding: gzip
x-content-type-options: nosniff
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
content-disposition: attachment; filename="f.txt"
alt-svc: quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 9198
x-xss-protection: 0
server: cafe
etag: 4566352449703540938
vary: Accept-Encoding
content-type: text/javascript; charset=UTF-8
cache-control: private, max-age=3600
timing-allow-origin: *
expires: Mon, 21 Oct 2019 13:18:56 GMT

GET
H2 200 analytics.js Show response
www.google-analytics.com/ 43 KB
17 KB 6ms
6ms Script
text/javascript 2a00:1450:4001:814::200e
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.google-analytics.com/analytics.js

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:814::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

Golfe2 /

Resource Hash

dbb67c620eaabf6679a314db18d3ae43037aef71ab27422e6feec08ee987cc0a

Security Headers

Name	Value
Strict-Transport-Security	max-age=10886400; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security: max-age=10886400; includeSubDomains; preload
content-encoding: gzip
x-content-type-options: nosniff
last-modified: Mon, 19 Aug 2019 17:22:41 GMT
server: Golfe2
age: 5087
date: Mon, 21 Oct 2019 11:54:09 GMT
vary: Accept-Encoding
content-type: text/javascript
status: 200
cache-control: public, max-age=7200
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 17803
expires: Mon, 21 Oct 2019 13:54:09 GMT

GET
H2 200 wRPiG49f.min.js Show response
scripts.demandbase.com/ 57 KB
15 KB 11ms
8ms Script
application/javascript 13.224.196.121
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://scripts.demandbase.com/wRPiG49f.min.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5955f42064746d6e6f0053bb.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 13.224.196.121 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-13-224-196-121.fra2.r.cloudfront.net
Software: AmazonS3 /
Resource Hash: 994f862399526907874323d0bf282947d8c1b6e01c2ef047da2b5521e88eba5b

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

x-amz-version-id: A.YxmHS1afpEPfcAb8JPNPnT_ezOR3oU
content-encoding: gzip
last-modified: Tue, 15 Oct 2019 15:25:03 GMT
server: AmazonS3
age: 596
date: Mon, 21 Oct 2019 13:09:01 GMT
vary: Accept-Encoding
x-cache: Hit from cloudfront
content-type: application/javascript
status: 200
cache-control: public, max-age=3600
x-amz-cf-pop: FRA2-C1
x-amz-cf-id: 76coy_bpIwzNt8MH96da5yYNozrmP-jCNA1XXvMEuFIrWjQOJK3kQw==
via: 1.1 172e63b20fb363ed969de28ae3937e21.cloudfront.net (CloudFront)

GET
H/1.1 200
OK jnpr Show response
lookups.rmulus.com/pntheon/ip/ 408 B
597 B 626ms
346ms XHR
text/html 34.201.194.177
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://lookups.rmulus.com/pntheon/ip/jnpr
Requested by: Host: secure.rmulus.com
URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 34.201.194.177 Ashburn, United States, ASN14618 (AMAZON-AES - Amazon.com, Inc., US),
Reverse DNS: ec2-34-201-194-177.compute-1.amazonaws.com
Software: Apache /
Resource Hash: 2e982e3c73e6f28505203e3efd647293555d1b34940f19626bd054bd6f2efc57

Request headers

Sec-Fetch-Mode: cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Access-Control-Allow-Origin: *
Date: Mon, 21 Oct 2019 13:18:56 GMT
Server: Apache
Connection: keep-alive
Content-Length: 408
Content-Type: text/html; charset=UTF-8

GET
H/1.1

200
OK

37366
tags.bluekai.com/site/
Redirect Chain

https://s1229.t.eloqua.com/visitor/v200/svrGP?pps=3&siteid=1229&ref2=elqNone&tzo=-60&ms=99&optin=disabled
https://s1229.t.eloqua.com/visitor/v200/svrGP.aspx?pps=3&siteid=1229&ref2=elqNone&tzo=-60&ms=99&optin=disabled&elqCookie=1
https://tags.bluekai.com/site/37366?vid=679a745650d24cc085eb77d8965b2862

62 B
745 B

169ms
169ms

Image
image/gif

104.111.241.32
Akamai Technologies

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://tags.bluekai.com/site/37366?vid=679a745650d24cc085eb77d8965b2862
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_ECDSA, AES_256_GCM
Server: 104.111.241.32 , Netherlands, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a104-111-241-32.deploy.static.akamaitechnologies.com
Software: /
Resource Hash: 0af3aae90b7de9fdceee2ab421378ea2f54c74be81ef43fc6c1790a032755d80

Request headers

Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date: Mon, 21 Oct 2019 13:18:56 GMT
Connection: keep-alive
P3P: CP="NOI DSP COR CUR ADMo DEVo PSAo PSDo OUR SAMo BUS UNI NAV", policyref="http://tags.bluekai.com/w3c/p3p.xml"
Content-Length: 62
BK-Server: 20d6
Content-Type: image/gif

Redirect headers

Pragma: no-cache
Strict-Transport-Security: max-age=31536000;
X-Content-Type-Options: nosniff
Date: Mon, 21 Oct 2019 13:18:57 GMT
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
Location: //tags.bluekai.com/site/37366?vid=679a745650d24cc085eb77d8965b2862
Cache-Control: private,no-cache, no-store
Content-Type: text/html; charset=utf-8
Content-Length: 183
Expires: -1

GET
H/1.1 200
OK jnpr Show response
lookups.rmulus.com/pntheon/ip/ 408 B
597 B 646ms
367ms XHR
text/html 34.201.194.177
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://lookups.rmulus.com/pntheon/ip/jnpr
Requested by: Host: secure.rmulus.com
URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 34.201.194.177 Ashburn, United States, ASN14618 (AMAZON-AES - Amazon.com, Inc., US),
Reverse DNS: ec2-34-201-194-177.compute-1.amazonaws.com
Software: Apache /
Resource Hash: 2e982e3c73e6f28505203e3efd647293555d1b34940f19626bd054bd6f2efc57

Request headers

Sec-Fetch-Mode: cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Access-Control-Allow-Origin: *
Date: Mon, 21 Oct 2019 13:18:56 GMT
Server: Apache
Connection: keep-alive
Content-Length: 408
Content-Type: text/html; charset=UTF-8

GET
H2 200 /
secure.rmulus.com/ Frame F684 0
0 37ms
37ms Document
text/html 143.204.101.123
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://secure.rmulus.com/?_pevId=x6EmWOEL6OyACr3CNgUaa8BgLIQkgHGj-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=enabled&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dpgvw%26_pdataSource%3Dweb%26_pqStr%3Denabled%26jnpr_vID%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=pgvw&_pdataSource=web&jnpr_vID=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pidSource=secure.rmulus.com&_pidName=rmulusId&_pclIp=disabled&_plkpPrfl=disabled
Requested by: Host: secure.rmulus.com
URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-143-204-101-123.fra50.r.cloudfront.net
Software: AmazonS3 /
Resource Hash

Request headers

:method: GET
:authority: secure.rmulus.com
:scheme: https
:path: /?_pevId=x6EmWOEL6OyACr3CNgUaa8BgLIQkgHGj-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=enabled&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dpgvw%26_pdataSource%3Dweb%26_pqStr%3Denabled%26jnpr_vID%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=pgvw&_pdataSource=web&jnpr_vID=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pidSource=secure.rmulus.com&_pidName=rmulusId&_pclIp=disabled&_plkpPrfl=disabled
pragma: no-cache
cache-control: no-cache
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode: nested-navigate
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: cross-site
referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
accept-encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

status: 200
content-type: text/html
content-length: 10988
last-modified: Tue, 17 Sep 2019 20:54:41 GMT
accept-ranges: bytes
server: AmazonS3
date: Mon, 21 Oct 2019 13:16:42 GMT
etag: "08de75273b3f0e392260aff0b5943cb6"
cache-control: max-age=3600
x-cache: Hit from cloudfront
via: 1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
x-amz-cf-pop: FRA50-C1
x-amz-cf-id: 2jrto8ItF_S9ARYXEHeWUckLFjMDKWrpTegqzWCfAjSyDwftLYHUng==
age: 135

GET
H2 200 collect
www.google-analytics.com/ 35 B
99 B 6ms
5ms Image
image/gif 2a00:1450:4001:814::200e
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google-analytics.com/collect?v=1&_v=j79&a=997604986&t=pageview&_s=1&dl=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&ul=en-us&de=UTF-8&dt=Page%20not%20found%20-%20J-Net%20Community&sd=24-bit&sr=1600x1200&vp=1600x1200&je=0&_u=YGDAgEAB~&jid=2105878077&gjid=1782864985&cid=1588292560.1571663936&tid=UA-2343305-4&_gid=1491227351.1571663936&z=1031613913

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:814::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

Golfe2 /

Resource Hash

8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

Security Headers

Name	Value
X-Content-Type-Options	nosniff

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Fri, 11 Oct 2019 14:20:40 GMT
x-content-type-options: nosniff
last-modified: Sun, 17 May 1998 03:00:00 GMT
server: Golfe2
age: 860296
status: 200
content-type: image/gif
access-control-allow-origin: *
cache-control: no-cache, no-store, must-revalidate
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 35
expires: Mon, 01 Jan 1990 00:00:00 GMT

GET
H2 200 collect
stats.g.doubleclick.net/r/ 35 B
102 B 16ms
15ms Image
image/gif 2a00:1450:400c:c00::9a
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3&v=1&_v=j79&tid=UA-2343305-4&cid=1588292560.1571663936&jid=2105878077&gjid=1782864985&_gid=1491227351.1571663936&_u=YGDAgEAB~&z=570881387

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:400c:c00::9a Brussels, Belgium, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

Golfe2 /

Resource Hash

8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

Security Headers

Name	Value
Strict-Transport-Security	max-age=10886400; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
strict-transport-security: max-age=10886400; includeSubDomains; preload
x-content-type-options: nosniff
last-modified: Sun, 17 May 1998 03:00:00 GMT
server: Golfe2
date: Mon, 21 Oct 2019 13:18:56 GMT
status: 200
content-type: image/gif
access-control-allow-origin: *
cache-control: no-cache, no-store, must-revalidate
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 35
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 collect
www.google-analytics.com/ 35 B
93 B 6ms
5ms Image
image/gif 2a00:1450:4001:814::200e
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google-analytics.com/collect?v=1&_v=j79&a=997604986&t=pageview&_s=1&dl=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&ul=en-us&de=UTF-8&dt=Page%20not%20found%20-%20J-Net%20Community&sd=24-bit&sr=1600x1200&vp=1600x1200&je=0&_u=YGDAgEAB~&jid=824571634&gjid=1638796004&cid=1588292560.1571663936&tid=UA-2343305-1&_gid=1491227351.1571663936&cd5=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&cd19=gtm%20%2B%20dtm&z=717810465

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:814::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

Golfe2 /

Resource Hash

8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

Security Headers

Name	Value
X-Content-Type-Options	nosniff

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Fri, 11 Oct 2019 14:20:40 GMT
x-content-type-options: nosniff
last-modified: Sun, 17 May 1998 03:00:00 GMT
server: Golfe2
age: 860296
status: 200
content-type: image/gif
access-control-allow-origin: *
cache-control: no-cache, no-store, must-revalidate
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 35
expires: Mon, 01 Jan 1990 00:00:00 GMT

GET
H2

200

ga-audiences
www.google.de/ads/
Redirect Chain

https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3&v=1&_v=j79&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&gjid=1638796004&_gid=1491227351.1571663936&_u=YGDAgEAB~&z=358956172
https://www.google.com/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&_v=j79&z=358956172
https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&_v=j79&z=358956172&slf_rd=1&random=1075004916

42 B
109 B

30ms
29ms

Image
image/gif

2a00:1450:4001:821::2003
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&_v=j79&z=358956172&slf_rd=1&random=1075004916

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:56 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

Redirect headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:56 GMT
x-content-type-options: nosniff
server: cafe
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 302
content-type: text/html; charset=UTF-8
location: https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-2343305-1&cid=1588292560.1571663936&jid=824571634&_v=j79&z=358956172&slf_rd=1&random=1075004916
cache-control: no-cache, no-store, must-revalidate
timing-allow-origin: *
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 0
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 / Show response
googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/ 2 KB
1 KB 152ms
151ms Script
text/javascript 2a00:1450:4001:818::2002
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663936175&cv=9&fst=1571663936175&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&tiba=Page%20not%20found%20-%20J-Net%20Community&async=1&rfmt=3&fmt=4

Requested by

Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion_async.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:818::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

