URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Submission: On May 28 via api from US

Summary

This website contacted 40 IPs in 7 countries across 41 domains to perform 97 HTTP transactions. The main IP is 2606:4700::6813:d63e, located in the United States and belonging to CLOUDFLARENET, US. The main domain is www.zscaler.com.
TLS certificate: Issued by DigiCert SHA2 Extended Validation Ser... on February 1st 2020. Valid for: a year.
This is the only time www.zscaler.com was scanned on urlscan.io!

urlscan.io Verdict: No classification

Domain & IP information

IP Address AS Autonomous System
29 2606:4700::68... 13335 (CLOUDFLAR...)
1 2a00:1450:400... 15169 (GOOGLE)
2 3 172.217.16.130 15169 (GOOGLE)
3 2a00:1450:400... 15169 (GOOGLE)
1 6 23.210.248.216 16625 (AKAMAI-AS)
1 2a02:26f0:10c... 20940 (AKAMAI-ASN1)
1 2a00:1450:400... 15169 (GOOGLE)
4 2606:2800:233... 15133 (EDGECAST)
1 2 2a05:f500:10:... 14413 (LINKEDIN)
1 1 2620:1ec:21::14 8068 (MICROSOFT...)
2 2a00:1450:400... 15169 (GOOGLE)
15 19 54.229.99.84 16509 (AMAZON-02)
1 1 2a00:1450:400... 15169 (GOOGLE)
1 3 2a00:1450:400... 15169 (GOOGLE)
3 2a00:1450:400... 15169 (GOOGLE)
6 2a00:1450:400... 15169 (GOOGLE)
1 3 52.206.150.214 14618 (AMAZON-AES)
2 184.30.221.218 20940 (AKAMAI-ASN1)
1 2a00:1450:400... 15169 (GOOGLE)
3 68.232.35.12 15133 (EDGECAST)
3 23.10.73.123 16625 (AKAMAI-AS)
1 163.171.132.119 54994 (QUANTILNE...)
1 2606:4700:10:... 13335 (CLOUDFLAR...)
1 2a00:1450:400... 15169 (GOOGLE)
1 206.19.49.24 7018 (ATT-INTER...)
1 192.28.144.124 15224 (OMNITURE)
2 2a03:2880:f01... 32934 (FACEBOOK)
2 2 35.157.252.175 16509 (AMAZON-02)
1 3.126.56.137 16509 (AMAZON-02)
1 2 23.210.249.164 16625 (AKAMAI-AS)
1 69.173.144.138 26667 (RUBICONPR...)
1 2 70.42.32.95 22075 (AS-OUTBRAIN)
1 185.64.189.110 62713 (AS-PUBMATIC)
1 1 2a00:1288:f03... 10310 (YAHOO-1)
1 151.101.113.44 54113 (FASTLY)
1 2 52.57.173.127 16509 (AMAZON-02)
1 2 52.59.155.31 16509 (AMAZON-02)
1 2 37.252.173.62 29990 (ASN-APPNEX)
1 35.241.8.149 15169 (GOOGLE)
1 2 34.98.64.218 15169 (GOOGLE)
1 52.57.44.100 16509 (AMAZON-02)
1 2a03:2880:f11... 32934 (FACEBOOK)
1 151.101.114.110 54113 (FASTLY)
2 162.247.242.20 23467 (NEWRELIC-...)
97 40
Requests | Apex Domain | Subdomains | Transfer
29 | zscaler.com | www.zscaler.com | 1 MB
24 | adroll.com | s.adroll.com, d.adroll.com | 28 KB
6 | gstatic.com | fonts.gstatic.com | 77 KB
5 | doubleclick.net | googleads.g.doubleclick.net, stats.g.doubleclick.net, cm.g.doubleclick.net | 5 KB
4 | cookielaw.org | cdn.cookielaw.org | 23 KB
3 | 6sc.co | j.6sc.co, c.6sc.co, b.6sc.co | 8 KB
3 | bizible.com | cdn.bizible.com | 34 KB
3 | google.de | www.google.de | 795 B
3 | google.com | www.google.com | 529 B
3 | linkedin.com | px.ads.linkedin.com, www.linkedin.com | 3 KB
3 | google-analytics.com | www.google-analytics.com | 45 KB
2 | nr-data.net | bam.nr-data.net | 457 B
2 | leadlander.com | tracking.leadlander.com | 520 B
2 | openx.net | us-u.openx.net | 479 B
2 | adnxs.com | ib.adnxs.com | 2 KB
2 | bidswitch.net | x.bidswitch.net | 913 B
2 | 3lift.com | eb2.3lift.com | 737 B
2 | outbrain.com | sync.outbrain.com | 807 B
2 | casalemedia.com | dsum-sec.casalemedia.com | 2 KB
2 | yahoo.com | ups.analytics.yahoo.com, ads.yahoo.com | 2 KB
2 | advertising.com | pixel.advertising.com | 815 B
2 | facebook.net | connect.facebook.net | 162 KB
2 | techtarget.com | trk.techtarget.com, apt.techtarget.com | 3 KB
2 | marketo.net | munchkin.marketo.net | 6 KB
1 | newrelic.com | js-agent.newrelic.com | 10 KB
1 | facebook.com | www.facebook.com | 350 B
1 | 6sense.com | epsilon.6sense.com | 651 B
1 | rlcdn.com | idsync.rlcdn.com | 59 B
1 | taboola.com | trc.taboola.com | 281 B
1 | pubmatic.com | simage2.pubmatic.com | 886 B
1 | rubiconproject.com | pixel.rubiconproject.com | 239 B
1 | mktoresp.com | 306-zej-256.mktoresp.com | 304 B
1 | ytimg.com | s.ytimg.com | 25 KB
1 | onetrust.com | geolocation.onetrust.com | 405 B
1 | youtube.com | www.youtube.com | 1 KB
1 | sf14g.com | t.sf14g.com | 37 KB
1 | consensu.org | d.adroll.mgr.consensu.org | 136 B
1 | googleapis.com | fonts.googleapis.com | 2 KB
1 | licdn.com | snap.licdn.com | 2 KB
1 | googleadservices.com | www.googleadservices.com | 12 KB
1 | googletagmanager.com | www.googletagmanager.com | 52 KB
Total: 97 requests across 41 apex domains
Requests | Domain | Redirects | Requested by
29 | www.zscaler.com | - | www.zscaler.com, www.google-analytics.com
18 | d.adroll.com | 14 redirects | www.zscaler.com
6 | fonts.gstatic.com | - | www.zscaler.com
6 | s.adroll.com | 1 redirect | www.googletagmanager.com, www.zscaler.com, s.adroll.com
4 | cdn.cookielaw.org | - | www.zscaler.com, cdn.cookielaw.org
3 | cdn.bizible.com | - | www.googletagmanager.com, www.zscaler.com, cdn.bizible.com
3 | www.google.de | - | www.zscaler.com
3 | www.google.com | 1 redirect | www.zscaler.com
3 | www.google-analytics.com | - | www.googletagmanager.com, www.google-analytics.com, www.zscaler.com
2 | bam.nr-data.net | - | js-agent.newrelic.com, cdn.bizible.com
2 | tracking.leadlander.com | 1 redirect | www.zscaler.com
2 | cm.g.doubleclick.net | 2 redirects | -
2 | us-u.openx.net | 1 redirect | www.zscaler.com
2 | ib.adnxs.com | 1 redirect | www.zscaler.com
2 | x.bidswitch.net | 1 redirect | www.zscaler.com
2 | eb2.3lift.com | 1 redirect | www.zscaler.com
2 | sync.outbrain.com | 1 redirect | www.zscaler.com
2 | dsum-sec.casalemedia.com | 1 redirect | www.zscaler.com
2 | pixel.advertising.com | 2 redirects | -
2 | connect.facebook.net | - | s.adroll.com, connect.facebook.net
2 | munchkin.marketo.net | - | www.zscaler.com, munchkin.marketo.net
2 | googleads.g.doubleclick.net | - | www.googleadservices.com
2 | px.ads.linkedin.com | 1 redirect | www.zscaler.com
1 | js-agent.newrelic.com | - | www.zscaler.com
1 | www.facebook.com | - | www.zscaler.com
1 | epsilon.6sense.com | - | j.6sc.co
1 | idsync.rlcdn.com | - | www.zscaler.com
1 | trc.taboola.com | - | www.zscaler.com
1 | ads.yahoo.com | 1 redirect | -
1 | simage2.pubmatic.com | - | www.zscaler.com
1 | pixel.rubiconproject.com | - | www.zscaler.com
1 | ups.analytics.yahoo.com | - | www.zscaler.com
1 | 306-zej-256.mktoresp.com | - | munchkin.marketo.net
1 | b.6sc.co | - | www.zscaler.com
1 | c.6sc.co | - | j.6sc.co
1 | apt.techtarget.com | - | www.zscaler.com
1 | s.ytimg.com | - | www.youtube.com
1 | geolocation.onetrust.com | - | www.zscaler.com
1 | trk.techtarget.com | - | www.zscaler.com
1 | j.6sc.co | - | www.zscaler.com
1 | www.youtube.com | - | www.zscaler.com
1 | t.sf14g.com | - | www.zscaler.com
1 | stats.g.doubleclick.net | 1 redirect | -
1 | d.adroll.mgr.consensu.org | 1 redirect | -
1 | www.linkedin.com | 1 redirect | -
1 | fonts.googleapis.com | - | www.zscaler.com
1 | snap.licdn.com | - | www.googletagmanager.com
1 | www.googleadservices.com | - | www.googletagmanager.com
1 | www.googletagmanager.com | - | www.zscaler.com
Total: 97 requests across 49 subdomains
Subject | Issuer | Validity | Valid for
zscaler.com | DigiCert SHA2 Extended Validation Server CA | 2020-02-01 to 2021-06-30 | a year
*.google-analytics.com | GTS CA 1O1 | 2020-05-05 to 2020-07-28 | 3 months
www.googleadservices.com | GTS CA 1O1 | 2020-05-05 to 2020-07-28 | 3 months
*.adroll.com | DigiCert SHA2 Secure Server CA | 2020-01-29 to 2021-04-29 | a year
*.licdn.com | DigiCert SHA2 Secure Server CA | 2019-04-01 to 2021-05-07 | 2 years
upload.video.google.com | GTS CA 1O1 | 2020-05-05 to 2020-07-28 | 3 months
sni9451gl.wpc.edgecastcdn.net | DigiCert SHA2 Secure Server CA | 2020-05-07 to 2021-05-12 | a year
px.ads.linkedin.com | DigiCert SHA2 Secure Server CA | 2020-03-04 to 2020-09-04 | 6 months
*.g.doubleclick.net | GTS CA 1O1 | 2020-05-05 to 2020-07-28 | 3 months
adroll.mgr.consensu.org | Amazon | 2019-11-06 to 2020-12-06 | a year
www.google.de | GTS CA 1O1 | 2020-05-05 to 2020-07-28 | 3 months
*.gstatic.com | GTS CA 1O1 | 2020-05-05 to 2020-07-28 | 3 months
t.sf14g.com | Go Daddy Secure Certificate Authority - G2 | 2019-07-09 to 2020-09-07 | a year
*.marketo.net | DigiCert SHA2 Secure Server CA | 2020-03-14 to 2021-04-13 | a year
*.google.com | GTS CA 1O1 | 2020-05-05 to 2020-07-28 | 3 months
io.bizible.com | DigiCert SHA2 Secure Server CA | 2020-05-20 to 2022-02-18 | 2 years
*.6sc.co | DigiCert SHA2 Secure Server CA | 2020-01-07 to 2021-04-07 | a year
trk.techtarget.com | Sectigo RSA Domain Validation Secure Server CA | 2020-02-17 to 2022-05-17 | 2 years
www.google.com | GTS CA 1O1 | 2020-05-05 to 2020-07-28 | 3 months
*.onetrust.com | DigiCert SHA2 Secure Server CA | 2020-05-21 to 2022-07-27 | 2 years
*.techtarget.com | Sectigo RSA Domain Validation Secure Server CA | 2019-10-25 to 2021-10-24 | 2 years
*.mktoresp.com | DigiCert SHA2 Secure Server CA | 2020-01-17 to 2022-01-21 | 2 years
*.facebook.com | DigiCert SHA2 High Assurance Server CA | 2020-05-14 to 2020-08-05 | 3 months
ups.analytics.yahoo.com | DigiCert SHA2 High Assurance Server CA | 2020-02-13 to 2020-08-11 | 6 months
san.casalemedia.com | GeoTrust RSA CA 2018 | 2020-03-02 to 2021-04-01 | a year
*.rubiconproject.com | DigiCert SHA2 Secure Server CA | 2019-01-10 to 2021-01-14 | 2 years
*.outbrain.com | Thawte RSA CA 2018 | 2019-10-29 to 2021-11-23 | 2 years
*.pubmatic.com | Sectigo RSA Organization Validation Secure Server CA | 2019-02-22 to 2021-02-21 | 2 years
*.taboola.com | DigiCert SHA2 Secure Server CA | 2020-05-13 to 2020-09-10 | 4 months
*.3lift.com | Amazon | 2019-07-17 to 2020-08-17 | a year
*.bidswitch.net | Sectigo RSA Domain Validation Secure Server CA | 2020-04-23 to 2022-05-04 | 2 years
*.adnxs.com | DigiCert ECC Secure Server CA | 2019-01-23 to 2021-03-08 | 2 years
*.rlcdn.com | Sectigo RSA Domain Validation Secure Server CA | 2020-04-14 to 2021-04-23 | a year
*.openx.net | GeoTrust RSA CA 2018 | 2018-01-04 to 2020-07-09 | 3 years
*.6sense.com | Amazon | 2019-08-16 to 2020-09-16 | a year
*.leadlander.com | Go Daddy Secure Certificate Authority - G2 | 2020-04-28 to 2022-04-28 | 2 years
f4.shared.global.fastly.net | GlobalSign CloudSSL CA - SHA256 - G3 | 2020-05-25 to 2021-05-07 | a year
*.nr-data.net | DigiCert SHA2 Secure Server CA | 2020-02-05 to 2022-02-08 | 2 years

This page contains 1 frame:

Primary Page: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Frame ID: 651A14EBFB6A4C10AB86652FA798495A
Requests: 97 HTTP requests in this frame

Detected technologies

Overall confidence: 100%
Detected patterns
  • headers expires /19 Nov 1978/i

Overall confidence: 100%
Detected patterns
  • headers expires /19 Nov 1978/i

Overall confidence: 100%
Detected patterns
  • headers via /varnish(?: \(Varnish\/([\d.]+)\))?/i

Overall confidence: 100%
Detected patterns
  • script /(?:a|s)\.adroll\.com/i

Overall confidence: 100%
Detected patterns
  • headers server /^cloudflare$/i

Overall confidence: 100%
Detected patterns
  • script /\/\/connect\.facebook\.net\/[^/]*\/[a-z]*\.js/i

Overall confidence: 100%
Detected patterns
  • script /google-analytics\.com\/(?:ga|urchin|analytics)\.js/i

Page Statistics

Requests: 97
HTTPS: 100 %
IPv6: 43 %
Domains: 41
Subdomains: 49
IPs: 40
Countries: 7
Transfer: 1575 kB
Size: 4172 kB
Cookies: 10

Redirected requests

There were HTTP redirect chains for the following requests:

Request Chain 31
  • https://px.ads.linkedin.com/collect?v=2&fmt=js&pid=33962&url=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&time=1590693403088 HTTP 302
  • https://www.linkedin.com/px/li_sync?redirect=https%3A%2F%2Fpx.ads.linkedin.com%2Fcollect%3Fv%3D2%26fmt%3Djs%26pid%3D33962%26url%3Dhttps%253A%252F%252Fwww.zscaler.com%252Fblogs%252Fresearch%252Fnew-ursnif-campaign-shift-powershell-mshta%26time%3D1590693403088%26liSync%3Dtrue HTTP 302
  • https://px.ads.linkedin.com/collect?v=2&fmt=js&pid=33962&url=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&time=1590693403088&liSync=true
Request Chain 34
  • https://s.adroll.com/j/exp/ULSJHTPGTZGY3EPPZSKHKS/index.js HTTP 302
  • https://s.adroll.com/j/exp/index.js
Request Chain 36
  • https://d.adroll.mgr.consensu.org/consent/iabcheck/ULSJHTPGTZGY3EPPZSKHKS?_s=11600b42880a73e612b5e8ce1304e13f&_b=2 HTTP 302
  • https://d.adroll.com/consent/check/ULSJHTPGTZGY3EPPZSKHKS/?_s=11600b42880a73e612b5e8ce1304e13f&_b=2
Request Chain 38
  • https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3&v=1&_v=j82&tid=UA-6177009-1&cid=1965849376.1590693403&jid=717828031&gjid=807119452&_gid=102566784.1590693403&_u=aGDAgEADQ~&z=441964033 HTTP 302
  • https://www.google.com/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-6177009-1&cid=1965849376.1590693403&jid=717828031&_v=j82&z=441964033 HTTP 302
  • https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-6177009-1&cid=1965849376.1590693403&jid=717828031&_v=j82&z=441964033&slf_rd=1&random=1132633929
Request Chain 63
  • https://d.adroll.com/pixel/ULSJHTPGTZGY3EPPZSKHKS/22OEOVE2YNFA3EKSRERISY?adroll_fpc=9dc8eedcda4395399176c255a997da6d-1590693403635&arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&pv=81061262838.40182&cookie=&adroll_s_ref=&keyw= HTTP 302
  • https://s.adroll.com/pixel/ULSJHTPGTZGY3EPPZSKHKS/22OEOVE2YNFA3EKSRERISY/XYPZFM5QENHXRH7RBBI5PW.js
Request Chain 72
  • https://d.adroll.com/cm/aol/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS HTTP 302
  • https://pixel.advertising.com/ups/55980/sync?uid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&_origin=1&gdpr=1&gdpr_consent=BOOla_OOOla_OA2ABBENAkwAAAAXyACAAyAIIA HTTP 302
  • https://pixel.advertising.com/ups/55980/sync?uid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&_origin=1&gdpr=1&gdpr_consent=BOOla_OOOla_OA2ABBENAkwAAAAXyACAAyAIIA&verify=true HTTP 302
  • https://ups.analytics.yahoo.com/ups/55980/sync?uid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&_origin=1&gdpr=1&gdpr_consent=BOOla_OOOla_OA2ABBENAkwAAAAXyACAAyAIIA&apid=UPc4544c9f-a117-11ea-bf26-02800ef2d3d0
Request Chain 73
  • https://d.adroll.com/cm/index/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS HTTP 302
  • https://dsum-sec.casalemedia.com/rum?cm_dsp_id=105&external_user_id=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&expiration=1622229403 HTTP 302
  • https://dsum-sec.casalemedia.com/rum?cm_dsp_id=105&external_user_id=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&expiration=1622229403&C=1
Request Chain 74
  • https://d.adroll.com/cm/n/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS HTTP 302
  • https://pixel.rubiconproject.com/tap.php?v=194538&nid=3644&put=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&expires=365
Request Chain 75
  • https://d.adroll.com/cm/outbrain/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS HTTP 302
  • https://sync.outbrain.com/cookie-sync?p=adroll&uid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY HTTP 302
  • https://sync.outbrain.com/cookie-sync?p=adroll&uid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&rdrctExp=true
Request Chain 76
  • https://d.adroll.com/cm/pubmatic/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS HTTP 302
  • https://simage2.pubmatic.com/AdServer/Pug?vcode=bz0yJnR5cGU9MSZqcz0xJmNvZGU9MzMwNiZ0bD01MjU2MDA&piggybackCookie=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&gdpr=1&gdpr_consent=BOOoKswOOoKswA2ABBENAkwAAAAXyACACYAIIA
Request Chain 77
  • https://d.adroll.com/cm/r/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS HTTP 302
  • https://ads.yahoo.com/cms/v1?esig=1~bf4e7dc4546a90c08591652d78a230d3f2ef5733&nwid=10001032567&sigv=1&gdpr=1&gdpr_consent=BOOla_OOOla_OA2ABBENAkwAAAAXyACAAyAIIA HTTP 302
  • https://d.adroll.com/cm/r/in?xid=E0&gdpr=1&gdpr_consent=BOOla_OOOla_OA2ABBENAkwAAAAXyACAAyAIIA
Request Chain 78
  • https://d.adroll.com/cm/taboola/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS HTTP 302
  • https://trc.taboola.com/sg/adroll-network/1/rtb-h/?taboola_hm=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
Request Chain 79
  • https://d.adroll.com/cm/triplelift/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS HTTP 302
  • https://eb2.3lift.com/xuid?mid=4714&xuid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&dongle=c85e HTTP 302
  • https://eb2.3lift.com/xuid?ld=1&mid=4714&xuid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&dongle=c85e&gdpr=1&cmp_cs=&us_privacy=
Request Chain 81
  • https://d.adroll.com/cm/b/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS HTTP 302
  • https://x.bidswitch.net/sync?dsp_id=44&user_id=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY HTTP 302
  • https://x.bidswitch.net/ul_cb/sync?dsp_id=44&user_id=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
Request Chain 82
  • https://d.adroll.com/cm/x/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS HTTP 302
  • https://ib.adnxs.com/setuid?entity=172&code=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY HTTP 307
  • https://ib.adnxs.com/bounce?%2Fsetuid%3Fentity%3D172%26code%3DZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
Request Chain 83
  • https://d.adroll.com/cm/l/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS HTTP 302
  • https://idsync.rlcdn.com/377928.gif?partner_uid=e83ccb424c33d3cb8a842d5250a30316
Request Chain 84
  • https://d.adroll.com/cm/o/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS HTTP 302
  • https://us-u.openx.net/w/1.0/sd?id=537103138&val=e83ccb424c33d3cb8a842d5250a30316 HTTP 302
  • https://us-u.openx.net/w/1.0/sd?cc=1&id=537103138&val=e83ccb424c33d3cb8a842d5250a30316
Request Chain 85
  • https://d.adroll.com/cm/g/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS&google_nid=adroll4 HTTP 302
  • https://cm.g.doubleclick.net/pixel?google_sc&google_nid=artb&google_hm=6DzLQkwz08uKhC1SUKMDFg HTTP 302
  • https://cm.g.doubleclick.net/pixel?google_sc=&google_nid=artb&google_hm=6DzLQkwz08uKhC1SUKMDFg&google_tc= HTTP 302
  • https://d.adroll.com/cm/g/in
Request Chain 89
  • https://tracking.leadlander.com/api/tracking?accountId=14146&page=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&referer=&fp=b83201a2071430f5c447d355c7c45885 HTTP 302
  • https://tracking.leadlander.com/tracking.png

97 HTTP transactions

Resource
Path
Size
x-fer
Type
MIME-Type
Primary Request new-ursnif-campaign-shift-powershell-mshta
www.zscaler.com/blogs/research/
109 KB
20 KB
Document
General
Full URL
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2606:4700::6813:d63e , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software
cloudflare /
Resource Hash
6838b2a72a4993ff4fa06082824e6cad06a700b071745ada4119a7781d3b5221
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; preload
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN

Request headers

:method
GET
:authority
www.zscaler.com
:scheme
https
:path
/blogs/research/new-ursnif-campaign-shift-powershell-mshta
pragma
no-cache
cache-control
no-cache
upgrade-insecure-requests
1
user-agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
accept
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site
none
sec-fetch-mode
navigate
sec-fetch-user
?1
sec-fetch-dest
document
accept-encoding
gzip, deflate, br
accept-language
en-US
Upgrade-Insecure-Requests
1
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

status
200
date
Thu, 28 May 2020 19:16:42 GMT
content-type
text/html; charset=UTF-8
set-cookie
__cfduid=dd707afc42340e9ebddf315a00439a6b51590693401; expires=Sat, 27-Jun-20 19:16:41 GMT; path=/; domain=.www.zscaler.com; HttpOnly; SameSite=Lax
cache-control
max-age=31536000, public
x-drupal-dynamic-cache
MISS
link
<https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta>; rel="canonical"; class="sl_norewrite"
x-ua-compatible
IE=edge
content-language
en
x-content-type-options
nosniff
x-frame-options
SAMEORIGIN
expires
Sun, 19 Nov 1978 05:00:00 GMT
last-modified
Thu, 28 May 2020 19:07:51 GMT
vary
X-UA-Device,Accept-Encoding
x-request-id
v-86c45476-a116-11ea-88fd-f3174a95e114
x-ah-environment
prod
age
530
via
varnish
x-cache
HIT
x-cache-hits
3
cf-cache-status
DYNAMIC
cf-request-id
02fe502cce0000635910a82200000001
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
server
cloudflare
cf-ray
59aa4fc14a016359-FRA
content-encoding
br
gtm.js
www.googletagmanager.com/
184 KB
52 KB
Script
General
Full URL
https://www.googletagmanager.com/gtm.js?id=GTM-5SLZFK
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:800::2008 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
Google Tag Manager /
Resource Hash
0afe0a0111a8d0956339e26010128b328f520acfd5b85a7dcbfba64e2dc2e23c
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubDomains
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:42 GMT
content-encoding
br
vary
Accept-Encoding
status
200
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
52595
x-xss-protection
0
last-modified
Thu, 28 May 2020 18:06:55 GMT
server
Google Tag Manager
strict-transport-security
max-age=31536000; includeSubDomains
content-type
application/javascript; charset=UTF-8
access-control-allow-origin
*
cache-control
private, max-age=900
access-control-allow-credentials
true
access-control-allow-headers
Cache-Control
expires
Thu, 28 May 2020 19:16:42 GMT
conversion_async.js
www.googleadservices.com/pagead/
28 KB
12 KB
Script
General
Full URL
https://www.googleadservices.com/pagead/conversion_async.js
Requested by
Host: www.googletagmanager.com
URL: https://www.googletagmanager.com/gtm.js?id=GTM-5SLZFK
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
172.217.16.130 , United States, ASN15169 (GOOGLE, US),
Reverse DNS
fra15s46-in-f2.1e100.net
Software
cafe /
Resource Hash
65a1850028118c64febbde9b109da293910bfff6ee261caf0087d3d3364359ba
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
content-encoding
gzip
x-content-type-options
nosniff
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
content-disposition
attachment; filename="f.txt"
alt-svc
h3-27="googleads.g.doubleclick.net:443"; ma=2592000,h3-27=":443"; ma=2592000,h3-25="googleads.g.doubleclick.net:443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050="googleads.g.doubleclick.net:443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43"
content-length
10877
x-xss-protection
0
server
cafe
etag
12200185889747903800
vary
Accept-Encoding
content-type
text/javascript; charset=UTF-8
cache-control
private, max-age=3600
timing-allow-origin
*
expires
Thu, 28 May 2020 19:16:43 GMT
analytics.js
www.google-analytics.com/
45 KB
18 KB
Script
General
Full URL
https://www.google-analytics.com/analytics.js
Requested by
Host: www.googletagmanager.com
URL: https://www.googletagmanager.com/gtm.js?id=GTM-5SLZFK
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81b::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
Golfe2 /
Resource Hash
2f1fd973e6c48489ae07c467e3278635b856c698d1f502e06af3ab555937deac
Security Headers
Name Value
Strict-Transport-Security max-age=10886400; includeSubDomains; preload
X-Content-Type-Options nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security
max-age=10886400; includeSubDomains; preload
content-encoding
gzip
x-content-type-options
nosniff
last-modified
Thu, 30 Apr 2020 21:54:13 GMT
server
Golfe2
age
1223
date
Thu, 28 May 2020 18:56:19 GMT
vary
Accept-Encoding
content-type
text/javascript
status
200
cache-control
public, max-age=7200
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
18433
expires
Thu, 28 May 2020 20:56:19 GMT
roundtrip.js
s.adroll.com/j/
35 KB
12 KB
Script
General
Full URL
https://s.adroll.com/j/roundtrip.js
Requested by
Host: www.googletagmanager.com
URL: https://www.googletagmanager.com/gtm.js?id=GTM-5SLZFK
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
23.210.248.216 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS
a23-210-248-216.deploy.static.akamaitechnologies.com
Software
AmazonS3 /
Resource Hash
fda94796843b65b7ac7d3d3d7989ebd225c527bf94fd77a95c447ee45373457a

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

x-amz-version-id
N53gZzXQPldEXgbhn5lT.z3phkHJN1m7
Content-Encoding
gzip
ETag
"9355769c19f8681a6f037e860c99d638"
x-amz-request-id
9B61F3937D2116B6
x-amz-server-side-encryption
AES256
Connection
keep-alive
Vary
Accept-Encoding
Content-Length
11221
x-amz-id-2
Us2gtfBDGO1ez3cqJthuOlCA96rjqfW7R5uPDfMW22xvg7JTRAppwBmL5Kg3dyc8WnThDLdY6Pg=
Last-Modified
Wed, 27 May 2020 16:00:42 GMT
Server
AmazonS3
Date
Thu, 28 May 2020 19:16:43 GMT
Access-Control-Max-Age
600
Access-Control-Allow-Methods
GET
Content-Type
text/javascript
Access-Control-Allow-Origin
*
Cache-Control
max-age=3600, must-revalidate
Access-Control-Allow-Credentials
false
Accept-Ranges
bytes
Access-Control-Allow-Headers
*
insight.min.js
snap.licdn.com/li.lms-analytics/
3 KB
2 KB
Script
General
Full URL
https://snap.licdn.com/li.lms-analytics/insight.min.js
Requested by
Host: www.googletagmanager.com
URL: https://www.googletagmanager.com/gtm.js?id=GTM-5SLZFK
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
2a02:26f0:10c:39e::25ea , Ascension Island, ASN20940 (AKAMAI-ASN1, EU),
Reverse DNS
Software
/
Resource Hash
41dd5e421fe221a7d2921d6fa2b36e8b01a9f2c054aaef5fad866fe896c1d1e0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Thu, 28 May 2020 19:16:43 GMT
Content-Encoding
gzip
Last-Modified
Mon, 07 Oct 2019 16:41:31 GMT
X-CDN
AKAM
Vary
Accept-Encoding
Content-Type
application/x-javascript;charset=utf-8
Cache-Control
max-age=42288
Connection
keep-alive
Accept-Ranges
bytes
Content-Length
1576
css_zT08A3VvkeejjebO3s3YaML9OZljXL8Ai6IkCdYzSeg.css
www.zscaler.com/sites/default/files/css/
9 KB
3 KB
Stylesheet
General
Full URL
https://www.zscaler.com/sites/default/files/css/css_zT08A3VvkeejjebO3s3YaML9OZljXL8Ai6IkCdYzSeg.css
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2606:4700::6813:d63e , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software
cloudflare /
Resource Hash
cd3d3c03756f91e7a38de6cedecdd868c2fd3999635cbf008ba22409d63349e8
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; preload
X-Content-Type-Options nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:42 GMT
via
varnish
x-content-type-options
nosniff
cf-cache-status
HIT
age
1173075
x-cache
HIT
status
200
x-cache-hits
14
x-ah-environment
prod
content-encoding
br
vary
Host,Accept-Encoding
cf-request-id
02fe5031690000635910aca200000001
x-request-id
v-9c2daf9a-9632-11ea-b9d4-0fb7f10959e7
last-modified
Sun, 26 Apr 2020 01:33:15 GMT
server
cloudflare
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
text/css
cache-control
public, max-age=1814400
cf-ray
59aa4fc8af236359-FRA
expires
Thu, 18 Jun 2020 19:16:42 GMT
css_zO1_93cGxIYyEO1P1C5EyfYUrSlZX6GteTp_t92Egzs.css
www.zscaler.com/sites/default/files/css/
1 MB
123 KB
Stylesheet
General
Full URL
https://www.zscaler.com/sites/default/files/css/css_zO1_93cGxIYyEO1P1C5EyfYUrSlZX6GteTp_t92Egzs.css
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2606:4700::6813:d63e , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software
cloudflare /
Resource Hash
cced7ff77706c4863210ed4fd42e44c9f614ad29595fa1ad793a7fb7dd84833b
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; preload
X-Content-Type-Options nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff
cf-cache-status
HIT
age
42615
x-cache
HIT
status
200
x-cache-hits
25
x-ah-environment
prod
content-encoding
br
vary
Host,Accept-Encoding
cf-request-id
02fe5031690000635910acb200000001
x-request-id
v-0ffece96-a0b4-11ea-86e5-9f03ee1593cf
last-modified
Thu, 28 May 2020 07:22:42 GMT
server
cloudflare
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
text/css
cache-control
public, max-age=1814400
cf-ray
59aa4fc8af246359-FRA
expires
Thu, 18 Jun 2020 19:16:43 GMT
css
fonts.googleapis.com/
19 KB
2 KB
Stylesheet
General
Full URL: https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,500,500i,700,700i
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2a00:1450:4001:814::200a, Frankfurt am Main, Germany, ASN15169 (GOOGLE, US)
Reverse DNS: (empty)
Software: ESF
Resource Hash: 07e488fc7ca98a10872edeac01b7baffc4ee033ba9dda67d1de361df52af331b
Security Headers
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security
max-age=31536000
content-encoding
gzip
x-content-type-options
nosniff
status
200
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
x-xss-protection
0
last-modified
Thu, 28 May 2020 19:16:43 GMT
server
ESF
date
Thu, 28 May 2020 19:16:43 GMT
x-frame-options
SAMEORIGIN
content-type
text/css; charset=utf-8
access-control-allow-origin
*
cache-control
private, max-age=86400, stale-while-revalidate=604800
timing-allow-origin
*
link
<https://fonts.gstatic.com>; rel=preconnect; crossorigin
expires
Thu, 28 May 2020 19:16:43 GMT
zscaler-hdr-logo.svg
www.zscaler.com/themes/custom/zscaler/images/shared/
4 KB
2 KB
Image
General
Full URL: https://www.zscaler.com/themes/custom/zscaler/images/shared/zscaler-hdr-logo.svg
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: 9889de61b49684c87111bcc4c726a73c3e6d799ca8eefa7f3dc109d533e92470
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff
cf-cache-status
HIT
age
1198932
x-cache
HIT
status
200
x-cache-hits
30
x-ah-environment
prod
content-encoding
br
vary
Host, Accept-Encoding
cf-request-id
02fe5031740000635910acc200000001
x-request-id
v-63d3dd04-331d-11ea-8684-1b8793240112
last-modified
Thu, 21 Nov 2019 05:31:29 GMT
server
cloudflare
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/svg+xml
expires
Thu, 18 Jun 2020 19:16:43 GMT
cache-control
public, max-age=1814400
cf-ray
59aa4fc8bf326359-FRA
cf-bgj
h2pri
zscaler-header-logo-white.png
www.zscaler.com/cdn-cgi/image/format=auto/themes/custom/zscaler/images/shared/
2 KB
2 KB
Image
General
Full URL: https://www.zscaler.com/cdn-cgi/image/format=auto/themes/custom/zscaler/images/shared/zscaler-header-logo-white.png
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: e1e09aad7716ffaa184b9b945a599df7ced0d8a6f542160da654595050285eb7
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
HIT
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
2070
cf-request-id
02fe5031740000635910acd200000001
last-modified
Fri, 20 Sep 2019 09:57:57 GMT
server
cloudflare
etag
"cfHyg68MiQMwy4zqR-Sk_glg"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/h t=0.009 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fc8bf336359-FRA
expires
Wed, 17 Jun 2020 22:10:51 GMT
default-male-avatar.png
www.zscaler.com/cdn-cgi/image/format=auto/themes/custom/zscaler/images/blog/
762 B
947 B
Image
General
Full URL: https://www.zscaler.com/cdn-cgi/image/format=auto/themes/custom/zscaler/images/blog/default-male-avatar.png
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: 3ebe5f3828c912e78aa7a84ded542df0601f54e389f0a06d710720fcdbd86010
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
HIT
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
762
cf-request-id
02fe5031740000635910ace200000001
last-modified
Fri, 20 Sep 2019 09:57:45 GMT
server
cloudflare
etag
"cf0ol14c_S-lxG_o9kU4-uWg"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/h t=0.019 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fc8bf346359-FRA
expires
Sun, 07 Jun 2020 08:20:21 GMT
form%20and%20modules.jpg
www.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/Ursnif_03_24/
11 KB
11 KB
Image
General
Full URL: https://www.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/Ursnif_03_24/form%20and%20modules.jpg
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: 386789d854ed4db8645002aa19c02fdcbfcafb9c5950dd68b1e6ff271d81630f
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
MISS
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
11162
cf-request-id
02fe5031740000635910acf200000001
last-modified
Tue, 31 Mar 2020 04:24:51 GMT
server
cloudflare
etag
"cfjV2-JQbGF8_i2n_sf8TBXQ"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/h t=0.072 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fc8bf356359-FRA
expires
Thu, 18 Jun 2020 19:16:43 GMT
macro%20code.jpg
www.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/Ursnif_03_24/
39 KB
39 KB
Image
General
Full URL: https://www.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/Ursnif_03_24/macro%20code.jpg
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: 3ef6f17579cac3cfcce956c2cc33d997191f7c4534c0976674d9a365192e02a3
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:44 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
MISS
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
40038
cf-request-id
02fe5031740000635910ad0200000001
last-modified
Tue, 31 Mar 2020 04:24:55 GMT
server
cloudflare
etag
"cfsZbVkeTdXiT2tA5BtX6xMg"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/m t=1.240 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fc8bf366359-FRA
expires
Thu, 18 Jun 2020 19:16:44 GMT
cleaned.js_.jpg
www.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/Ursnif_03_24/
48 KB
49 KB
Image
General
Full URL: https://www.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/Ursnif_03_24/cleaned.js_.jpg
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: c445c3f21329b6adcd62130d315cb662b0bd2aa0be43153592a12a729871f829
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
HIT
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
49568
cf-request-id
02fe5031770000635910ad3200000001
last-modified
Tue, 31 Mar 2020 04:24:49 GMT
server
cloudflare
etag
"cf963_1EWhHrqBgG65r1uS0w"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/m t=1.211 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fc8bf3a6359-FRA
expires
Tue, 16 Jun 2020 20:59:06 GMT
function_cleaned.jpg
www.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/Ursnif_03_24/
52 KB
53 KB
Image
General
Full URL: https://www.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/Ursnif_03_24/function_cleaned.jpg
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: 91ec1559bb1fc6ab4d7752514d4237cb3d1d22e5cb668bcd22b83f5f31470620
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:44 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
MISS
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
53598
cf-request-id
02fe5031770000635910ad4200000001
last-modified
Tue, 31 Mar 2020 04:24:53 GMT
server
cloudflare
etag
"cfm_SmnIOJzPfsedysYgHKuw"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/m t=1.334 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fc8bf3c6359-FRA
expires
Thu, 18 Jun 2020 19:16:44 GMT
mail-icon.svg
www.zscaler.com/themes/custom/zscaler/images/blog/
1021 B
684 B
Image
General
Full URL: https://www.zscaler.com/themes/custom/zscaler/images/blog/mail-icon.svg
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: ac87ad7a2bef0649ec3f84eebacf1e02bd48647caa281c1da27cc26263abc75b
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff
cf-cache-status
HIT
age
1156819
x-cache
HIT
status
200
x-cache-hits
17
x-ah-environment
prod
content-encoding
br
vary
Host, Accept-Encoding
cf-request-id
02fe5031770000635910ad5200000001
x-request-id
v-aab75736-331e-11ea-a987-5fc997568479
last-modified
Fri, 20 Sep 2019 09:57:55 GMT
server
cloudflare
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/svg+xml
expires
Thu, 18 Jun 2020 19:16:43 GMT
cache-control
public, max-age=1814400
cf-ray
59aa4fc8bf3e6359-FRA
cf-bgj
h2pri
facebook-icon.svg
www.zscaler.com/themes/custom/zscaler/images/blog/
1 KB
913 B
Image
General
Full URL: https://www.zscaler.com/themes/custom/zscaler/images/blog/facebook-icon.svg
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: 7221be22d59bd95b5c1e47590a48d06d367a965213a39ca929241e4a6f9ee7ee
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff
cf-cache-status
HIT
age
82488
x-cache
HIT
status
200
x-cache-hits
2
x-ah-environment
prod
content-encoding
br
vary
Host, Accept-Encoding
cf-request-id
02fe5031770000635910ad6200000001
x-request-id
v-a882ed22-a051-11ea-b9b2-071bd50f1a94
last-modified
Fri, 20 Sep 2019 09:57:45 GMT
server
cloudflare
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/svg+xml
cache-control
public, max-age=1814400
cf-ray
59aa4fc8bf436359-FRA
expires
Thu, 18 Jun 2020 19:16:43 GMT
linkedin-icon.svg
www.zscaler.com/themes/custom/zscaler/images/blog/
1 KB
817 B
Image
General
Full URL: https://www.zscaler.com/themes/custom/zscaler/images/blog/linkedin-icon.svg
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: 391f4dc402b6ecb016765b0eae6e508d409b577b79e87dd1dbade260d4495581
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff
cf-cache-status
HIT
age
1156819
x-cache
MISS
status
200
cf-bgj
h2pri
x-ah-environment
prod
content-encoding
br
vary
Host, Accept-Encoding
cf-request-id
02fe5031770000635910ad7200000001
x-request-id
v-2f57c09e-8611-11ea-ac20-33ab4b5736bb
last-modified
Fri, 20 Sep 2019 09:57:55 GMT
server
cloudflare
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/svg+xml
cache-control
public, max-age=1814400
cf-ray
59aa4fc8bf456359-FRA
expires
Thu, 18 Jun 2020 19:16:43 GMT
twitter-icon.svg
www.zscaler.com/themes/custom/zscaler/images/blog/
1 KB
851 B
Image
General
Full URL: https://www.zscaler.com/themes/custom/zscaler/images/blog/twitter-icon.svg
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: c8abaf8f630ae4af089de7c1b5d7d8f54cec867b3ecf76256db2f5a9fffe7c0c
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff
cf-cache-status
HIT
age
1156819
x-cache
HIT
status
200
x-cache-hits
18
x-ah-environment
prod
content-encoding
br
vary
Host, Accept-Encoding
cf-request-id
02fe5031770000635910ad8200000001
x-request-id
v-dd4e1d26-331c-11ea-9951-4b07c20bc722
last-modified
Fri, 20 Sep 2019 09:57:55 GMT
server
cloudflare
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/svg+xml
expires
Thu, 18 Jun 2020 19:16:43 GMT
cache-control
public, max-age=1814400
cf-ray
59aa4fc8bf4b6359-FRA
cf-bgj
h2pri
gdpr-cover-2%20copy_1.jpg
www.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/
36 KB
36 KB
Image
General
Full URL: https://www.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/gdpr-cover-2%20copy_1.jpg
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: 12da9c3b336f7fdad4730d5cb8f85410aa8f4e181cf12a76be0055dc620bd5bf
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
HIT
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
36508
cf-request-id
02fe5031770000635910ad9200000001
last-modified
Wed, 20 May 2020 19:02:38 GMT
server
cloudflare
etag
"cflLUhumBFGzYsAAs0AiY2vA"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/h t=0.326 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fc8bf4e6359-FRA
expires
Thu, 18 Jun 2020 17:07:26 GMT
beach-image_1.jpg
www.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/
177 KB
177 KB
Image
General
Full URL: https://www.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/beach-image_1.jpg
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: 8be18d8d2cb7c971759d990f483fe2012d863e38d48fd2fa8f51d53ff2a0bc40
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
HIT
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
181038
cf-request-id
02fe5031770000635910ada200000001
last-modified
Tue, 26 May 2020 22:03:00 GMT
server
cloudflare
etag
"cfg5HjZvWCv8ryKk-LJ3oOkg"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/h t=0.267 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fc8bf4f6359-FRA
expires
Wed, 17 Jun 2020 16:22:31 GMT
email-decode.min.js
www.zscaler.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/
1 KB
872 B
Script
General
Full URL: https://www.zscaler.com/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: 2595496fe48df6fcf9b1bc57c29a744c121eb4dd11566466bc13d2e52e6bbcc8
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Frame-Options: SAMEORIGIN

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
content-encoding
gzip
vary
Accept-Encoding
last-modified
Tue, 26 May 2020 17:48:24 GMT
server
cloudflare
etag
W/"5ecd5668-4d7"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-frame-options
SAMEORIGIN
content-type
application/javascript
status
200
cache-control
max-age=172800, public
strict-transport-security
max-age=31536000; preload
cf-ray
59aa4fc8bf376359-FRA
cf-request-id
02fe5031770000635910ad1200000001
expires
Sat, 30 May 2020 19:16:43 GMT
js_o43iLYjFaCbMP-fYtzOeS9trqU2USVukbKv0kuGUAXQ.js
www.zscaler.com/sites/default/files/js/
738 KB
195 KB
Script
General
Full URL: https://www.zscaler.com/sites/default/files/js/js_o43iLYjFaCbMP-fYtzOeS9trqU2USVukbKv0kuGUAXQ.js
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: a38de22d88c56826cc3fe7d8b7339e4bdb6ba94d94495ba46cabf492e1940174
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff
cf-cache-status
HIT
age
101274
x-cache
HIT
status
200
x-cache-hits
8
x-ah-environment
prod
content-encoding
br
vary
Host,Accept-Encoding
cf-request-id
02fe5031770000635910ad2200000001
x-request-id
v-2b1dc6a2-a02b-11ea-a9b6-d3d4e886ded0
last-modified
Wed, 27 May 2020 15:02:15 GMT
server
cloudflare
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
text/javascript
cache-control
public, max-age=1814400
cf-ray
59aa4fc8bf396359-FRA
expires
Thu, 18 Jun 2020 19:16:43 GMT
92ede4fc-c076-4245-8c3f-85e672763690.js
cdn.cookielaw.org/langswitch/
2 KB
1 KB
Script
General
Full URL: https://cdn.cookielaw.org/langswitch/92ede4fc-c076-4245-8c3f-85e672763690.js
Requested by: Host www.zscaler.com, URL https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol: H2
Security: TLS 1.3, AES_256_GCM
Server: 2606:2800:233:1cb7:261b:1f9c:2074:3c, United States, ASN15133 (EDGECAST, US)
Reverse DNS: (empty)
Software: ECAcc (frc/8FA5)
Resource Hash: 3e630c1952503eb5a33e15aad315e03ae9d699c1c03ec1027c234933b37c9671
Security Headers: none reported for this response

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

x-ms-blob-type
BlockBlob
date
Thu, 28 May 2020 19:16:43 GMT
content-encoding
gzip
content-md5
wNMyoZp2a7YtIJ5FlCf5Pg==
age
341
x-cache
HIT
status
200
content-length
737
x-ms-lease-status
unlocked
last-modified
Mon, 22 Apr 2019 21:38:32 GMT
server
ECAcc (frc/8FA5)
etag
0x8D6C76ADDE64110
vary
Accept-Encoding
content-type
application/x-javascript
access-control-allow-origin
*
x-ms-request-id
cd9199ea-201e-016c-1d23-353560000000
access-control-expose-headers
x-ms-request-id,Server,x-ms-version,Content-Length,Date,Transfer-Encoding
cache-control
public, max-age=14400
x-ms-version
2009-09-19
accept-ranges
bytes
expires
Thu, 28 May 2020 23:16:43 GMT
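The Security Headers tables in this report are read off the raw response headers listed under each transaction, and the interesting cases are visible above: email-decode.min.js carries X-Frame-Options but no X-Content-Type-Options, the Cloudflare-resized images carry "nosniff, nosniff" (two layers each emitted the header and the values were coalesced), and the cookielaw.org script carries no HSTS or nosniff at all and is served as application/x-javascript with a wildcard CORS header. The following is an added example, not part of the urlscan.io report or of Zscaler's site: a small parser for this alternating name/value layout plus the checks a reviewer would apply. The sample input is copied from three transactions on this page and trimmed to the headers the checks inspect; the thresholds and finding texts are the example's own choices.

```python
"""Security-header audit over a urlscan.io-style transaction dump (added example)."""
import re
from typing import Dict, List

ONE_YEAR = 31536000  # HSTS max-age threshold used by the preload list

# Constructed sample: response-header blocks copied from three transactions on
# this page (email-decode.min.js, gdpr-cover-2%20copy_1.jpg, the cookielaw.org
# script), trimmed to the headers the checks below look at.
SAMPLE_DUMP = """\
email-decode.min.js

Response headers

x-frame-options
SAMEORIGIN
content-type
application/javascript
strict-transport-security
max-age=31536000; preload

gdpr-cover-2%20copy_1.jpg

Response headers

x-content-type-options
nosniff, nosniff
strict-transport-security
max-age=31536000; preload
content-type
image/webp

92ede4fc-c076-4245-8c3f-85e672763690.js

Response headers

content-type
application/x-javascript
access-control-allow-origin
*
cache-control
public, max-age=14400
"""


def parse_dump(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map resource name -> {lower-case header name: [values]}.

    The resource name is the last non-blank line before a "Response headers"
    heading; header lines then alternate name/value until the next blank line.
    """
    lines = text.splitlines()
    resources: Dict[str, Dict[str, List[str]]] = {}
    i = 0
    while i < len(lines):
        if lines[i].strip() != "Response headers":
            i += 1
            continue
        j = i - 1
        while j >= 0 and not lines[j].strip():
            j -= 1
        headers = resources.setdefault(lines[j].strip() if j >= 0 else "<unnamed>", {})
        i += 1
        while i < len(lines) and not lines[i].strip():  # blank line(s) after heading
            i += 1
        while i + 1 < len(lines) and lines[i].strip():  # name/value pairs
            headers.setdefault(lines[i].strip().lower(), []).append(lines[i + 1].strip())
            i += 2
    return resources


def check_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return findings for one resource; an empty list means nothing to flag."""
    findings: List[str] = []
    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "preload" not in hsts[0].lower():
            findings.append("info: HSTS without preload directive")
    xcto = headers.get("x-content-type-options")
    if not xcto:
        findings.append("missing X-Content-Type-Options")
    else:
        # "nosniff, nosniff" = origin and CDN both emitted it; harmless but worth knowing.
        tokens = [t.strip().lower() for v in xcto for t in v.split(",")]
        if "nosniff" not in tokens:
            findings.append("X-Content-Type-Options set but not 'nosniff'")
        elif tokens.count("nosniff") > 1:
            findings.append("X-Content-Type-Options emitted more than once")
    if headers.get("content-type", [""])[0].lower().startswith("application/x-javascript"):
        findings.append("legacy Content-Type application/x-javascript on a script")
    if headers.get("access-control-allow-origin", [""])[0].strip() == "*":
        findings.append("note: Access-Control-Allow-Origin * (fine for public static "
                        "files, not for anything credentialed)")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Run check_headers over every resource in the dump."""
    return {name: check_headers(h) for name, h in parse_dump(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_DUMP).items():
        print(name)
        for f in findings or ["ok"]:
            print("  -", f)
```

Run it as a script to print one block per resource; feed it the response-header sections of a full report to audit every transaction at once. The duplicate-nosniff check is deliberately informational: browsers treat the coalesced value the same as a single nosniff, but it shows two layers are setting policy on the same path.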
zscaler-home-navigation-dropDown-products.jpg
www.zscaler.com/cdn-cgi/image/format=auto/themes/custom/zscaler/images/shared/menu-backgrounds/
13 KB
13 KB
Image
General
Full URL: https://www.zscaler.com/cdn-cgi/image/format=auto/themes/custom/zscaler/images/shared/menu-backgrounds/zscaler-home-navigation-dropDown-products.jpg
Requested by: Host www.google-analytics.com, URL https://www.google-analytics.com/analytics.js
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: 429760f352eff0a9b97d49c7b8f9f9dc427e9286828542e5df771ba2c1517575
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
HIT
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
12928
cf-request-id
02fe5031850000635910adb200000001
last-modified
Fri, 20 Sep 2019 09:57:57 GMT
server
cloudflare
etag
"cfMW76R1cVRD8NHqewFjj0pQ"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/h t=0.049 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fc8df536359-FRA
expires
Thu, 11 Jun 2020 01:37:20 GMT
zscaler-home-navigation-dropDown-solutions.jpg
www.zscaler.com/cdn-cgi/image/format=auto/themes/custom/zscaler/images/shared/menu-backgrounds/
10 KB
10 KB
Image
General
Full URL: https://www.zscaler.com/cdn-cgi/image/format=auto/themes/custom/zscaler/images/shared/menu-backgrounds/zscaler-home-navigation-dropDown-solutions.jpg
Requested by: Host www.google-analytics.com, URL https://www.google-analytics.com/analytics.js
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: e6c93ca77ae18a172058a361c3269bbdc8c21153855c731550db0b4306d0c43d
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
HIT
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
10320
cf-request-id
02fe5031850000635910adc200000001
last-modified
Fri, 20 Sep 2019 09:57:46 GMT
server
cloudflare
etag
"cfOj4gQEoOfK4PXuMzhnQHew"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/h t=0.040 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fc8df566359-FRA
expires
Wed, 17 Jun 2020 04:30:09 GMT
zscaler-home-navigation-dropDown-resources.jpg
www.zscaler.com/cdn-cgi/image/format=auto/themes/custom/zscaler/images/shared/menu-backgrounds/
14 KB
14 KB
Image
General
Full URL: https://www.zscaler.com/cdn-cgi/image/format=auto/themes/custom/zscaler/images/shared/menu-backgrounds/zscaler-home-navigation-dropDown-resources.jpg
Requested by: Host www.google-analytics.com, URL https://www.google-analytics.com/analytics.js
Protocol: H2
Security: TLS 1.3, AES_128_GCM
Server: 2606:4700::6813:d63e, United States, ASN13335 (CLOUDFLARENET, US)
Reverse DNS: (empty)
Software: cloudflare
Resource Hash: c2a87a17d6f31133d7ac377f3608b91101b1a83dec5f1d001467f61443ddde2e
Security Headers
Strict-Transport-Security: max-age=31536000; preload
X-Content-Type-Options: nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
HIT
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
14226
cf-request-id
02fe5031850000635910add200000001
last-modified
Fri, 20 Sep 2019 09:57:57 GMT
server
cloudflare
etag
"cfZE-9HQ3fOVPB5AkRVOlVrA"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/h t=0.048 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fc8df586359-FRA
expires
Mon, 15 Jun 2020 07:29:58 GMT
zscaler-home-navigation-dropDown-company.jpg
www.zscaler.com/cdn-cgi/image/format=auto/themes/custom/zscaler/images/shared/menu-backgrounds/
14 KB
14 KB
Image
General
Full URL
https://www.zscaler.com/cdn-cgi/image/format=auto/themes/custom/zscaler/images/shared/menu-backgrounds/zscaler-home-navigation-dropDown-company.jpg
Requested by
Host: www.google-analytics.com
URL: https://www.google-analytics.com/analytics.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2606:4700::6813:d63e , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software
cloudflare /
Resource Hash
b518eb58505b9843b13a5e1f1c9dc3f084b7cfc62f2d4c8e7ea6d4adb494a221
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; preload
X-Content-Type-Options nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
HIT
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
14522
cf-request-id
02fe5031850000635910ade200000001
last-modified
Fri, 20 Sep 2019 09:57:46 GMT
server
cloudflare
etag
"cfUzyhd10Pe_7v-AkSsCOkRA"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/h t=0.053 v=2020.4.0
accept-ranges
bytes
cf-ray
59aa4fc8df596359-FRA
expires
Wed, 10 Jun 2020 22:53:08 GMT
zscaler-blog-post-hero-malvertising@2x.jpg
www.zscaler.com/cdn-cgi/image/format=auto/themes/custom/zscaler/images/blog/post-images/
46 KB
46 KB
Image
General
Full URL
https://www.zscaler.com/cdn-cgi/image/format=auto/themes/custom/zscaler/images/blog/post-images/zscaler-blog-post-hero-malvertising@2x.jpg
Requested by
Host: www.google-analytics.com
URL: https://www.google-analytics.com/analytics.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2606:4700::6813:d63e , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software
cloudflare /
Resource Hash
fccb5053288c30cfd44b92b998918772d2ad4b4d66375b381a77e24d414e2d7e
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; preload
X-Content-Type-Options nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
HIT
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
47048
cf-request-id
02fe5031850000635910adf200000001
last-modified
Fri, 20 Sep 2019 09:57:45 GMT
server
cloudflare
etag
"cf2lwoa4fhKsr0GRKG6zkFEQ"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/h t=0.367 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fc8df5c6359-FRA
expires
Wed, 17 Jun 2020 08:50:06 GMT
zscaler-blog-cyber-security-1.jpg
www.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/----category-images/cyber-security/
41 KB
42 KB
Image
General
Full URL
https://www.zscaler.com/cdn-cgi/image/format=auto/sites/default/files/images/blogs/----category-images/cyber-security/zscaler-blog-cyber-security-1.jpg
Requested by
Host: www.google-analytics.com
URL: https://www.google-analytics.com/analytics.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2606:4700::6813:d63e , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software
cloudflare /
Resource Hash
42a7e0100b9a467cc8a9123b484f68b0d729974eb1c00eb64a42eedfc3820a3e
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; preload
X-Content-Type-Options nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
MISS
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
42388
cf-request-id
02fe5031850000635910ae0200000001
last-modified
Wed, 28 Feb 2018 10:03:37 GMT
server
cloudflare
etag
"cfSy5VN6Woa_KhlXJCFQJG0w"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/h t=0.048 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fc8df606359-FRA
expires
Thu, 18 Jun 2020 19:16:43 GMT
js
www.google-analytics.com/gtm/
66 KB
26 KB
Script
General
Full URL
https://www.google-analytics.com/gtm/js?id=GTM-5KQJVPX&t=gtm1&cid=1965849376.1590693403
Requested by
Host: www.google-analytics.com
URL: https://www.google-analytics.com/analytics.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81b::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
Google Tag Manager /
Resource Hash
5cf8cf94d7ab821dbfc44f7389185f3f8c9a5eb0df44bdca45ec2a0ec8f2b24c
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubDomains
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
content-encoding
br
vary
Accept-Encoding
status
200
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
26730
x-xss-protection
0
last-modified
Thu, 28 May 2020 18:00:00 GMT
server
Google Tag Manager
strict-transport-security
max-age=31536000; includeSubDomains
content-type
application/javascript; charset=UTF-8
access-control-allow-origin
*
cache-control
private, max-age=900
access-control-allow-credentials
true
access-control-allow-headers
Cache-Control
expires
Thu, 28 May 2020 19:16:43 GMT
collect
px.ads.linkedin.com/
Redirect Chain
  • https://px.ads.linkedin.com/collect?v=2&fmt=js&pid=33962&url=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&time=1590693403088
  • https://www.linkedin.com/px/li_sync?redirect=https%3A%2F%2Fpx.ads.linkedin.com%2Fcollect%3Fv%3D2%26fmt%3Djs%26pid%3D33962%26url%3Dhttps%253A%252F%252Fwww.zscaler.com%252Fblogs%252Fresearch%252Fnew-...
  • https://px.ads.linkedin.com/collect?v=2&fmt=js&pid=33962&url=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&time=1590693403088&liSync=true
0
59 B
Image
General
Full URL
https://px.ads.linkedin.com/collect?v=2&fmt=js&pid=33962&url=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&time=1590693403088&liSync=true
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
2a05:f500:10:101::b93f:9105 , Ireland, ASN14413 (LINKEDIN, US),
Reverse DNS
Software
Play /
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
server
Play
linkedin-action
1
x-li-fabric
prod-lva1
status
200
x-li-proto
http/2
x-li-pop
prod-efr5
content-type
application/javascript
content-length
0
x-li-uuid
dIoKCTlHExagWMbr9CoAAA==

Redirect headers

strict-transport-security
max-age=2592000
x-content-type-options
nosniff
nel
{"report_to":"network-errors","max_age":1296000,"success_fraction":0.00066,"failure_fraction":1,"include_subdomains":true}
linkedin-action
1
status
302
content-length
0
x-li-uuid
wvWZ/ThHExZgaZAqIisAAA==
pragma
no-cache
x-li-pop
afd-prod-esv5
x-msedge-ref
Ref A: 2A092B63B33C403DA813472DBFE0ED4E Ref B: FRAEDGE0710 Ref C: 2020-05-28T19:16:43Z
date
Thu, 28 May 2020 19:16:43 GMT
expect-ct
max-age=86400, report-uri="https://www.linkedin.com/platform-telemetry/ct"
x-frame-options
sameorigin
report-to
{"group":"network-errors","max_age":2592000,"endpoints":[{"url":"https://www.linkedin.com/li/rep"}],"include_subdomains":true}
x-li-fabric
prod-lva1
location
https://px.ads.linkedin.com/collect?v=2&fmt=js&pid=33962&url=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&time=1590693403088&liSync=true
x-xss-protection
1; mode=block
cache-control
no-cache, no-store
content-security-policy
default-src *; connect-src 'self' https://media-src.linkedin.com/media/ www.linkedin.com s.c.lnkd.licdn.com m.c.lnkd.licdn.com s.c.exp1.licdn.com s.c.exp2.licdn.com m.c.exp1.licdn.com m.c.exp2.licdn.com wss://*.linkedin.com dms.licdn.com https://dpm.demdex.net/id https://lnkd.demdex.net/event blob: static.licdn.com static-exp1.licdn.com static-exp2.licdn.com static-exp3.licdn.com media.licdn.com media-exp1.licdn.com media-exp2.licdn.com media-exp3.licdn.com; img-src data: blob: *; font-src data: *; style-src 'unsafe-inline' 'self' static-src.linkedin.com *.licdn.com; script-src 'report-sample' 'unsafe-inline' 'unsafe-eval' 'self' spdy.linkedin.com static-src.linkedin.com *.ads.linkedin.com *.licdn.com static.chartbeat.com www.google-analytics.com ssl.google-analytics.com bcvipva02.rightnowtech.com www.bizographics.com sjs.bizographics.com js.bizographics.com d.la4-c1-was.salesforceliveagent.com slideshare.www.linkedin.com https://snap.licdn.com/li.lms-analytics/insight.min.js platform.linkedin.com platform-akam.linkedin.com platform-ecst.linkedin.com platform-azur.linkedin.com; object-src 'none'; media-src blob: *; child-src blob: lnkd-communities: voyager: *; frame-ancestors 'self'
x-li-proto
http/2
expires
Thu, 01 Jan 1970 00:00:00 GMT
/
googleads.g.doubleclick.net/pagead/viewthroughconversion/973777747/
2 KB
2 KB
Script
General
Full URL
https://googleads.g.doubleclick.net/pagead/viewthroughconversion/973777747/?random=1590693403093&cv=9&fst=1590693403093&num=1&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg5k1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&tiba=New%20Ursnif%20Campaign%3A%20From%20PowerShell%20to%20Mshta%20%7C%20blog&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4
Requested by
Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion_async.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:824::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
cafe /
Resource Hash
658ca3735e2006c5661c472b777474ac2294c0cacabb9c4526e13046eea530f5
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:43 GMT
content-encoding
gzip
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status
200
cache-control
no-cache, must-revalidate
content-disposition
attachment; filename="f.txt"
content-type
text/javascript; charset=UTF-8
alt-svc
h3-27="googleads.g.doubleclick.net:443"; ma=2592000,h3-27=":443"; ma=2592000,h3-25="googleads.g.doubleclick.net:443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050="googleads.g.doubleclick.net:443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43"
content-length
1051
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
googleads.g.doubleclick.net/pagead/viewthroughconversion/812494211/
2 KB
1 KB
Script
General
Full URL
https://googleads.g.doubleclick.net/pagead/viewthroughconversion/812494211/?random=1590693403096&cv=9&fst=1590693403096&num=1&guid=ON&resp=GooglemKTybQhCsO&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg5k1&sendb=1&ig=1&frm=0&url=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&tiba=New%20Ursnif%20Campaign%3A%20From%20PowerShell%20to%20Mshta%20%7C%20blog&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4
Requested by
Host: www.googleadservices.com
URL: https://www.googleadservices.com/pagead/conversion_async.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:824::2002 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
cafe /
Resource Hash
a3124cdeb89fcf468138072c5c3794904704733b6082707a905b63419e464ef6
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:43 GMT
content-encoding
gzip
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
status
200
cache-control
no-cache, must-revalidate
content-disposition
attachment; filename="f.txt"
content-type
text/javascript; charset=UTF-8
alt-svc
h3-27="googleads.g.doubleclick.net:443"; ma=2592000,h3-27=":443"; ma=2592000,h3-25="googleads.g.doubleclick.net:443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050="googleads.g.doubleclick.net:443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43"
content-length
1054
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
index.js
s.adroll.com/j/exp/
Redirect Chain
  • https://s.adroll.com/j/exp/ULSJHTPGTZGY3EPPZSKHKS/index.js
  • https://s.adroll.com/j/exp/index.js
28 B
747 B
Script
General
Full URL
https://s.adroll.com/j/exp/index.js
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
23.210.248.216 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS
a23-210-248-216.deploy.static.akamaitechnologies.com
Software
AmazonS3 /
Resource Hash
f59e5f34a941183aacaed25322ac0856628493c2cfd936ded3fddc0a49510e52

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

x-amz-version-id
zI1a68l_q6T1b2EhpOJKQKDaEgTMqZm8
Content-Encoding
gzip
ETag
"5816cced8568d223aa09d889f300692b"
x-amz-request-id
B60CFCE3C5D83057
x-amz-server-side-encryption
AES256
Connection
keep-alive
Vary
Accept-Encoding
Content-Length
48
x-amz-id-2
PaUn7ouWO0GVFhiS3VEpiXwnAv8XJFpWmGwFFF1O6iEfpbSkspWlPD0KEgLeEEnhaeuNB1WdrDI=
Last-Modified
Wed, 27 May 2020 15:57:37 GMT
Server
AmazonS3
Date
Thu, 28 May 2020 19:16:43 GMT
Access-Control-Max-Age
600
Access-Control-Allow-Methods
GET
Content-Type
application/javascript
Access-Control-Allow-Origin
*
Access-Control-Allow-Credentials
false
Accept-Ranges
bytes
Access-Control-Allow-Headers
*

Redirect headers

Date
Thu, 28 May 2020 19:16:43 GMT
Server
AkamaiGHost
Location
https://s.adroll.com/j/exp/index.js
Access-Control-Max-Age
600
Access-Control-Allow-Methods
GET
Access-Control-Allow-Origin
*
Access-Control-Allow-Credentials
false
Connection
keep-alive
Access-Control-Allow-Headers
*
Content-Length
0
index.js
s.adroll.com/j/pre/ULSJHTPGTZGY3EPPZSKHKS/22OEOVE2YNFA3EKSRERISY/
0
773 B
Script
General
Full URL
https://s.adroll.com/j/pre/ULSJHTPGTZGY3EPPZSKHKS/22OEOVE2YNFA3EKSRERISY/index.js
Requested by
Host: s.adroll.com
URL: https://s.adroll.com/j/roundtrip.js
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
23.210.248.216 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS
a23-210-248-216.deploy.static.akamaitechnologies.com
Software
AmazonS3 /
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

x-amz-version-id
ZjTJ_3h2sH0vJdenvGadM8VdobllDlJ5
Content-Encoding
gzip
ETag
"d41d8cd98f00b204e9800998ecf8427e"
x-amz-request-id
F22C86B2E39A076B
x-amz-server-side-encryption
AES256
Connection
keep-alive
Vary
Accept-Encoding
Content-Length
20
x-amz-id-2
+JM9j8LjbC9cwiesbZAhHLLnbxXgwxz0P1EK0sDEr7BDeaGLycbzdeMn+WesFTRuglKQNP2wxAQ=
Last-Modified
Thu, 28 May 2020 04:37:45 GMT
Server
AmazonS3
Date
Thu, 28 May 2020 19:16:43 GMT
Access-Control-Max-Age
600
Access-Control-Allow-Methods
GET
Content-Type
text/javascript; charset=utf-8
Access-Control-Allow-Origin
*
Cache-Control
max-age=3600, must-revalidate
Access-Control-Allow-Credentials
false
Accept-Ranges
bytes
Access-Control-Allow-Headers
*
/
d.adroll.com/consent/check/ULSJHTPGTZGY3EPPZSKHKS/
Redirect Chain
  • https://d.adroll.mgr.consensu.org/consent/iabcheck/ULSJHTPGTZGY3EPPZSKHKS?_s=11600b42880a73e612b5e8ce1304e13f&_b=2
  • https://d.adroll.com/consent/check/ULSJHTPGTZGY3EPPZSKHKS/?_s=11600b42880a73e612b5e8ce1304e13f&_b=2
115 B
583 B
Script
General
Full URL
https://d.adroll.com/consent/check/ULSJHTPGTZGY3EPPZSKHKS/?_s=11600b42880a73e612b5e8ce1304e13f&_b=2
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
54.229.99.84 Dublin, Ireland, ASN16509 (AMAZON-02, US),
Reverse DNS
ec2-54-229-99-84.eu-west-1.compute.amazonaws.com
Software
nginx/1.16.1 /
Resource Hash
88abc59fee4d6efb376d4f04f4c5d2461dccd063a11cf1ca399a907df6d62d0b

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:43 GMT
server
nginx/1.16.1
p3p
CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
status
200
cache-control
no-store, no-cache, must-revalidate
content-type
application/javascript
content-length
115

Redirect headers

status
302
date
Thu, 28 May 2020 19:16:43 GMT
server
nginx/1.16.1
content-length
105
location
https://d.adroll.com/consent/check/ULSJHTPGTZGY3EPPZSKHKS/?_s=11600b42880a73e612b5e8ce1304e13f&_b=2
collect
www.google-analytics.com/
35 B
192 B
Image
General
Full URL
https://www.google-analytics.com/collect?v=1&_v=j82&a=1542488913&t=pageview&_s=1&dl=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&ul=en-us&de=UTF-8&dt=New%20Ursnif%20Campaign%3A%20From%20PowerShell%20to%20Mshta%20%7C%20blog&sd=24-bit&sr=1600x1200&vp=1600x1200&je=0&_u=aGDAgEADQ~&jid=717828031&gjid=807119452&cid=1965849376.1590693403&tid=UA-6177009-1&_gid=102566784.1590693403&gtm=2wg5k15SLZFK&z=327694248
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81b::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
Golfe2 /
Resource Hash
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015
Security Headers
Name Value
X-Content-Type-Options nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Sun, 17 May 2020 05:08:17 GMT
x-content-type-options
nosniff
last-modified
Sun, 17 May 1998 03:00:00 GMT
server
Golfe2
age
1001306
status
200
content-type
image/gif
access-control-allow-origin
*
cache-control
no-cache, no-store, must-revalidate
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
35
expires
Mon, 01 Jan 1990 00:00:00 GMT
ga-audiences
www.google.de/ads/
Redirect Chain
  • https://stats.g.doubleclick.net/r/collect?t=dc&aip=1&_r=3&v=1&_v=j82&tid=UA-6177009-1&cid=1965849376.1590693403&jid=717828031&gjid=807119452&_gid=102566784.1590693403&_u=aGDAgEADQ~&z=441964033
  • https://www.google.com/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-6177009-1&cid=1965849376.1590693403&jid=717828031&_v=j82&z=441964033
  • https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-6177009-1&cid=1965849376.1590693403&jid=717828031&_v=j82&z=441964033&slf_rd=1&random=1132633929
42 B
535 B
Image
General
Full URL
https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-6177009-1&cid=1965849376.1590693403&jid=717828031&_v=j82&z=441964033&slf_rd=1&random=1132633929
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81f::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:43 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-type
image/gif
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT

Redirect headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:43 GMT
x-content-type-options
nosniff
server
cafe
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
302
content-type
text/html; charset=UTF-8
location
https://www.google.de/ads/ga-audiences?v=1&aip=1&t=sr&_r=4&tid=UA-6177009-1&cid=1965849376.1590693403&jid=717828031&_v=j82&z=441964033&slf_rd=1&random=1132633929
cache-control
no-cache, no-store, must-revalidate
timing-allow-origin
*
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
0
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
fa-brands-400.woff2
www.zscaler.com/themes/custom/zscaler/vendor/font-awesome/webfonts/
73 KB
73 KB
Font
General
Full URL
https://www.zscaler.com/themes/custom/zscaler/vendor/font-awesome/webfonts/fa-brands-400.woff2
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2606:4700::6813:d63e , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software
cloudflare /
Resource Hash
03b742a6efdb17797c84c2b5db25f5cda6a3361fa5e62b98662e321b26f77331
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; preload
X-Content-Type-Options nosniff

Request headers

User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Referer
https://www.zscaler.com/sites/default/files/css/css_zO1_93cGxIYyEO1P1C5EyfYUrSlZX6GteTp_t92Egzs.css
Origin
https://www.zscaler.com

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff
cf-cache-status
HIT
age
210290
x-cache
HIT
status
200
x-cache-hits
12
x-ah-environment
prod
vary
Host, Accept-Encoding
content-length
74800
cf-request-id
02fe5032570000635910aeb200000001
x-request-id
v-b40e3dbe-9f1a-11ea-96c1-43628c3547a3
last-modified
Fri, 20 Sep 2019 09:57:57 GMT
server
cloudflare
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
access-control-allow-origin
*
cache-control
public, max-age=1814400
accept-ranges
bytes
cf-ray
59aa4fca28246359-FRA
expires
Thu, 18 Jun 2020 19:16:43 GMT
KFOmCnqEu92Fr1Mu4mxKKTU1Kg.woff2
fonts.gstatic.com/s/roboto/v20/
11 KB
11 KB
Font
General
Full URL
https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxKKTU1Kg.woff2
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:820::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
sffe /
Resource Hash
5d1bc9b443f3f81fa4b4ad4634c1bb9702194c1898e3a9de0ab5e2cdc0e9f479
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Referer
https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,500,500i,700,700i
Origin
https://www.zscaler.com

Response headers

date
Tue, 19 May 2020 23:49:29 GMT
x-content-type-options
nosniff
last-modified
Wed, 24 Jul 2019 01:18:50 GMT
server
sffe
age
761234
status
200
content-type
font/woff2
access-control-allow-origin
*
cache-control
public, max-age=31536000
accept-ranges
bytes
timing-allow-origin
*
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
11016
x-xss-protection
0
expires
Wed, 19 May 2021 23:49:29 GMT
KFOlCnqEu92Fr1MmWUlfBBc4AMP6lQ.woff2
fonts.gstatic.com/s/roboto/v20/
11 KB
11 KB
Font
General
Full URL
https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmWUlfBBc4AMP6lQ.woff2
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:820::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
sffe /
Resource Hash
0d9fd7ccabde9b202de45ee6b65878ce9594975d8e8810b0878d3f3fa3637d0e
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Referer
https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,500,500i,700,700i
Origin
https://www.zscaler.com

Response headers

date
Tue, 26 May 2020 05:53:44 GMT
x-content-type-options
nosniff
last-modified
Wed, 24 Jul 2019 01:18:58 GMT
server
sffe
age
220979
status
200
content-type
font/woff2
access-control-allow-origin
*
cache-control
public, max-age=31536000
accept-ranges
bytes
timing-allow-origin
*
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
11020
x-xss-protection
0
expires
Wed, 26 May 2021 05:53:44 GMT
KFOlCnqEu92Fr1MmSU5fBBc4AMP6lQ.woff2
fonts.gstatic.com/s/roboto/v20/
11 KB
11 KB
Font
General
Full URL
https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmSU5fBBc4AMP6lQ.woff2
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:820::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
sffe /
Resource Hash
92606bd38901e67d069f2ef883715b6e5ae07d72ae3bead3ad92346528374afc
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Referer
https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,500,500i,700,700i
Origin
https://www.zscaler.com

Response headers

date
Sun, 17 May 2020 05:16:06 GMT
x-content-type-options
nosniff
last-modified
Wed, 24 Jul 2019 01:18:52 GMT
server
sffe
age
1000837
status
200
content-type
font/woff2
access-control-allow-origin
*
cache-control
public, max-age=31536000
accept-ranges
bytes
timing-allow-origin
*
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
11180
x-xss-protection
0
expires
Mon, 17 May 2021 05:16:06 GMT
KFOlCnqEu92Fr1MmEU9fBBc4AMP6lQ.woff2
fonts.gstatic.com/s/roboto/v20/
11 KB
11 KB
Font
General
Full URL
https://fonts.gstatic.com/s/roboto/v20/KFOlCnqEu92Fr1MmEU9fBBc4AMP6lQ.woff2
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:820::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
sffe /
Resource Hash
ce897833ac6e362df7c91ac8223fe511c6defcf33964928a81004600a2dd4c2e
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Referer
https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,500,500i,700,700i
Origin
https://www.zscaler.com

Response headers

date
Sun, 17 May 2020 05:19:35 GMT
x-content-type-options
nosniff
last-modified
Wed, 24 Jul 2019 01:18:48 GMT
server
sffe
age
1000628
status
200
content-type
font/woff2
access-control-allow-origin
*
cache-control
public, max-age=31536000
accept-ranges
bytes
timing-allow-origin
*
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
11056
x-xss-protection
0
expires
Mon, 17 May 2021 05:19:35 GMT
KFOkCnqEu92Fr1Mu51xIIzIXKMny.woff2
fonts.gstatic.com/s/roboto/v20/
12 KB
12 KB
Font
General
Full URL
https://fonts.gstatic.com/s/roboto/v20/KFOkCnqEu92Fr1Mu51xIIzIXKMny.woff2
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:820::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
sffe /
Resource Hash
3be0a916496d7936bb83ce60a4de9f10ef400f16c38e7dd7c65449c795e7739b
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Referer
https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,500,500i,700,700i
Origin
https://www.zscaler.com

Response headers

date
Sun, 17 May 2020 05:28:47 GMT
x-content-type-options
nosniff
last-modified
Wed, 24 Jul 2019 01:19:00 GMT
server
sffe
age
1000076
status
200
content-type
font/woff2
access-control-allow-origin
*
cache-control
public, max-age=31536000
accept-ranges
bytes
timing-allow-origin
*
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
12680
x-xss-protection
0
expires
Mon, 17 May 2021 05:28:47 GMT
fa-solid-900.woff2
www.zscaler.com/themes/custom/zscaler/vendor/font-awesome/webfonts/
115 KB
115 KB
Font
General
Full URL
https://www.zscaler.com/themes/custom/zscaler/vendor/font-awesome/webfonts/fa-solid-900.woff2
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2606:4700::6813:d63e , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software
cloudflare /
Resource Hash
5538a328926c9517ffb8670fccce94f6137d58c21ff4b10ecd772abfa16a012b
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; preload
X-Content-Type-Options nosniff

Request headers

User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Referer
https://www.zscaler.com/sites/default/files/css/css_zO1_93cGxIYyEO1P1C5EyfYUrSlZX6GteTp_t92Egzs.css
Origin
https://www.zscaler.com

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff
cf-cache-status
HIT
age
1173075
x-cache
HIT
status
200
x-cache-hits
52
x-ah-environment
prod
vary
Host, Accept-Encoding
content-length
117536
cf-request-id
02fe50325e0000635910aec200000001
x-request-id
v-63f71828-331d-11ea-9cbc-63c54b27e6b0
last-modified
Fri, 20 Sep 2019 09:57:57 GMT
server
cloudflare
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
access-control-allow-origin
*
expires
Thu, 18 Jun 2020 19:16:43 GMT
cache-control
public, max-age=1814400
accept-ranges
bytes
cf-ray
59aa4fca38296359-FRA
cf-bgj
h2pri
KFOmCnqEu92Fr1Mu4mxP.ttf
fonts.gstatic.com/s/roboto/v20/
35 KB
20 KB
Font
General
Full URL
https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxP.ttf
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:820::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
sffe /
Resource Hash
0b1d7f87f3ca4c8b4bd749b02b6ad71c930b7e306c752a2e2293d7b250b02e27
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Referer
https://www.zscaler.com/sites/default/files/css/css_zO1_93cGxIYyEO1P1C5EyfYUrSlZX6GteTp_t92Egzs.css
Origin
https://www.zscaler.com

Response headers

date
Mon, 18 May 2020 23:12:16 GMT
content-encoding
gzip
x-content-type-options
nosniff
age
849867
status
200
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
20742
x-xss-protection
0
last-modified
Wed, 24 Jul 2019 01:18:36 GMT
server
sffe
vary
Accept-Encoding
content-type
font/ttf
access-control-allow-origin
*
cache-control
public, max-age=31536000
accept-ranges
bytes
timing-allow-origin
*
expires
Tue, 18 May 2021 23:12:16 GMT
sf14g.js
t.sf14g.com/
37 KB
37 KB
Script
General
Full URL
https://t.sf14g.com/sf14g.js
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
52.206.150.214 Ashburn, United States, ASN14618 (AMAZON-AES, US),
Reverse DNS
ec2-52-206-150-214.compute-1.amazonaws.com
Software
Kestrel /
Resource Hash
86ecafc33ecb5976760d6b5f13a2874525e3f4bfa8b12a0e14d6c98ae9e727cd
Security Headers
Name Value
Strict-Transport-Security max-age=2592000

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:43 GMT
last-modified
Tue, 16 Oct 2018 18:33:02 GMT
server
Kestrel
etag
"1d4657eab9c909b"
strict-transport-security
max-age=2592000
content-type
application/javascript
status
200
cache-control
no-cache, no-store
accept-ranges
bytes
content-length
37787
expires
-1
munchkin.js
munchkin.marketo.net/
1 KB
1 KB
Script
General
Full URL
https://munchkin.marketo.net/munchkin.js
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
184.30.221.218 , Netherlands, ASN20940 (AKAMAI-ASN1, EU),
Reverse DNS
a184-30-221-218.deploy.static.akamaitechnologies.com
Software
Apache /
Resource Hash
c7d7214a0b940c1ffcbd64689a576c5847b42e886da3ad9ea45bc4cda214bac8

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Thu, 28 May 2020 19:16:43 GMT
Content-Encoding
gzip
Last-Modified
Fri, 03 Apr 2020 02:45:45 GMT
Server
Apache
ETag
"aa520b8aca3502dbdbf62462e6f4be67:1585881945"
Vary
Accept-Encoding
P3P
policyref="http://www.marketo.com/w3c/p3p.xml", CP="NOI DSP COR NID CURi OUR NOR"
Connection
keep-alive
Accept-Ranges
bytes
Content-Type
application/x-javascript
Content-Length
751
75590e24-f605-4d9c-b92c-ca09a93d469f.js
cdn.cookielaw.org/consent/
107 KB
18 KB
Script
General
Full URL
https://cdn.cookielaw.org/consent/75590e24-f605-4d9c