7bde86f22329283dc816191116fb2c332cfdb506928e6551cae7273356d8d238

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:56 GMT
content-encoding: gzip
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status: 200
cache-control: no-cache, must-revalidate
content-disposition: attachment; filename="f.txt"
content-type: text/javascript; charset=UTF-8
alt-svc: quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 1011
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 ip.json Show response
api.company-target.com/api/v2/ 423 B
926 B 131ms
69ms XHR
application/json 143.204.101.126
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://api.company-target.com/api/v2/ip.json?referrer=&page=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&page_title=Page%20not%20found%20-%20J-Net%20Community&key=b04729caf27be3d1f33d91242883c6cd22de73c9&src=tag
Requested by: Host: scripts.demandbase.com
URL: https://scripts.demandbase.com/wRPiG49f.min.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 143.204.101.126 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-143-204-101-126.fra50.r.cloudfront.net
Software: nginx /
Resource Hash: 5b4f7ddf2cbd5ef8611f5fd90529a7c0b42bedb4c6f5a8f08d1c328b55043372

Request headers

Sec-Fetch-Mode: cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:56 GMT
content-encoding: gzip
x-amz-cf-pop: FRA50-C1
x-cache: Miss from cloudfront
status: 200
access-control-max-age: 1728000
request-id: 6f08852f-6bd2-4dac-acb4-2210f34a3f1c
x-amz-cf-id: JmrDMf5AcCUJxs6tAgm06sGZRGbBBJoR8CzauiFaRjd6UTsTErs8PA==
pragma: no-cache
access-control-allow-origin: https://forums.juniper.net
server: nginx
vary: Accept-Encoding, Origin
access-control-allow-methods: GET, POST, OPTIONS
content-type: application/json;charset=utf-8
via: 1.1 d55780b776b171387055eca956ae29a9.cloudfront.net (CloudFront)
access-control-expose-headers
cache-control: no-cache, no-store, max-age=0, must-revalidate
access-control-allow-credentials: true
api-version: v2
access-control-allow-headers: DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
identification-source: CENTRAL
expires: Sun, 20 Oct 2019 13:18:56 GMT

GET
H2 200 ip.json Show response
api.company-target.com/api/v2/ 423 B
927 B 129ms
67ms XHR
application/json 143.204.101.126
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://api.company-target.com/api/v2/ip.json?referrer=&page=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&page_title=Page%20not%20found%20-%20J-Net%20Community&key=2f583737f4267c258cb4cda0abb7f0add09816ce&src=tag
Requested by: Host: scripts.demandbase.com
URL: https://scripts.demandbase.com/wRPiG49f.min.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 143.204.101.126 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-143-204-101-126.fra50.r.cloudfront.net
Software: nginx /
Resource Hash: 5b4f7ddf2cbd5ef8611f5fd90529a7c0b42bedb4c6f5a8f08d1c328b55043372

Request headers

Sec-Fetch-Mode: cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:56 GMT
content-encoding: gzip
x-amz-cf-pop: FRA50-C1
x-cache: Miss from cloudfront
status: 200
access-control-max-age: 1728000
request-id: 7bf7097f-4065-45e8-9e2a-d1cae60cc3c7
x-amz-cf-id: nooeqNMj4VasaG3WO2FWCDAgEJliYSwkA3RpfZQ5nI6nbpBAkeOZAA==
pragma: no-cache
access-control-allow-origin: https://forums.juniper.net
server: nginx
vary: Accept-Encoding, Origin
access-control-allow-methods: GET, POST, OPTIONS
content-type: application/json;charset=utf-8
via: 1.1 d55780b776b171387055eca956ae29a9.cloudfront.net (CloudFront)
access-control-expose-headers
cache-control: no-cache, no-store, max-age=0, must-revalidate
access-control-allow-credentials: true
api-version: v2
access-control-allow-headers: DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type
identification-source: CENTRAL
expires: Sun, 20 Oct 2019 13:18:56 GMT

GET
H/1.1

200
OK

validateCookie
segments.company-target.com/
Redirect Chain

https://match.prod.bidr.io/cookie-sync/demandbase
https://match.prod.bidr.io/cookie-sync/demandbase?_bee_ppp=1
https://segments.company-target.com/log?vendor=choca&user_id=AAIRN067W2EAAD8-oGx-9g
https://segments.company-target.com/validateCookie?vendor=choca&user_id=AAIRN067W2EAAD8-oGx-9g&verifyHash=c98c9f6f68c4dea536d7f502bae74584fd247a32

26 B
405 B

94ms
94ms

Image
image/gif

54.230.95.207
Amazon.com

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://segments.company-target.com/validateCookie?vendor=choca&user_id=AAIRN067W2EAAD8-oGx-9g&verifyHash=c98c9f6f68c4dea536d7f502bae74584fd247a32
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 54.230.95.207 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-54-230-95-207.fra2.r.cloudfront.net
Software: /
Resource Hash: 3b7b8a4b411ddf8db9bacc2f3aabf406f8e4c0c087829b336ca331c40adfdff1

Request headers

Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date: Mon, 21 Oct 2019 13:18:56 GMT
Via: 1.1 7e6ac12144acebd1fc302708f2ecfad6.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: FRA2
Vary: Origin
X-Cache: Miss from cloudfront
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: keep-alive
trace-id: 41753079f94b2a42
X-Amz-Cf-Id: z9c-stADGr14aQrVNH14t5kfVKwrJmoQC_0WWR0uvSOYKRmpNsJItg==

Redirect headers

Date: Mon, 21 Oct 2019 13:18:56 GMT
Via: 1.1 7e6ac12144acebd1fc302708f2ecfad6.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: FRA2
Vary: Origin
X-Cache: Miss from cloudfront
Location: /validateCookie?vendor=choca&user_id=AAIRN067W2EAAD8-oGx-9g&verifyHash=c98c9f6f68c4dea536d7f502bae74584fd247a32
Connection: keep-alive
trace-id: 03e766abe7d405a1
Content-Length: 0
X-Amz-Cf-Id: iZi25IPojJaCCaTAI6LoM6g4CzJbVs773axEX3g5DPCfq-r9dpeHTg==

GET
H2 200 collect
www.google-analytics.com/ 35 B
93 B 6ms
6ms Image
image/gif 2a00:1450:4001:814::200e
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google-analytics.com/collect?v=1&_v=j79&a=997604986&t=event&ni=1&_s=2&dl=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&ul=en-us&de=UTF-8&dt=Page%20not%20found%20-%20J-Net%20Community&sd=24-bit&sr=1600x1200&vp=1600x1200&je=0&ec=Demandbase&ea=API%20Resolution&el=IP%20API&_u=aGDAgEAB~&jid=&gjid=&cid=1588292560.1571663936&tid=UA-2343305-1&_gid=1491227351.1571663936&cd5=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&cd19=gtm%20%2B%20dtm&cd6=(Non-Company%20Visitor)&cd7=(Non-Company%20Visitor)&cd8=(Non-Company%20Visitor)&cd9=Bot&cd10=(Non-Company%20Visitor)&cd11=(Non-Company%20Visitor)&cd12=(Non-Company%20Visitor)&cd13=(Non-Company%20Visitor)&cd14=(Non-Company%20Visitor)&cd15=(Non-Company%20Visitor)&cd16=(Non-Company%20Visitor)&cd17=(Non-Company%20Visitor)&cd18=Germany&z=205781812

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:814::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

Golfe2 /

Resource Hash

8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

Security Headers

Name	Value
X-Content-Type-Options	nosniff

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Fri, 11 Oct 2019 14:20:40 GMT
x-content-type-options: nosniff
last-modified: Sun, 17 May 1998 03:00:00 GMT
server: Golfe2
age: 860296
status: 200
content-type: image/gif
access-control-allow-origin: *
cache-control: no-cache, no-store, must-revalidate
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 35
expires: Mon, 01 Jan 1990 00:00:00 GMT

GET
H2 200 /
www.google.com/pagead/1p-user-list/956680084/ 42 B
122 B 30ms
29ms Image
image/gif 2a00:1450:4001:81d::2004
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.com/pagead/1p-user-list/956680084/?random=1571663936175&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&tiba=Page%20not%20found%20-%20J-Net%20Community&async=1&fmt=3&is_vtc=1&random=4165226488&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:56 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 /
www.google.de/pagead/1p-user-list/956680084/ 42 B
110 B 21ms
21ms Image
image/gif 2a00:1450:4001:821::2003
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.de/pagead/1p-user-list/956680084/?random=1571663936175&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&tiba=Page%20not%20found%20-%20J-Net%20Community&async=1&fmt=3&is_vtc=1&random=4165226488&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:56 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H/1.1 200
OK profiler Show response
lookups.rmulus.com/pntheon/profiles/ 25 B
205 B 113ms
112ms XHR
application/json 34.201.194.177
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://lookups.rmulus.com/pntheon/profiles/profiler?_pclientId=jnpr&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vid&_plkpPrfl=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by: Host: secure.rmulus.com
URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 34.201.194.177 Ashburn, United States, ASN14618 (AMAZON-AES - Amazon.com, Inc., US),
Reverse DNS: ec2-34-201-194-177.compute-1.amazonaws.com
Software: Apache /
Resource Hash: 851bd834d24a84c0f4780789e868a65f9db8d9655a7a0cac039dbf3b65ad873f

Request headers

Sec-Fetch-Mode: cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Access-Control-Allow-Origin: *
Date: Mon, 21 Oct 2019 13:18:56 GMT
Server: Apache
Connection: keep-alive
Content-Length: 25
Content-Type: application/json

GET
H/1.1 200
OK profiler Show response
lookups.rmulus.com/pntheon/profiles/ 25 B
205 B 124ms
123ms XHR
application/json 34.201.194.177
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://lookups.rmulus.com/pntheon/profiles/profiler?_pclientId=jnpr&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pmatchedip&_plkpPrfl=144.76.109.30
Requested by: Host: secure.rmulus.com
URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol: HTTP/1.1
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 34.201.194.177 Ashburn, United States, ASN14618 (AMAZON-AES - Amazon.com, Inc., US),
Reverse DNS: ec2-34-201-194-177.compute-1.amazonaws.com
Software: Apache /
Resource Hash: 851bd834d24a84c0f4780789e868a65f9db8d9655a7a0cac039dbf3b65ad873f

Request headers

Sec-Fetch-Mode: cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Access-Control-Allow-Origin: *
Date: Mon, 21 Oct 2019 13:18:56 GMT
Server: Apache
Connection: keep-alive
Content-Length: 25
Content-Type: application/json

GET
H2 200 / Show response
research.juniper.net/ Frame 3286 11 KB
11 KB 37ms
7ms Document
text/html 143.204.101.123
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by: Host: secure.rmulus.com
URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-143-204-101-123.fra50.r.cloudfront.net
Software: AmazonS3 /
Resource Hash: 39d48454cc249ca68918b13d93558d1027516393b06df1c104557532da1bc02e

Request headers

:method: GET
:authority: research.juniper.net
:scheme: https
:path: /?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
pragma: no-cache
cache-control: no-cache
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode: nested-navigate
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: same-site
referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
accept-encoding: gzip, deflate, br
cookie: jnpr_vID=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936; s_cc=true; _gcl_au=1.1.1602773843.1571663936; _ga=GA1.2.1588292560.1571663936; _gid=GA1.2.1491227351.1571663936; _gat_b=1; _gat_jn=1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

status: 200
content-type: text/html
content-length: 10988
last-modified: Tue, 17 Sep 2019 20:54:41 GMT
accept-ranges: bytes
server: AmazonS3
date: Mon, 21 Oct 2019 13:17:01 GMT
etag: "08de75273b3f0e392260aff0b5943cb6"
cache-control: max-age=3600
x-cache: Hit from cloudfront
via: 1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
x-amz-cf-pop: FRA50-C1
x-amz-cf-id: 2d2lmLW8oZ-4x09mO5l6DadVbpFyjCOpHkGawp23Y0NYWGbX2f5ORA==
age: 907

GET
H2 200 / Show response
research.juniper.net/ Frame 436D 11 KB
11 KB 7ms
6ms Document
text/html 143.204.101.123
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Requested by: Host: secure.rmulus.com
URL: https://secure.rmulus.com/pntheon.min.js?_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pqStr=enabled&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=active&_pclIp=active&_pqStr=active&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb|nvrg6&_pfbAids=340159566928684|437764526963678&_pliPids=1318724|4751&_pawAids=AW-819694878|AW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-143-204-101-123.fra50.r.cloudfront.net
Software: AmazonS3 /
Resource Hash: 39d48454cc249ca68918b13d93558d1027516393b06df1c104557532da1bc02e

Request headers

:method: GET
:authority: research.juniper.net
:scheme: https
:path: /?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
pragma: no-cache
cache-control: no-cache
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode: nested-navigate
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: same-site
referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
accept-encoding: gzip, deflate, br
cookie: jnpr_vID=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936; s_cc=true; _gcl_au=1.1.1602773843.1571663936; _ga=GA1.2.1588292560.1571663936; _gid=GA1.2.1491227351.1571663936; _gat_b=1; _gat_jn=1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Response headers

status: 200
content-type: text/html
content-length: 10988
last-modified: Tue, 17 Sep 2019 20:54:41 GMT
accept-ranges: bytes
server: AmazonS3
date: Mon, 21 Oct 2019 13:17:01 GMT
etag: "08de75273b3f0e392260aff0b5943cb6"
cache-control: max-age=3600
x-cache: Hit from cloudfront
via: 1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
x-amz-cf-pop: FRA50-C1
x-amz-cf-id: r8V80_1Fd2VXhtraiFYFS7mfO5Ir5PGtMh2vzl3pI8XgbCvRP7hnkQ==
age: 907

GET
H2 200 _pclPrint.min.js Show response
research.juniper.net/ Frame 3286 38 KB
39 KB 9ms
9ms Script
application/javascript 143.204.101.123
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://research.juniper.net/_pclPrint.min.js
Requested by: Host: research.juniper.net
URL: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-143-204-101-123.fra50.r.cloudfront.net
Software: AmazonS3 /
Resource Hash: c5aff3477022f781ee765989cdf6abbdd986f331064c59f5655fab8c6f9796c7

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 12:31:24 GMT
via: 1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
last-modified: Tue, 23 Jul 2019 21:53:49 GMT
server: AmazonS3
age: 2853
etag: "2b2becfbac440238e8ca3a6f7a3b2c50"
x-cache: Hit from cloudfront
content-type: application/javascript
status: 200
cache-control: max-age=3600
x-amz-cf-pop: FRA50-C1
accept-ranges: bytes
content-length: 39179
x-amz-cf-id: qmVCQPG8LmUjQCxWs9c7gBRZRN0wgevndJvmfS_14t1d7d-SajtFPQ==

GET
H2 200 _pclPrint.min.js Show response
research.juniper.net/ Frame 436D 38 KB
39 KB 12ms
12ms Script
application/javascript 143.204.101.123
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://research.juniper.net/_pclPrint.min.js
Requested by: Host: research.juniper.net
URL: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-143-204-101-123.fra50.r.cloudfront.net
Software: AmazonS3 /
Resource Hash: c5aff3477022f781ee765989cdf6abbdd986f331064c59f5655fab8c6f9796c7

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 12:31:24 GMT
via: 1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
last-modified: Tue, 23 Jul 2019 21:53:49 GMT
server: AmazonS3
age: 2853
etag: "2b2becfbac440238e8ca3a6f7a3b2c50"
x-cache: Hit from cloudfront
content-type: application/javascript
status: 200
cache-control: max-age=3600
x-amz-cf-pop: FRA50-C1
accept-ranges: bytes
content-length: 39179
x-amz-cf-id: 66ZzXLQDG_K-H2WZk-ISIzG3RNRf7YsDYKjokfDeOCoFpXMcivCv6A==

GET
H2 200 js Show response
www.googletagmanager.com/gtag/ Frame 3286 74 KB
28 KB 17ms
16ms Script
application/javascript 2a00:1450:4001:814::2008
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.googletagmanager.com/gtag/js?id=AW-819694878

Requested by

Host: research.juniper.net
URL: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:814::2008 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

Google Tag Manager /

Resource Hash

acbde4a5a6ca3a99092c40c7d64b1e6a3c170a991a1ae98dd28b590cec53a7c0

Security Headers

Name	Value
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: br
last-modified: Mon, 21 Oct 2019 12:00:00 GMT
server: Google Tag Manager
access-control-allow-headers: Cache-Control
status: 200
vary: Accept-Encoding
content-type: application/javascript; charset=UTF-8
access-control-allow-origin: http://www.googletagmanager.com
cache-control: private, max-age=900
access-control-allow-credentials: true
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 28466
x-xss-protection: 0
expires: Mon, 21 Oct 2019 13:18:57 GMT

GET
H2 200 js Show response
www.googletagmanager.com/gtag/ Frame 3286 74 KB
28 KB 17ms
17ms Script
application/javascript 2a00:1450:4001:814::2008
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.googletagmanager.com/gtag/js?id=AW-956680084

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:814::2008 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

Google Tag Manager /

Resource Hash

656e1fb71a24f4d230a9ce9ff572e6c7e52382d7bbe666dafb10c12fc2799210

Security Headers

Name	Value
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: br
last-modified: Mon, 21 Oct 2019 12:00:00 GMT
server: Google Tag Manager
access-control-allow-headers: Cache-Control
status: 200
vary: Accept-Encoding
content-type: application/javascript; charset=UTF-8
access-control-allow-origin: http://www.googletagmanager.com
cache-control: private, max-age=900
access-control-allow-credentials: true
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 28467
x-xss-protection: 0
expires: Mon, 21 Oct 2019 13:18:57 GMT

GET
H2 200 insight.min.js Show response
research.juniper.net/ Frame 3286 15 KB
15 KB 8ms
8ms Script
application/javascript 143.204.101.123
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://research.juniper.net/insight.min.js
Requested by: Host: research.juniper.net
URL: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-143-204-101-123.fra50.r.cloudfront.net
Software: AmazonS3 /
Resource Hash: c0f533082d6b784c7f939ad3fbcafc2faa6a88d96f0b076f7a0e28b431995bff

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 12:19:38 GMT
via: 1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
last-modified: Fri, 26 Jul 2019 18:43:20 GMT
server: AmazonS3
age: 3560
etag: "5b837d1dc3da4d22567332e2fe693e12"
x-cache: Hit from cloudfront
content-type: application/javascript
status: 200
cache-control: max-age=3600
x-amz-cf-pop: FRA50-C1
accept-ranges: bytes
content-length: 15282
x-amz-cf-id: wEjxZ0RV4Z7eyUaHn_kG-YO_svjNZN8yxGPucO0G4cVsoihg0V2D6g==

GET
H2 200 fbevents.js Show response
connect.facebook.net/en_US/ Frame 3286 103 KB
22 KB 6ms
6ms Script
application/x-javascript 2a03:2880:f01c:8012:face:b00c:0:3
Facebook

General

Check archive.org

Show headers Download Go to

Full URL

https://connect.facebook.net/en_US/fbevents.js

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),

Reverse DNS

Software

Resource Hash

9404cee30e4489a7ed4d6de2dd92aa8e4386fd5ff1c81ebcea77f581952eac31

Security Headers

Name	Value
Content-Security-Policy	default-src * data: blob:;script-src .facebook.com .fbcdn.net .facebook.net .google-analytics.com .virtualearth.net .google.com 127.0.0.1:* .spotilocal.com: 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' ;connect-src .facebook.com facebook.com .fbcdn.net .facebook.net .spotilocal.com: wss://.facebook.com: https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
Strict-Transport-Security	max-age=31536000; preload; includeSubDomains
X-Content-Type-Options	nosniff
X-Frame-Options	DENY
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; preload; includeSubDomains
content-encoding: gzip
x-content-type-options: nosniff
status: 200
alt-svc: h3-23=":443"; ma=3600
content-length: 22458
x-xss-protection: 0
pragma: public
x-fb-debug: 9LbhJYzqUafrwz9qmZ4HDRNhb8q7fXt1MM5ApUMTvvWp3Z9QWj/E8lrNHMBcR5YK5sgLb/VAFeVgDSTd9xFQ7g==
x-fb-trip-id: 1850256238
x-frame-options: DENY
date: Mon, 21 Oct 2019 13:18:57 GMT
vary: Accept-Encoding
content-type: application/x-javascript; charset=utf-8
cache-control: public, max-age=1200
content-security-policy: default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
expires: Sat, 01 Jan 2000 00:00:00 GMT

GET
H2 200 uwt.js Show response
static.ads-twitter.com/ Frame 3286 5 KB
2 KB 7ms
6ms Script
application/javascript 151.101.112.157
Fastly

General

Check archive.org

Show headers Download Go to

Full URL: https://static.ads-twitter.com/uwt.js
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 151.101.112.157 Frankfurt am Main, Germany, ASN54113 (FASTLY - Fastly, US),
Reverse DNS
Software: /
Resource Hash: 319949c8c08b86e9c35ea542c0dc0c30cedaa9b8d3d3c3327a36c91aefbd8af5

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
age: 18364
x-cache: HIT
p3p: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status: 200
content-length: 1954
x-served-by: cache-hhn4065-HHN
last-modified: Tue, 23 Jan 2018 20:09:00 GMT
x-timer: S1571663937.066284,VS0,VE0
etag: "b7b33882a4f3ffd5cbf07434f3137166+gzip"
vary: Accept-Encoding,Host
content-type: application/javascript; charset=utf-8
via: 1.1 varnish
cache-control: no-cache
accept-ranges: bytes

GET
H2 200 /
collect.rmulus.com/ Frame 3286 43 B
367 B 7ms
7ms Image
image/gif 143.204.101.13
Amazon.com

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://collect.rmulus.com/?_pclId=3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937&_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=4c8a59ab63a77a27026bf4490e98a2f1&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&cachebuster=26710060
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 143.204.101.13 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-143-204-101-13.fra50.r.cloudfront.net
Software: AmazonS3 /
Resource Hash: cf4724b2f736ed1a0ae6bc28f1ead963d9cd2c1fd87b6ef32e7799fc1c5c8bda

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Fri, 18 Oct 2019 15:35:22 GMT
via: 1.1 c6702f5f3b6e77da6f394e67ef1a6aab.cloudfront.net (CloudFront)
last-modified: Mon, 16 Jan 2017 04:49:32 GMT
server: AmazonS3
age: 77937
etag: "ad4b0f606e0f8465bc4c4c170b37e1a3"
x-cache: Hit from cloudfront
content-type: image/gif
status: 200
x-amz-cf-pop: FRA50-C1
accept-ranges: bytes
content-length: 43
x-amz-cf-id: kL6Cr30P63m5mFrJwMR-kI16Le_Zoa5E4zV_pB8WQAioMJgUVj3GOw==

GET
H2 200 js Show response
www.googletagmanager.com/gtag/ Frame 436D 74 KB
28 KB 16ms
16ms Script
application/javascript 2a00:1450:4001:814::2008
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.googletagmanager.com/gtag/js?id=AW-819694878

Requested by

Host: research.juniper.net
URL: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:814::2008 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

Google Tag Manager /

Resource Hash

acbde4a5a6ca3a99092c40c7d64b1e6a3c170a991a1ae98dd28b590cec53a7c0

Security Headers

Name	Value
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: br
last-modified: Mon, 21 Oct 2019 12:00:00 GMT
server: Google Tag Manager
access-control-allow-headers: Cache-Control
status: 200
vary: Accept-Encoding
content-type: application/javascript; charset=UTF-8
access-control-allow-origin: http://www.googletagmanager.com
cache-control: private, max-age=900
access-control-allow-credentials: true
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 28466
x-xss-protection: 0
expires: Mon, 21 Oct 2019 13:18:57 GMT

GET
H2 200 js Show response
www.googletagmanager.com/gtag/ Frame 436D 74 KB
28 KB 30ms
30ms Script
application/javascript 2a00:1450:4001:814::2008
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.googletagmanager.com/gtag/js?id=AW-956680084

Requested by

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:814::2008 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

Google Tag Manager /

Resource Hash

656e1fb71a24f4d230a9ce9ff572e6c7e52382d7bbe666dafb10c12fc2799210

Security Headers

Name	Value
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: br
last-modified: Mon, 21 Oct 2019 12:00:00 GMT
server: Google Tag Manager
access-control-allow-headers: Cache-Control
status: 200
vary: Accept-Encoding
content-type: application/javascript; charset=UTF-8
access-control-allow-origin: http://www.googletagmanager.com
cache-control: private, max-age=900
access-control-allow-credentials: true
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 28467
x-xss-protection: 0
expires: Mon, 21 Oct 2019 13:18:57 GMT

GET
H2 200 insight.min.js Show response
research.juniper.net/ Frame 436D 15 KB
15 KB 9ms
9ms Script
application/javascript 143.204.101.123
Amazon.com

General

Check archive.org

Show headers Download Go to

Full URL: https://research.juniper.net/insight.min.js
Requested by: Host: research.juniper.net
URL: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 143.204.101.123 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-143-204-101-123.fra50.r.cloudfront.net
Software: AmazonS3 /
Resource Hash: c0f533082d6b784c7f939ad3fbcafc2faa6a88d96f0b076f7a0e28b431995bff

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 12:19:38 GMT
via: 1.1 1b73451818d2dd47a574604c0b84f692.cloudfront.net (CloudFront)
last-modified: Fri, 26 Jul 2019 18:43:20 GMT
server: AmazonS3
age: 3560
etag: "5b837d1dc3da4d22567332e2fe693e12"
x-cache: Hit from cloudfront
content-type: application/javascript
status: 200
cache-control: max-age=3600
x-amz-cf-pop: FRA50-C1
accept-ranges: bytes
content-length: 15282
x-amz-cf-id: gR1ZjtFjfZ4YkwHsTrje_r2kXtufZ0BFhW4_5kdUWqXcw9rjztMb5A==

GET
H2 200 fbevents.js Show response
connect.facebook.net/en_US/ Frame 436D 103 KB
22 KB 6ms
6ms Script
application/x-javascript 2a03:2880:f01c:8012:face:b00c:0:3
Facebook

General

Check archive.org

Show headers Download Go to

Full URL

https://connect.facebook.net/en_US/fbevents.js

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),

Reverse DNS

Software

Resource Hash

9404cee30e4489a7ed4d6de2dd92aa8e4386fd5ff1c81ebcea77f581952eac31

Security Headers

Name	Value
Content-Security-Policy	default-src * data: blob:;script-src .facebook.com .fbcdn.net .facebook.net .google-analytics.com .virtualearth.net .google.com 127.0.0.1:* .spotilocal.com: 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' ;connect-src .facebook.com facebook.com .fbcdn.net .facebook.net .spotilocal.com: wss://.facebook.com: https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
Strict-Transport-Security	max-age=31536000; preload; includeSubDomains
X-Content-Type-Options	nosniff
X-Frame-Options	DENY
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; preload; includeSubDomains
content-encoding: gzip
x-content-type-options: nosniff
status: 200
alt-svc: h3-23=":443"; ma=3600
content-length: 22458
x-xss-protection: 0
pragma: public
x-fb-debug: 9LbhJYzqUafrwz9qmZ4HDRNhb8q7fXt1MM5ApUMTvvWp3Z9QWj/E8lrNHMBcR5YK5sgLb/VAFeVgDSTd9xFQ7g==
x-fb-trip-id: 1850256238
x-frame-options: DENY
date: Mon, 21 Oct 2019 13:18:57 GMT
vary: Accept-Encoding
content-type: application/x-javascript; charset=utf-8
cache-control: public, max-age=1200
content-security-policy: default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
expires: Sat, 01 Jan 2000 00:00:00 GMT

GET
H2 200 uwt.js Show response
static.ads-twitter.com/ Frame 436D 5 KB
2 KB 7ms
7ms Script
application/javascript 151.101.112.157
Fastly

General

Check archive.org

Show headers Download Go to

Full URL: https://static.ads-twitter.com/uwt.js
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 151.101.112.157 Frankfurt am Main, Germany, ASN54113 (FASTLY - Fastly, US),
Reverse DNS
Software: /
Resource Hash: 319949c8c08b86e9c35ea542c0dc0c30cedaa9b8d3d3c3327a36c91aefbd8af5

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
age: 18364
x-cache: HIT
p3p: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status: 200
content-length: 1954
x-served-by: cache-hhn4065-HHN
last-modified: Tue, 23 Jan 2018 20:09:00 GMT
x-timer: S1571663937.087518,VS0,VE0
etag: "b7b33882a4f3ffd5cbf07434f3137166+gzip"
vary: Accept-Encoding,Host
content-type: application/javascript; charset=utf-8
via: 1.1 varnish
cache-control: no-cache
accept-ranges: bytes

GET
H2 200 /
collect.rmulus.com/ Frame 436D 43 B
368 B 8ms
7ms Image
image/gif 143.204.101.13
Amazon.com

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://collect.rmulus.com/?_pclId=3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937&_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=4c8a59ab63a77a27026bf4490e98a2f1&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&cachebuster=31422717
Requested by: Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 143.204.101.13 Seattle, United States, ASN16509 (AMAZON-02 - Amazon.com, Inc., US),
Reverse DNS: server-143-204-101-13.fra50.r.cloudfront.net
Software: AmazonS3 /
Resource Hash: cf4724b2f736ed1a0ae6bc28f1ead963d9cd2c1fd87b6ef32e7799fc1c5c8bda

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Fri, 18 Oct 2019 15:35:22 GMT
via: 1.1 c6702f5f3b6e77da6f394e67ef1a6aab.cloudfront.net (CloudFront)
last-modified: Mon, 16 Jan 2017 04:49:32 GMT
server: AmazonS3
age: 77937
etag: "ad4b0f606e0f8465bc4c4c170b37e1a3"
x-cache: Hit from cloudfront
content-type: image/gif
status: 200
x-amz-cf-pop: FRA50-C1
accept-ranges: bytes
content-length: 43
x-amz-cf-id: fERUd6f-w4tiXOagwK3795Fy7FaFIBwqfzbCINPXmk6Mcqp5kq8Vcw==

GET
H2 200 / Show response
px.ads.linkedin.com/collect/ Frame 3286 0
103 B 164ms
163ms Script
application/javascript 2a05:f500:11:101::b93f:9005
LinkedIn Corporation

General

Check archive.org

Show headers Download Go to

Full URL: https://px.ads.linkedin.com/collect/?time=1571663937092&pid=1318724%2C4751&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%2526_pclPrint%253Dtrue%2526_ptwAids%253Do1oeb%257Cnvrg6%2526_pfbAids%253D340159566928684%257C437764526963678%2526_pliPids%253D1318724%257C4751%2526_pawAids%253DAW-819694878%257CAW-956680084%2526jnpr_vId%253DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%26_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3D%257B%2522not%2520found%2522%253A%2522not%2520found%2522%257D%26_pcityName%3DUnavailable%26_pcompanyName%3DHetzner%2520Online%2520GmbH%26_pcontinentCode%3DEU%26_pcontinentName%3DEurope%26_pcountryISOCode%3DDE%26_pcountryName%3DGermany%26_platitude%3D51.2993%26_plongitude%3D9.491%26_pmatchedIP%3D144.76.109.30%26_ppostalCode%3DNone%26_pstateISOCode%3DUnavailable%26_pstateName%3DUnavailable%26_ptimeZone%3DEurope%252FBerlin%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%257Cnvrg6%26_pfbAids%3D340159566928684%257C437764526963678%26_pliPids%3D1318724%257C4751%26_pawAids%3DAW-819694878%257CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&fmt=js&s=1
Requested by: Host: research.juniper.net
URL: https://research.juniper.net/insight.min.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 2a05:f500:11:101::b93f:9005 , Ireland, ASN14413 (LINKEDIN - LinkedIn Corporation, US),
Reverse DNS
Software: Play /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
server: Play
vary: Accept-Encoding
x-li-fabric: prod-lor1
status: 200
x-li-proto: http/2
x-li-pop: prod-tln1
content-type: application/javascript
content-length: 20
x-li-uuid: T+9PFQaszxWAQJfU7ioAAA==

GET
H2 200 adsct Show response
analytics.twitter.com/i/ Frame 3286 31 B
163 B 119ms
117ms Script
application/javascript 104.244.42.67
Twitter Inc.

General

Check archive.org

Show headers Download Go to

Full URL

https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1oeb&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=1&tw_document_referrer=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%2526_pclPrint%253Dtrue%2526_ptwAids%253Do1oeb%257Cnvrg6%2526_pfbAids%253D340159566928684%257C437764526963678%2526_pliPids%253D1318724%257C4751%2526_pawAids%253DAW-819694878%257CAW-956680084%2526jnpr_vId%253DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%26_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3D%257B%2522not%2520found%2522%253A%2522not%2520found%2522%257D%26_pcityName%3DUnavailable%26_pcompanyName%3DHetzner%2520Online%2520GmbH%26_pcontinentCode%3DEU%26_pcontinentName%3DEurope%26_pcountryISOCode%3DDE%26_pcountryName%3DGermany%26_platitude%3D51.2993%26_plongitude%3D9.491%26_pmatchedIP%3D144.76.109.30%26_ppostalCode%3DNone%26_pstateISOCode%3DUnavailable%26_pstateName%3DUnavailable%26_ptimeZone%3DEurope%252FBerlin%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%257Cnvrg6%26_pfbAids%3D340159566928684%257C437764526963678%26_pliPids%3D1318724%257C4751%26_pawAids%3DAW-819694878%257CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936

Requested by

Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf

Security Headers

Name	Value
Strict-Transport-Security	max-age=631138519
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
p3p: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
strict-transport-security: max-age=631138519
content-length: 57
x-xss-protection: 0
x-response-time: 111
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:57 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
content-type: application/javascript;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: b72d2a40f7abbe035d79f11461ece10a
x-transaction: 007a2624002ace85
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 adsct Show response
analytics.twitter.com/i/ Frame 3286 31 B
112 B 131ms
129ms Script
application/javascript 104.244.42.67
Twitter Inc.

General

Check archive.org

Show headers Download Go to

Full URL

https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=nvrg6&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=1&tw_document_referrer=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%2526_pclPrint%253Dtrue%2526_ptwAids%253Do1oeb%257Cnvrg6%2526_pfbAids%253D340159566928684%257C437764526963678%2526_pliPids%253D1318724%257C4751%2526_pawAids%253DAW-819694878%257CAW-956680084%2526jnpr_vId%253DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%26_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3D%257B%2522not%2520found%2522%253A%2522not%2520found%2522%257D%26_pcityName%3DUnavailable%26_pcompanyName%3DHetzner%2520Online%2520GmbH%26_pcontinentCode%3DEU%26_pcontinentName%3DEurope%26_pcountryISOCode%3DDE%26_pcountryName%3DGermany%26_platitude%3D51.2993%26_plongitude%3D9.491%26_pmatchedIP%3D144.76.109.30%26_ppostalCode%3DNone%26_pstateISOCode%3DUnavailable%26_pstateName%3DUnavailable%26_ptimeZone%3DEurope%252FBerlin%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%257Cnvrg6%26_pfbAids%3D340159566928684%257C437764526963678%26_pliPids%3D1318724%257C4751%26_pawAids%3DAW-819694878%257CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936

Requested by

Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf

Security Headers

Name	Value
Strict-Transport-Security	max-age=631138519
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
p3p: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
strict-transport-security: max-age=631138519
content-length: 57
x-xss-protection: 0
x-response-time: 119
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:57 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
content-type: application/javascript;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: b72d2a40f7abbe035d79f11461ece10a
x-transaction: 002d81a300364069
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 adsct
t.co/i/ Frame 3286 43 B
170 B 125ms
124ms Image
image/gif 104.244.42.197
Twitter Inc.

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1oeb&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=1&tw_document_referrer=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957

Security Headers

Name	Value
Strict-Transport-Security	max-age=0
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
content-length: 65
x-xss-protection: 0
x-response-time: 116
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:57 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=0
content-type: image/gif;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: c8d0b280c8bbf40823452698b765fc70
x-transaction: 00d4a608009001d6
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 adsct
t.co/i/ Frame 3286 43 B
119 B 132ms
131ms Image
image/gif 104.244.42.197
Twitter Inc.

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://t.co/i/adsct?p_id=Twitter&p_user_id=0&txn_id=nvrg6&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=1&tw_document_referrer=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957

Security Headers

Name	Value
Strict-Transport-Security	max-age=0
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
content-length: 65
x-xss-protection: 0
x-response-time: 121
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:57 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=0
content-type: image/gif;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: c8d0b280c8bbf40823452698b765fc70
x-transaction: 0059e76e00388ede
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 340159566928684 Show response
connect.facebook.net/signals/config/ Frame 3286 280 KB
65 KB 8ms
8ms Script
application/x-javascript 2a03:2880:f01c:8012:face:b00c:0:3
Facebook

General

Check archive.org

Show headers Download Go to

Full URL

https://connect.facebook.net/signals/config/340159566928684?v=2.9.5&r=stable

Requested by

Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),

Reverse DNS

Software

Resource Hash

80a19a79e29cb723295fdccd389f61b999ccb6bde709c20cf6c970e7211b253c

Security Headers

Name	Value
Content-Security-Policy	default-src * data: blob:;script-src .facebook.com .fbcdn.net .facebook.net .google-analytics.com .virtualearth.net .google.com 127.0.0.1:* .spotilocal.com: 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' ;connect-src .facebook.com facebook.com .fbcdn.net .facebook.net .spotilocal.com: wss://.facebook.com: https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
Strict-Transport-Security	max-age=31536000; preload; includeSubDomains
X-Content-Type-Options	nosniff
X-Frame-Options	DENY
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; preload; includeSubDomains
content-encoding: gzip
x-content-type-options: nosniff
status: 200
alt-svc: h3-23=":443"; ma=3600
content-length: 66234
x-xss-protection: 0
pragma: public
x-fb-debug: UQoTLa/Pw+3drt1oACzlPlQlTj7CRTvYPVjCIWfW1U0f6kMq1rkEcv4bRiLqWOjtN//xFJrxbXeTPOVC5fjQWg==
x-fb-trip-id: 1850256238
x-frame-options: DENY
date: Mon, 21 Oct 2019 13:18:57 GMT
vary: Accept-Encoding
content-type: application/x-javascript; charset=utf-8
cache-control: public, max-age=1200
content-security-policy: default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
expires: Sat, 01 Jan 2000 00:00:00 GMT

GET
H2 200 340159566928684 Show response
connect.facebook.net/signals/config/ Frame 436D 280 KB
65 KB 7ms
6ms Script
application/x-javascript 2a03:2880:f01c:8012:face:b00c:0:3
Facebook

General

Check archive.org

Show headers Download Go to

Full URL

https://connect.facebook.net/signals/config/340159566928684?v=2.9.5&r=stable

Requested by

Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),

Reverse DNS

Software

Resource Hash

80a19a79e29cb723295fdccd389f61b999ccb6bde709c20cf6c970e7211b253c

Security Headers

Name	Value
Content-Security-Policy	default-src * data: blob:;script-src .facebook.com .fbcdn.net .facebook.net .google-analytics.com .virtualearth.net .google.com 127.0.0.1:* .spotilocal.com: 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' ;connect-src .facebook.com facebook.com .fbcdn.net .facebook.net .spotilocal.com: wss://.facebook.com: https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
Strict-Transport-Security	max-age=31536000; preload; includeSubDomains
X-Content-Type-Options	nosniff
X-Frame-Options	DENY
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; preload; includeSubDomains
content-encoding: gzip
x-content-type-options: nosniff
status: 200
alt-svc: h3-23=":443"; ma=3600
content-length: 66234
x-xss-protection: 0
pragma: public
x-fb-debug: UQoTLa/Pw+3drt1oACzlPlQlTj7CRTvYPVjCIWfW1U0f6kMq1rkEcv4bRiLqWOjtN//xFJrxbXeTPOVC5fjQWg==
x-fb-trip-id: 1850256238
x-frame-options: DENY
date: Mon, 21 Oct 2019 13:18:57 GMT
vary: Accept-Encoding
content-type: application/x-javascript; charset=utf-8
cache-control: public, max-age=1200
content-security-policy: default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
expires: Sat, 01 Jan 2000 00:00:00 GMT

GET
H2 200 conversion_async.js Show response
www.googleadservices.com/pagead/ Frame 3286 24 KB
9 KB 16ms
16ms Script
text/javascript 216.58.207.66
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.googleadservices.com/pagead/conversion_async.js

Requested by

Host: www.googletagmanager.com
URL: https://www.googletagmanager.com/gtag/js?id=AW-819694878

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

216.58.207.66 Mountain View, United States, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

fra16s25-in-f2.1e100.net

Software

cafe /

Resource Hash

04cc99186aa1ed2c9e0989ad7f6a2e180508c8656caef8cd2b153fa8dbba9038

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
content-disposition: attachment; filename="f.txt"
alt-svc: quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 9198
x-xss-protection: 0
server: cafe
etag: 4566352449703540938
vary: Accept-Encoding
content-type: text/javascript; charset=UTF-8
cache-control: private, max-age=3600
timing-allow-origin: *
expires: Mon, 21 Oct 2019 13:18:57 GMT

GET
H2 200 / Show response
px.ads.linkedin.com/collect/ Frame 436D 0
69 B 163ms
163ms Script
application/javascript 2a05:f500:11:101::b93f:9005
LinkedIn Corporation

General

Check archive.org

Show headers Download Go to

Full URL: https://px.ads.linkedin.com/collect/?time=1571663937119&pid=1318724%2C4751&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%2526_pclPrint%253Dtrue%2526_ptwAids%253Do1oeb%257Cnvrg6%2526_pfbAids%253D340159566928684%257C437764526963678%2526_pliPids%253D1318724%257C4751%2526_pawAids%253DAW-819694878%257CAW-956680084%2526jnpr_vId%253DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%26_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3D%257B%2522not%2520found%2522%253A%2522not%2520found%2522%257D%26_pcityName%3DUnavailable%26_pcompanyName%3DHetzner%2520Online%2520GmbH%26_pcontinentCode%3DEU%26_pcontinentName%3DEurope%26_pcountryISOCode%3DDE%26_pcountryName%3DGermany%26_platitude%3D51.2993%26_plongitude%3D9.491%26_pmatchedIP%3D144.76.109.30%26_ppostalCode%3DNone%26_pstateISOCode%3DUnavailable%26_pstateName%3DUnavailable%26_ptimeZone%3DEurope%252FBerlin%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%257Cnvrg6%26_pfbAids%3D340159566928684%257C437764526963678%26_pliPids%3D1318724%257C4751%26_pawAids%3DAW-819694878%257CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&fmt=js&s=1
Requested by: Host: research.juniper.net
URL: https://research.juniper.net/insight.min.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_128_GCM
Server: 2a05:f500:11:101::b93f:9005 , Ireland, ASN14413 (LINKEDIN - LinkedIn Corporation, US),
Reverse DNS
Software: Play /
Resource Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
server: Play
vary: Accept-Encoding
x-li-fabric: prod-lor1
status: 200
x-li-proto: http/2
x-li-pop: prod-tln1
content-type: application/javascript
content-length: 20
x-li-uuid: AhjYFgaszxVgfpK97SoAAA==

GET
H2 200 adsct Show response
analytics.twitter.com/i/ Frame 436D 31 B
118 B 130ms
129ms Script
application/javascript 104.244.42.67
Twitter Inc.

General

Check archive.org

Show headers Download Go to

Full URL

https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o1oeb&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=1&tw_document_referrer=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%2526_pclPrint%253Dtrue%2526_ptwAids%253Do1oeb%257Cnvrg6%2526_pfbAids%253D340159566928684%257C437764526963678%2526_pliPids%253D1318724%257C4751%2526_pawAids%253DAW-819694878%257CAW-956680084%2526jnpr_vId%253DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%26_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3D%257B%2522not%2520found%2522%253A%2522not%2520found%2522%257D%26_pcityName%3DUnavailable%26_pcompanyName%3DHetzner%2520Online%2520GmbH%26_pcontinentCode%3DEU%26_pcontinentName%3DEurope%26_pcountryISOCode%3DDE%26_pcountryName%3DGermany%26_platitude%3D51.2993%26_plongitude%3D9.491%26_pmatchedIP%3D144.76.109.30%26_ppostalCode%3DNone%26_pstateISOCode%3DUnavailable%26_pstateName%3DUnavailable%26_ptimeZone%3DEurope%252FBerlin%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%257Cnvrg6%26_pfbAids%3D340159566928684%257C437764526963678%26_pliPids%3D1318724%257C4751%26_pawAids%3DAW-819694878%257CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936

Requested by

Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf

Security Headers

Name	Value
Strict-Transport-Security	max-age=631138519
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
p3p: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
strict-transport-security: max-age=631138519
content-length: 57
x-xss-protection: 0
x-response-time: 113
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:57 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
content-type: application/javascript;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: b72d2a40f7abbe035d79f11461ece10a
x-transaction: 001a888b00666748
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 adsct
t.co/i/ Frame 436D 43 B
124 B 129ms
128ms Image
image/gif 104.244.42.197
Twitter Inc.

General

Check archive.org

Show headers Download Go to Show image

Full URL

Requested by

Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957

Security Headers

Name	Value
Strict-Transport-Security	max-age=0
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
content-length: 65
x-xss-protection: 0
x-response-time: 109
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:57 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=0
content-type: image/gif;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: c8d0b280c8bbf40823452698b765fc70
x-transaction: 00432d400000dd44
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 adsct Show response
analytics.twitter.com/i/ Frame 436D 31 B
117 B 130ms
130ms Script
application/javascript 104.244.42.67
Twitter Inc.

General

Check archive.org

Show headers Download Go to

Full URL

https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=nvrg6&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0&tw_iframe_status=1&tw_document_referrer=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&tpx_cb=twttr.conversion.loadPixels&tw_document_href=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%2526_pclPrint%253Dtrue%2526_ptwAids%253Do1oeb%257Cnvrg6%2526_pfbAids%253D340159566928684%257C437764526963678%2526_pliPids%253D1318724%257C4751%2526_pawAids%253DAW-819694878%257CAW-956680084%2526jnpr_vId%253DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%26_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3D%257B%2522not%2520found%2522%253A%2522not%2520found%2522%257D%26_pcityName%3DUnavailable%26_pcompanyName%3DHetzner%2520Online%2520GmbH%26_pcontinentCode%3DEU%26_pcontinentName%3DEurope%26_pcountryISOCode%3DDE%26_pcountryName%3DGermany%26_platitude%3D51.2993%26_plongitude%3D9.491%26_pmatchedIP%3D144.76.109.30%26_ppostalCode%3DNone%26_pstateISOCode%3DUnavailable%26_pstateName%3DUnavailable%26_ptimeZone%3DEurope%252FBerlin%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%257Cnvrg6%26_pfbAids%3D340159566928684%257C437764526963678%26_pliPids%3D1318724%257C4751%26_pawAids%3DAW-819694878%257CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936

Requested by

Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.67 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf

Security Headers

Name	Value
Strict-Transport-Security	max-age=631138519
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
p3p: CP="CAO DSP LAW CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa OUR BUS IND UNI COM NAV INT"
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
strict-transport-security: max-age=631138519
content-length: 57
x-xss-protection: 0
x-response-time: 114
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:57 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
content-type: application/javascript;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: b72d2a40f7abbe035d79f11461ece10a
x-transaction: 0098972100a8fc00
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 adsct
t.co/i/ Frame 436D 43 B
119 B 129ms
128ms Image
image/gif 104.244.42.197
Twitter Inc.

General

Check archive.org

Show headers Download Go to Show image

Full URL

Requested by

Host: static.ads-twitter.com
URL: https://static.ads-twitter.com/uwt.js

Protocol

Security

TLS 1.2, ECDHE_RSA, AES_128_GCM

Server

104.244.42.197 , United States, ASN13414 (TWITTER - Twitter Inc., US),

Reverse DNS

Software

tsa_o /

Resource Hash

ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957

Security Headers

Name	Value
Strict-Transport-Security	max-age=0
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
status: 200, 200 OK
x-twitter-response-tags: BouncerCompliant
content-length: 65
x-xss-protection: 0
x-response-time: 116
pragma: no-cache
last-modified: Mon, 21 Oct 2019 13:18:57 GMT
server: tsa_o
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=0
content-type: image/gif;charset=utf-8
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
x-connection-hash: c8d0b280c8bbf40823452698b765fc70
x-transaction: 00a2e017006bdb0f
expires: Tue, 31 Mar 1981 05:00:00 GMT

GET
H2 200 conversion_async.js Show response
www.googleadservices.com/pagead/ Frame 436D 24 KB
9 KB 24ms
23ms Script
text/javascript 216.58.207.66
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://www.googleadservices.com/pagead/conversion_async.js

Requested by

Host: www.googletagmanager.com
URL: https://www.googletagmanager.com/gtag/js?id=AW-819694878

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

216.58.207.66 Mountain View, United States, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

fra16s25-in-f2.1e100.net

Software

cafe /

Resource Hash

04cc99186aa1ed2c9e0989ad7f6a2e180508c8656caef8cd2b153fa8dbba9038

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
content-disposition: attachment; filename="f.txt"
alt-svc: quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 9198
x-xss-protection: 0
server: cafe
etag: 4566352449703540938
vary: Accept-Encoding
content-type: text/javascript; charset=UTF-8
cache-control: private, max-age=3600
timing-allow-origin: *
expires: Mon, 21 Oct 2019 13:18:57 GMT

POST
H2 200 /
www.facebook.com/tr/ Frame 8CEE 0
0 7ms
6ms Document
text/plain 2a03:2880:f11c:8183:face:b00c:0:25de
Facebook

General

Check archive.org

Show headers Download Go to

Full URL

https://www.facebook.com/tr/

Requested by

Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f11c:8183:face:b00c:0:25de , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),

Reverse DNS

Software

proxygen-bolt /

Resource Hash

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains

Request headers

:method: POST
:authority: www.facebook.com
:scheme: https
:path: /tr/
content-length: 3794
pragma: no-cache
cache-control: no-cache
origin: https://research.juniper.net
upgrade-insecure-requests: 1
content-type: application/x-www-form-urlencoded
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode: nested-navigate
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: cross-site
referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
accept-encoding: gzip, deflate, br
Origin: https://research.juniper.net
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936

Response headers

status: 200
content-type: text/plain
access-control-allow-origin: https://research.juniper.net
access-control-allow-credentials: true
strict-transport-security: max-age=31536000; includeSubDomains
content-length: 0
server: proxygen-bolt
alt-svc: h3-23=":443"; ma=3600
date: Mon, 21 Oct 2019 13:18:57 GMT

GET
H2 200 437764526963678 Show response
connect.facebook.net/signals/config/ Frame 3286 281 KB
65 KB 6ms
6ms Script
application/x-javascript 2a03:2880:f01c:8012:face:b00c:0:3
Facebook

General

Check archive.org

Show headers Download Go to

Full URL

https://connect.facebook.net/signals/config/437764526963678?v=2.9.5&r=stable

Requested by

Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),

Reverse DNS

Software

Resource Hash

711484d0904f76b29c4cbf14e3e7d11c818545fdf95c19112c2ef1bd3e0680b8

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; preload; includeSubDomains
X-Content-Type-Options	nosniff
X-Frame-Options	DENY
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; preload; includeSubDomains
content-encoding: gzip
x-content-type-options: nosniff
status: 200
alt-svc: h3-23=":443"; ma=3600
content-length: 66280
x-xss-protection: 0
pragma: public
x-fb-debug: pZGS4bnavCzec4DHVgpYFP8wBaDZBN2CpeyktdImSa4dtsBLo7y7nBaB47gPrhj16L/LKZbFI04oYBfiIMFitw==
x-fb-trip-id: 1850256238
x-frame-options: DENY
date: Mon, 21 Oct 2019 13:18:57 GMT
vary: Accept-Encoding
content-type: application/x-javascript; charset=utf-8
cache-control: public, max-age=1200
expires: Sat, 01 Jan 2000 00:00:00 GMT

POST
H2 200 /
www.facebook.com/tr/ Frame 3470 0
0 6ms
6ms Document
text/plain 2a03:2880:f11c:8183:face:b00c:0:25de
Facebook

General

Check archive.org

Show headers Download Go to

Full URL

https://www.facebook.com/tr/

Requested by

Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f11c:8183:face:b00c:0:25de , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),

Reverse DNS

Software

proxygen-bolt /

Resource Hash

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains

Request headers

:method: POST
:authority: www.facebook.com
:scheme: https
:path: /tr/
content-length: 3846
pragma: no-cache
cache-control: no-cache
origin: https://research.juniper.net
upgrade-insecure-requests: 1
content-type: application/x-www-form-urlencoded
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode: nested-navigate
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: cross-site
referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
accept-encoding: gzip, deflate, br
Origin: https://research.juniper.net
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936

Response headers

status: 200
content-type: text/plain
access-control-allow-origin: https://research.juniper.net
access-control-allow-credentials: true
strict-transport-security: max-age=31536000; includeSubDomains
content-length: 0
server: proxygen-bolt
alt-svc: h3-23=":443"; ma=3600
date: Mon, 21 Oct 2019 13:18:57 GMT

GET
H2 200 437764526963678 Show response
connect.facebook.net/signals/config/ Frame 436D 281 KB
65 KB 6ms
5ms Script
application/x-javascript 2a03:2880:f01c:8012:face:b00c:0:3
Facebook

General

Check archive.org

Show headers Download Go to

Full URL

https://connect.facebook.net/signals/config/437764526963678?v=2.9.5&r=stable

Requested by

Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),

Reverse DNS

Software

Resource Hash

711484d0904f76b29c4cbf14e3e7d11c818545fdf95c19112c2ef1bd3e0680b8

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; preload; includeSubDomains
X-Content-Type-Options	nosniff
X-Frame-Options	DENY
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security: max-age=31536000; preload; includeSubDomains
content-encoding: gzip
x-content-type-options: nosniff
status: 200
alt-svc: h3-23=":443"; ma=3600
content-length: 66280
x-xss-protection: 0
pragma: public
x-fb-debug: pZGS4bnavCzec4DHVgpYFP8wBaDZBN2CpeyktdImSa4dtsBLo7y7nBaB47gPrhj16L/LKZbFI04oYBfiIMFitw==
x-fb-trip-id: 1850256238
x-frame-options: DENY
date: Mon, 21 Oct 2019 13:18:57 GMT
vary: Accept-Encoding
content-type: application/x-javascript; charset=utf-8
cache-control: public, max-age=1200
expires: Sat, 01 Jan 2000 00:00:00 GMT

GET
H2 200 / Show response
googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/ Frame 3286 3 KB
1 KB 20ms
20ms Script
text/javascript 2a00:1450:4001:818::2002
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/?random=1571663937199&cv=9&fst=1571663937199&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&rfmt=3&fmt=4

Requested by

Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion_async.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:818::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

f3572da14ecd1438b014367bee13c3f32b1bbce41a0ea16254a3455c64b064f2

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status: 200
cache-control: no-cache, must-revalidate
content-disposition: attachment; filename="f.txt"
content-type: text/javascript; charset=UTF-8
alt-svc: quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 1228
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 / Show response
googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/ Frame 3286 7 KB
2 KB 22ms
22ms Script
text/javascript 2a00:1450:4001:818::2002
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/?random=1571663937200&cv=9&fst=1571663937200&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&rfmt=3&fmt=4

Requested by

Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion_async.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:818::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

3a97f850111de83f07a53261de9a8a1dfa6823a4ea63ee414a9f3533c247b3ef

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status: 200
cache-control: no-cache, must-revalidate
content-disposition: attachment; filename="f.txt"
content-type: text/javascript; charset=UTF-8
alt-svc: quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 1827
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2

200

/
www.google.de/pagead/1p-user-list/956680084/ Frame 3286
Redirect Chain

https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663937200&cv=9&fst=1571663937200&num=1&fmt=3&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=12...
https://www.google.com/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java...
https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=...

42 B
110 B

37ms
37ms

Image
image/gif

2a00:1450:4001:821::2003
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

Redirect headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 302
content-type: image/gif
location: https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3031433607&resp=GooglemKTybQhCsO&ipr=y
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
timing-allow-origin: *
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2

200

/
www.google.de/pagead/1p-user-list/956680084/ Frame 3286
Redirect Chain

https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663937200&cv=9&fst=1571663937200&num=1&fmt=3&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=12...
https://www.google.com/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java...
https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=...

42 B
110 B

23ms
23ms

Image
image/gif

2a00:1450:4001:821::2003
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=2817242393&resp=GooglemKTybQhCsO&ipr=y

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

Redirect headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 302
content-type: image/gif
location: https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937200&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=2817242393&resp=GooglemKTybQhCsO&ipr=y
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
timing-allow-origin: *
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 / Show response
googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/ Frame 436D 3 KB
1 KB 20ms
19ms Script
text/javascript 2a00:1450:4001:818::2002
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/?random=1571663937203&cv=9&fst=1571663937203&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&rfmt=3&fmt=4

Requested by

Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion_async.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:818::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

21ac54b2dfa107c2c34e22763929c410c38b8b8dc586cb34221b708735da39b2

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status: 200
cache-control: no-cache, must-revalidate
content-disposition: attachment; filename="f.txt"
content-type: text/javascript; charset=UTF-8
alt-svc: quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 1237
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 / Show response
googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/ Frame 436D 7 KB
2 KB 22ms
22ms Script
text/javascript 2a00:1450:4001:818::2002
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://googleads.g.doubleclick.net/pagead/viewthroughconversion/819694878/?random=1571663937204&cv=9&fst=1571663937204&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%5C%3D_pclIp._pmatchedIP%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts_ip%3B_plkpKey%3D_pclIp._pmatchedIP%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&rfmt=3&fmt=4

Requested by

Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion_async.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:818::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

373fe54362c261716e6033ea509f22416fa0f09dae64dbdc7cd7219af8cff89e

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status: 200
cache-control: no-cache, must-revalidate
content-disposition: attachment; filename="f.txt"
content-type: text/javascript; charset=UTF-8
alt-svc: quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 1834
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 / Show response
googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/ Frame 436D 7 KB
2 KB 22ms
21ms Script
text/javascript 2a00:1450:4001:818::2002
Google LLC

General

Check archive.org

Show headers Download Go to

Full URL

https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663937205&cv=9&fst=1571663937205&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&ig=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%5C%3D_pclIp._pmatchedIP%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts_ip%3B_plkpKey%3D_pclIp._pmatchedIP%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&rfmt=3&fmt=4

Requested by

Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion_async.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:818::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

3ce9806392df75ac66fb903977838ff4609b65dfb4f160ebd04b22c996184947

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status: 200
cache-control: no-cache, must-revalidate
content-disposition: attachment; filename="f.txt"
content-type: text/javascript; charset=UTF-8
alt-svc: quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43",h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 1834
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2

200

/
www.google.de/pagead/1p-user-list/956680084/ Frame 436D
Redirect Chain

https://googleads.g.doubleclick.net/pagead/viewthroughconversion/956680084/?random=1571663937204&cv=9&fst=1571663937204&num=1&fmt=3&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=12...
https://www.google.com/pagead/1p-user-list/956680084/?random=1571663937204&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java...
https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937204&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=...

42 B
110 B

23ms
22ms

Image
image/gif

2a00:1450:4001:821::2003
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937204&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3590609516&resp=GooglemKTybQhCsO&ipr=y

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

Redirect headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 302
content-type: image/gif
location: https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937204&cv=9&fst=1571662800000&num=1&fmt=3&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&is_vtc=1&random=3590609516&resp=GooglemKTybQhCsO&ipr=y
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
timing-allow-origin: *
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

POST
H2 200 /
www.facebook.com/tr/ Frame 0C24 0
0 7ms
7ms Document
text/plain 2a03:2880:f11c:8183:face:b00c:0:25de
Facebook

General

Check archive.org

Show headers Download Go to

Full URL

https://www.facebook.com/tr/

Requested by

Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f11c:8183:face:b00c:0:25de , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),

Reverse DNS

Software

proxygen-bolt /

Resource Hash

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains

Request headers

:method: POST
:authority: www.facebook.com
:scheme: https
:path: /tr/
content-length: 3794
pragma: no-cache
cache-control: no-cache
origin: https://research.juniper.net
upgrade-insecure-requests: 1
content-type: application/x-www-form-urlencoded
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode: nested-navigate
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: cross-site
referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
accept-encoding: gzip, deflate, br
Origin: https://research.juniper.net
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936

Response headers

status: 200
content-type: text/plain
access-control-allow-origin: https://research.juniper.net
access-control-allow-credentials: true
strict-transport-security: max-age=31536000; includeSubDomains
content-length: 0
server: proxygen-bolt
alt-svc: h3-23=":443"; ma=3600
date: Mon, 21 Oct 2019 13:18:57 GMT

POST
H2 200 /
www.facebook.com/tr/ Frame 8346 0
0 10ms
5ms Document
text/plain 2a03:2880:f11c:8183:face:b00c:0:25de
Facebook

General

Check archive.org

Show headers Download Go to

Full URL

https://www.facebook.com/tr/

Requested by

Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a03:2880:f11c:8183:face:b00c:0:25de , Ireland, ASN32934 (FACEBOOK - Facebook, Inc., US),

Reverse DNS

Software

proxygen-bolt /

Resource Hash

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000; includeSubDomains

Request headers

:method: POST
:authority: www.facebook.com
:scheme: https
:path: /tr/
content-length: 3846
pragma: no-cache
cache-control: no-cache
origin: https://research.juniper.net
upgrade-insecure-requests: 1
content-type: application/x-www-form-urlencoded
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
sec-fetch-mode: nested-navigate
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: cross-site
referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
accept-encoding: gzip, deflate, br
Origin: https://research.juniper.net
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Sec-Fetch-Mode: nested-navigate
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936

Response headers

status: 200
content-type: text/plain
access-control-allow-origin: https://research.juniper.net
access-control-allow-credentials: true
strict-transport-security: max-age=31536000; includeSubDomains
content-length: 0
server: proxygen-bolt
alt-svc: h3-23=":443"; ma=3600
date: Mon, 21 Oct 2019 13:18:57 GMT

GET
H2 200 /
www.google.com/pagead/1p-user-list/819694878/ Frame 3286 42 B
110 B 30ms
29ms Image
image/gif 2a00:1450:4001:81d::2004
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.com/pagead/1p-user-list/819694878/?random=1571663937199&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=3819243290&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 /
www.google.de/pagead/1p-user-list/819694878/ Frame 3286 42 B
110 B 24ms
24ms Image
image/gif 2a00:1450:4001:821::2003
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.de/pagead/1p-user-list/819694878/?random=1571663937199&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=3819243290&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 /
www.google.com/pagead/1p-user-list/819694878/ Frame 3286 42 B
110 B 27ms
27ms Image
image/gif 2a00:1450:4001:81d::2004
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.com/pagead/1p-user-list/819694878/?random=1571663937200&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=3128167364&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 /
www.google.de/pagead/1p-user-list/819694878/ Frame 3286 42 B
110 B 26ms
26ms Image
image/gif 2a00:1450:4001:821::2003
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.de/pagead/1p-user-list/819694878/?random=1571663937200&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts%26_plkpKey%5C%3Djnpr_vId%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts%3B_plkpKey%3Djnpr_vId%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DYWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts%2526_plkpKey%253Djnpr_vId%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.juniper.net%252&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=3128167364&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=YWfAEhoTQWrf9dRMafLDmS9EgKqw7v1L-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts%26_plkpKey%3Djnpr_vId%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts&_plkpKey=jnpr_vId&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 /
www.google.com/pagead/1p-user-list/819694878/ Frame 436D 42 B
278 B 23ms
23ms Image
image/gif 2a00:1450:4001:81d::2004
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.com/pagead/1p-user-list/819694878/?random=1571663937203&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=506434098&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 /
www.google.de/pagead/1p-user-list/819694878/ Frame 436D 42 B
110 B 24ms
24ms Image
image/gif 2a00:1450:4001:821::2003
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.de/pagead/1p-user-list/819694878/?random=1571663937203&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dgtag.config&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=506434098&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 /
www.google.com/pagead/1p-user-list/819694878/ Frame 436D 42 B
110 B 29ms
29ms Image
image/gif 2a00:1450:4001:81d::2004
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.com/pagead/1p-user-list/819694878/?random=1571663937204&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%5C%3D_pclIp._pmatchedIP%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts_ip%3B_plkpKey%3D_pclIp._pmatchedIP%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=887524795&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 /
www.google.de/pagead/1p-user-list/819694878/ Frame 436D 42 B
110 B 26ms
26ms Image
image/gif 2a00:1450:4001:821::2003
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.de/pagead/1p-user-list/819694878/?random=1571663937204&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%5C%3D_pclIp._pmatchedIP%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts_ip%3B_plkpKey%3D_pclIp._pmatchedIP%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=887524795&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 /
www.google.com/pagead/1p-user-list/956680084/ Frame 436D 42 B
110 B 43ms
43ms Image
image/gif 2a00:1450:4001:81d::2004
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.com/pagead/1p-user-list/956680084/?random=1571663937205&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%5C%3D_pclIp._pmatchedIP%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts_ip%3B_plkpKey%3D_pclIp._pmatchedIP%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=930459174&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:81d::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 /
www.google.de/pagead/1p-user-list/956680084/ Frame 436D 42 B
110 B 28ms
27ms Image
image/gif 2a00:1450:4001:821::2003
Google LLC

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google.de/pagead/1p-user-list/956680084/?random=1571663937205&cv=9&fst=1571662800000&num=1&bg=ffffff&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2oaaa0&sendb=1&data=event%3Dpage_view%3B_pclId%3D3AqJOZ7HCNhvSfnaY1guVgsnqrANRcu0-1571663937%3B_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%3B_pdLoc%3Dhttps%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram%3B_pdHash%3DUnavailable%3B_pqStr%3Dactive%3B_psqStr%3D%3F_pclientId%5C%3Djnpr%26_peventName%5C%3Dlkps%26_pdataSource%5C%3Dweb%26_pqStr%5C%3Denabled%26_pgetId%5C%3Dtrue%26_plkpTblId%5C%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%5C%3D_pclIp._pmatchedIP%26_plkpPrfl%5C%3Dactive%26_pclIp%5C%3Dactive%26_pqStr%5C%3Dactive%26_pidName%5C%3DrmulusId%26_pidSource%5C%3Dresearch.juniper.net%26_pclPrint%5C%3Dtrue%26_ptwAids%5C%3Do1oeb%7Cnvrg6%26_pfbAids%5C%3D340159566928684%7C437764526963678%26_pliPids%5C%3D1318724%7C4751%26_pawAids%5C%3DAW-819694878%7CAW-956680084%26jnpr_vId%5C%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936%3B_pclientId%3Djnpr%3B_peventName%3Dlkps%3B_pdataSource%3Dweb%3B_pgetId%3Dtrue%3B_plkpTblId%3Djnpr_audiences_targetaccounts_ip%3B_plkpKey%3D_pclIp._pmatchedIP%3B_plkpPrfl%3D%7B%22not%20found%22%3A%22not%20found%22%7D%3B_pcityName%3DUnavailable%3B_pcompanyName%3DHetzner%20Online%20GmbH%3B_pcontinentCode%3DEU%3B_pcontinentName%3DEurope%3B_pcountryISOCode%3DDE%3B_pcountryName%3DGermany%3B_platitude%3D51.2993%3B_plongitude%3D9.491%3B_pmatchedIP%3D144.76.109.30%3B_ppostalCode%3DNone%3B_pstateISOCode%3DUnavailable%3B_pstateName%3DUnavailable%3B_ptimeZone%3DEurope%2FBerlin%3B_pidName%3DrmulusId%3B_pidSource%3Dresearch.juniper.net%3B_pclPrint%3D4c8a59ab63a77a27026bf4490e98a2f1%3B_ptwAids%3Do1oeb%7Cnvrg6%3B_pfbAids%3D340159566928684%7C437764526963678%3B_pliPids%3D1318724%7C4751%3B_pawAids%3DAW-819694878%7CAW-956680084%3Bjnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&frm=2&url=https%3A%2F%2Fresearch.juniper.net%2F%3F_pevId%3DtRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936%26_pdLoc%3Dhttps%253A%252F%252Fforums.juniper.net%252Ft5%252FThreat-Research%252FMasad-Stealer-Exfiltrating-using-Telegram%26_pdHash%3DUnavailable%26_pqStr%3Dactive%26_psqStr%3D%253F_pclientId%253Djnpr%2526_peventName%253Dlkps%2526_pdataSource%253Dweb%2526_pqStr%253Denabled%2526_pgetId%253Dtrue%2526_plkpTblId%253Djnpr_audiences_targetaccounts_ip%2526_plkpKey%253D_pclIp._pmatchedIP%2526_plkpPrfl%253Dactive%2526_pclIp%253Dactive%2526_pqStr%253Dactive%2526_pidName%253DrmulusId%2526_pidSource%253Dresearch.&ref=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&async=1&fmt=3&is_vtc=1&random=930459174&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y

Requested by

Host: forums.juniper.net
URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:821::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE - Google LLC, US),

Reverse DNS

Software

cafe /

Resource Hash

ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Security Headers

Name	Value
Content-Security-Policy	script-src 'none'; object-src 'none'
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://research.juniper.net/?_pevId=tRtws8nXBXf8ghDdW4Ao8GryqaBxF1Ik-1571663936&_pdLoc=https%3A%2F%2Fforums.juniper.net%2Ft5%2FThreat-Research%2FMasad-Stealer-Exfiltrating-using-Telegram&_pdHash=Unavailable&_pqStr=active&_psqStr=%3F_pclientId%3Djnpr%26_peventName%3Dlkps%26_pdataSource%3Dweb%26_pqStr%3Denabled%26_pgetId%3Dtrue%26_plkpTblId%3Djnpr_audiences_targetaccounts_ip%26_plkpKey%3D_pclIp._pmatchedIP%26_plkpPrfl%3Dactive%26_pclIp%3Dactive%26_pqStr%3Dactive%26_pidName%3DrmulusId%26_pidSource%3Dresearch.juniper.net%26_pclPrint%3Dtrue%26_ptwAids%3Do1oeb%7Cnvrg6%26_pfbAids%3D340159566928684%7C437764526963678%26_pliPids%3D1318724%7C4751%26_pawAids%3DAW-819694878%7CAW-956680084%26jnpr_vId%3DLWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936&_pclientId=jnpr&_peventName=lkps&_pdataSource=web&_pgetId=true&_plkpTblId=jnpr_audiences_targetaccounts_ip&_plkpKey=_pclIp._pmatchedIP&_plkpPrfl=%7B%22not%20found%22%3A%22not%20found%22%7D&_pcityName=Unavailable&_pcompanyName=Hetzner%20Online%20GmbH&_pcontinentCode=EU&_pcontinentName=Europe&_pcountryISOCode=DE&_pcountryName=Germany&_platitude=51.2993&_plongitude=9.491&_pmatchedIP=144.76.109.30&_ppostalCode=None&_pstateISOCode=Unavailable&_pstateName=Unavailable&_ptimeZone=Europe%2FBerlin&_pidName=rmulusId&_pidSource=research.juniper.net&_pclPrint=true&_ptwAids=o1oeb%7Cnvrg6&_pfbAids=340159566928684%7C437764526963678&_pliPids=1318724%7C4751&_pawAids=AW-819694878%7CAW-956680084&jnpr_vId=LWaEfbtW12tOqfplvXPvviRymxPkxOxK-1571663936
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma: no-cache
date: Mon, 21 Oct 2019 13:18:57 GMT
x-content-type-options: nosniff
server: cafe
timing-allow-origin: *
p3p: policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status: 200
cache-control: no-cache, no-store, must-revalidate
content-security-policy: script-src 'none'; object-src 'none'
content-type: image/gif
alt-svc: quic=":443"; ma=2592000; v="46,43",h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000
content-length: 42
x-xss-protection: 0
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H2 200 satellite-57e2f6c764746d7a990154e8.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 1 KB
676 B 7ms
6ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-57e2f6c764746d7a990154e8.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: 0b30b39cc04a7922ed34d3d567d814c6ea9c8cea7e4ba2302b5d45272c13a483

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:31 GMT
server: AkamaiNetStorage
etag: "143f04ca053bbbb67e7e7db60384c44e:1571335291.002567"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 431
expires: Mon, 21 Oct 2019 14:18:57 GMT

GET
H2 200 satellite-586d49e464746d11fd002f2c.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 414 B
526 B 8ms
7ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-586d49e464746d11fd002f2c.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: f0ebf94842d7584c1c3c4925765c776bc6acc5345d1c01bdb846b416bad07877

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:31 GMT
server: AkamaiNetStorage
etag: "73f8288b3e1da89f3ff0360bfca03245:1571335291.159718"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 281
expires: Mon, 21 Oct 2019 14:18:57 GMT

GET
H2 200 satellite-5630f65f64746d185c002af5.js Show response
assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/ 503 B
580 B 8ms
8ms Script
application/x-javascript 2.18.232.23
Akamai Technologies

General

Check archive.org

Show headers Download Go to

Full URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/scripts/satellite-5630f65f64746d185c002af5.js
Requested by: Host: assets.adobedtm.com
URL: https://assets.adobedtm.com/998b2d6d4944658536fe36266a249b07e626b86d/satelliteLib-6d05b7c7a99e1cbbdcac4fcfe7005e6bee80a0e9.js
Protocol: H2
Security: TLS 1.2, ECDHE_RSA, AES_256_GCM
Server: 2.18.232.23 , Ascension Island, ASN16625 (AKAMAI-AS - Akamai Technologies, Inc., US),
Reverse DNS: a2-18-232-23.deploy.static.akamaitechnologies.com
Software: AkamaiNetStorage /
Resource Hash: 1fee2fb3eb1831930f4e325e6f05dc0d322ce37f53cc7da4cd2cdde999ed0b1d

Request headers

Sec-Fetch-Mode: no-cors
Referer: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date: Mon, 21 Oct 2019 13:18:57 GMT
content-encoding: gzip
last-modified: Thu, 17 Oct 2019 18:01:24 GMT
server: AkamaiNetStorage
etag: "902ab4d82e29bb124a4127654ea7be62:1571335284.528625"
vary: Accept-Encoding
content-type: application/x-javascript
status: 200
cache-control: max-age=3600
accept-ranges: bytes
timing-allow-origin: *
content-length: 335
expires: Mon, 21 Oct 2019 14:18:57 GMT

Verdicts & Comments Add Verdict or Comment

160 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

2 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

			Domain/Path	Expires	Name / Value
			.doubleclick.net/	1970-01-19 13:55:59	Name: IDE Value: AHWqTUn4QeLlpbPs0iXSE65iZ5tQCW466ywZS4kWF4N0KE3OIiZ_bHUhdVCQvWAf
			.juniper.net/	1970-01-19 06:43:59	Name: _fbp Value: fb.1.1571663937173.1180827004

1 Console Messages

A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.

Source	Level	URL Text
console-api	log	URL: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram(Line 170) Message: on load

Security Headers

This page lists any security headers set by the main page. If you want to understand what these mean and how to use them, head on over to this page

Header	Value
Strict-Transport-Security	max-age=31536000;includeSubDomains

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

3872718.fls.doubleclick.net
5922977.fls.doubleclick.net
ajax.googleapis.com
analytics.twitter.com
api.company-target.com
api.demandbase.com
assets.adobedtm.com
attr.ml-api.io
clients1.google.com
cloud.webtype.com
cm.everesttech.net
collect.rmulus.com
connect.facebook.net
cse.google.com
dpm.demdex.net
fonts.googleapis.com
forums.juniper.net
googleads.g.doubleclick.net
img.en25.com
jnet.i.lithium.com
junipernetworks.d2.sc.omtrdc.net
junipernetworks.demdex.net
junipernetworks.tt.omtrdc.net
lookups.rmulus.com
match.prod.bidr.io
maxcdn.bootstrapcdn.com
platform.twitter.com
pls.webtype.com
px.ads.linkedin.com
research.juniper.net
s.ml-attr.com
s1229.t.eloqua.com
scripts.demandbase.com
secure.adnxs.com
secure.rmulus.com
segments.company-target.com
static.ads-twitter.com
stats.g.doubleclick.net
t.co
tags.bluekai.com
use.fontawesome.com
www.facebook.com
www.google-analytics.com
www.google.ca
www.google.com
www.google.de
www.googleadservices.com
www.googleapis.com
www.googletagmanager.com
www.juniper.net
104.111.241.32
104.244.42.197
104.244.42.67
13.224.196.121
13.225.78.27
13.225.78.79
143.204.101.123
143.204.101.126
143.204.101.13
151.101.112.157
172.217.18.102
185.33.223.100
2.18.232.23
2001:4de0:ac19::1:b:2a
208.74.207.25
209.167.231.17
216.58.205.230
216.58.207.66
23.111.9.35
2606:2800:234:59:254c:406:2366:268c
2a00:1450:4001:800::200e
2a00:1450:4001:814::2008
2a00:1450:4001:814::200e
2a00:1450:4001:818::2002
2a00:1450:4001:81b::2003
2a00:1450:4001:81c::200a
2a00:1450:4001:81d::2004
2a00:1450:4001:81e::200a
2a00:1450:4001:820::200a
2a00:1450:4001:821::2003
2a00:1450:400c:c00::9a
2a02:26f0:10:2a9::720
2a03:2880:f01c:8012:face:b00c:0:3
2a03:2880:f11c:8183:face:b00c:0:25de
2a05:f500:11:101::b93f:9005
34.201.194.177
34.253.43.81
52.213.193.252
52.30.78.155
52.49.100.189
54.230.95.207
65.52.62.25
66.117.28.86
66.117.29.3
68.67.153.60
93.184.220.41
93.184.220.97
95.100.78.166
04cc38228e78bcd321b02a1db468d35e557f12251aae38a9b2f1814f2761b9b4
04cc99186aa1ed2c9e0989ad7f6a2e180508c8656caef8cd2b153fa8dbba9038
0620feb9ea1ef87a0f1fd0df37a90ef556afb630b3360be72266f4f505dc42b4
066d654e9fdae411ba75229bf293bb54156406111dd0f69f789f97a8a8a6502b
06999de90eb62434c9e26cc7b0b70c3db1602e5b3ebea36b7dd6cb9e4ebbd784
081de2455a7c07a455ae28fec0acf0db473c515d1d38b49fda402724febc6da7
0af3aae90b7de9fdceee2ab421378ea2f54c74be81ef43fc6c1790a032755d80
0b30b39cc04a7922ed34d3d567d814c6ea9c8cea7e4ba2302b5d45272c13a483
0eb2263b102275bbff7847e76a3668c516c2db3d2f6523b94259525ab8124a4b
10d8d42d73a02ddb877101e72fbfa15a0ec820224d97cedee4cf92d571be5caa
179f42988ae4cab77687b27656fc69ab3fa07efbcf6279ac1bef85ac0688e69d
18640403461461c763056c71c9d16db51cfaf8bd64473e8746b7692e25200e12
18a02257219987458dc60f3fc2284ce0ceba4affa260c51d66d0b6e815e0a90f
1bc61ec53e5af2299b45821748c5d3984ed56fa406cd1c49531ef1d25bdc30ce
1e76b665a6f0a9668df5358d69d8e88e82e602cbb5d5eb7acb4ea7daa5d5190d
1fee2fb3eb1831930f4e325e6f05dc0d322ce37f53cc7da4cd2cdde999ed0b1d
2099c9be1d977088b3fa5f862474b7ed87e34c8988f6eaf1a20b15787c9998b6
21ac54b2dfa107c2c34e22763929c410c38b8b8dc586cb34221b708735da39b2
22642f202577f0ba2f22cbe56b6cf291a09374487567cd3563e0d2a29f75c0c5
2381b47f8892f725ff4cc6758375a338efbea0fc9178e18c8c97ee4d8d1d290c
24b74951479c73418c6486173931f2c1b9f56142776dda0a7dc19a9e9884b8a9
2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe
2aec599bb34eb6dc9628239d56d39f8b9fbf6cea0d7b4272d3a6c18c6ab81e05
2c9f1c57bc31c65cdb84a1c44c0c91fc88799512fd87c5bc6e52b21f69abd5d0
2e4f5dd09499f2da4d8350e694d389f5837bc9a97addae7785a708a1867551a2
2e982e3c73e6f28505203e3efd647293555d1b34940f19626bd054bd6f2efc57
319949c8c08b86e9c35ea542c0dc0c30cedaa9b8d3d3c3327a36c91aefbd8af5
3236d2dc701f583a81401e777323e8026c6342c1e5bb5ac7fb9262f929227b1c
373fe54362c261716e6033ea509f22416fa0f09dae64dbdc7cd7219af8cff89e
39d48454cc249ca68918b13d93558d1027516393b06df1c104557532da1bc02e
3a97f850111de83f07a53261de9a8a1dfa6823a4ea63ee414a9f3533c247b3ef
3b7b8a4b411ddf8db9bacc2f3aabf406f8e4c0c087829b336ca331c40adfdff1
3ca19e57c9a2465ae4df271316ba4d29e7ff7f113a2a2c5297780c0b7a0ac09d
3ce9806392df75ac66fb903977838ff4609b65dfb4f160ebd04b22c996184947
3e84bcc6469e170029339c0b60b522671ca5d4298578308ec882df95f7badd9c
3eadffc329fb1c32ee10e809962cb4114a71d92b0f30db0b9ba9bef6abc91015
40a20291f9b526cba58796a4bbd0256d5663313e02c9d5ab5a842476562b3108
4c891889ca55d5cadf9e960d2e40f31f50ac0b6252417a9be7414ff2f26a3880
513a1cdd025b3086aa57881e2c801d57b76154c11975cc9283a9a3b480650722
53964478a7c634e8dad34ecc303dd8048d00dce4993906de1bacf67f663486ef
5b4f7ddf2cbd5ef8611f5fd90529a7c0b42bedb4c6f5a8f08d1c328b55043372
5b9573e1023da775390e9284ec0eb1c606df9b468a28980055b4a6aa804f4350
626ef4978a3758ced595afe37b89812432ef49fe3f967d2cd8e1321459b3a9b8
640ab2801ebaaac35a628d23dfe09caac3ba92b4ad30519a876620e1e8505b7b
656e1fb71a24f4d230a9ce9ff572e6c7e52382d7bbe666dafb10c12fc2799210
690217dd4ebde7d6750b11980ac97780557184aa636e8ae5ca6a53aadfbce5b8
6b4ebd6049c806e3eef1bd770b2d8b4fdd75803861ead3584ee753e41988efae
711484d0904f76b29c4cbf14e3e7d11c818545fdf95c19112c2ef1bd3e0680b8
775babc192dd84c190b44f9612ad8a9de10a522c9a178e7f37a623b13974582b
78a8202e2d22f37c9ed73bb52845944b2776d14a59bd21bd44dca6ca11795495
79340c32d5422c3331db60c78f9854b0d9c0a9bd0f9c454b7398734c1b990658
79e16119ceda988947279eb9addd1869b4270af3967b69ec9e09713ae4b6572b
7b08b6c86fb4d51c3e96dd3f06ed35c02b7f0662404fb6b14b9b2b0425a9e28a
7bde86f22329283dc816191116fb2c332cfdb506928e6551cae7273356d8d238
7da66ec546c027bfe5b9ca59aa2225cfaa5f0d68f96801f31186878c0fa853f8
7ee39e6b76207efc841a6882a2af5241490e1a2161c4e13790f78fb4dbfdde28
80a19a79e29cb723295fdccd389f61b999ccb6bde709c20cf6c970e7211b253c
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015
851bd834d24a84c0f4780789e868a65f9db8d9655a7a0cac039dbf3b65ad873f
8c5519ff6e93dfefc21c8b9c586ceef2060b2161e6be946d5b704341456ef053
8c785b78817298c70c27829e6903d75fac181ed591e3260c4b1fec35f0cd03c0
8febd8b0e9b817a31d401574d8f8aaeb5003d76c2c1afa9da932fa0990685b53
9093f80f7653038c751be64d054f6159875ac0f6f99935c4008bf3f705abdbee
925ce3258ea45dd475bffbdc02c278e08d6bc4667c685b18c43b8dd0cb8bee5a
9404cee30e4489a7ed4d6de2dd92aa8e4386fd5ff1c81ebcea77f581952eac31
983b0caf336e8542214fc17019a4fc5e0360864b92806ca14d55c1fc1c2c5a0f
9912c03b52a7cb0fc11bde58e200010eca671219552929b31be4c2e26c0e10c3
994f862399526907874323d0bf282947d8c1b6e01c2ef047da2b5521e88eba5b
9b8a69e995564719ea29e03b8593d8d18d03c3c8411a0eba1d714afec595d848
9e5b8d4ced66c172dc84f16051eee4bac1e0fc60781c1ea05d73072b3cc7ddf1
a1ecbaed793a1f564c49c671f2dd0ce36f858534ef6d26b55783a06b884cc506
a844cdc48c7591822e45128a138f1dbba5753a3ca9992bd71c36758d51d0b68e
aadc3580d2b64ff5a7e6f1425587db4e8b033efcbf8f5c332ca52a5ed580c87c
ac8778041fdb7f2e08ceb574c9a766247ea26f1a7d90fa854c4efcf4b361a957
acbde4a5a6ca3a99092c40c7d64b1e6a3c170a991a1ae98dd28b590cec53a7c0
b1110f2c7ae9f0a22977c4df6431fdfef92d1e8223f9734713e57aeb2ee96fcf
b6b12491bd3384604967dba5b6d0d4430484097b7982a988bf78aae31bf9ff76
b8eea75e456823a6e0eebfa1e4f27b56395485fff2bbf27e0344f7bf4fa8e509
be411113a7cc410c17ca7c311a35166e012b630b56da83341cbed129f6abd6bd
c0f533082d6b784c7f939ad3fbcafc2faa6a88d96f0b076f7a0e28b431995bff
c5aff3477022f781ee765989cdf6abbdd986f331064c59f5655fab8c6f9796c7
c74679537a89890b260d93e19aad5f4cc95a230623a945ffcc3d981fc13a1adf
c85e7ce68f3a78005c8c4603e3312b48ab1465bfdc86b397941295aa75299f2e
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356
cf4724b2f736ed1a0ae6bc28f1ead963d9cd2c1fd87b6ef32e7799fc1c5c8bda
d2474340ff2bb92f87a9ff9df68cd9bb04ec042a4af464d42d76ad69d9b2a67d
db0031471b3f9181ff21d83674674ac3dd7c128531fae90bc274ad0e17c58c37
dbb67c620eaabf6679a314db18d3ae43037aef71ab27422e6feec08ee987cc0a
df3e003cc30e9bdd0313100e8ee5d468070b4b34d11ad355f276a356d4b9c7bf
e28195ef556c2e1f2d22ff939f487f10a32e608255bbd541be3eda5883b414c3
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
e8a8cd48f7f93a8c8d708eda1f3f9c6ddd886c3f6c38eee67aeac98897b09510
e931faaef092c8d98a58ac536216378f58e2a17a4833bbe5f9a29e5bbed849f6
edd8db5c29b96b7a290a5e266d426dca85541b7cd7a62b180e5ec89dc635f05f
eec3860fdc0bff086a73a04051948c4e76ea29a6b61eaa870083739555b83f64
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
f0ebf94842d7584c1c3c4925765c776bc6acc5345d1c01bdb846b416bad07877
f3572da14ecd1438b014367bee13c3f32b1bbce41a0ea16254a3455c64b064f2
f50798458e958d44022e68ed50eaf58ee47256a163f3022681fe1c899139d612
f75e846cc83bd11432f4b1e21a45f31bc85283d11d372f7b19accd1bf6a2635c
f7d6b1c8e88874fb2696fc3128ea91fc6f47915466ea9f566ab2c39fcebffbd6
ffa161118fe5c86651a1086172071bfe65d3c22968af6e2cfdfc450b8051770d

forums.juniper.net Open in urlscan Pro 208.74.207.25 Public Scan

Summary

urlscan.io Verdict: No classification

Domain & IP information

Screenshot Live screenshot Full Image

Detected technologies

Page Statistics

177 Requests

100 %HTTPS

35 %IPv6

33 Domains

50 Subdomains

43 IPs

7 Countries

2651 kBTransfer

9863 kBSize

2 Cookies

76 Outgoing links

Redirected requests

177 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 1 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Redirect headers

Request headers

Response headers

Request headers

Response headers

forums.juniper.net Open in urlscan Pro
208.74.207.25 Public Scan

Screenshot
Live screenshot

Full Image

177
Requests

100 %
HTTPS

35 %
IPv6

33
Domains

50
Subdomains

43
IPs

7
Countries

2651 kB
Transfer

9863 kB
Size

2
Cookies

177 HTTP transactions
1 data transactions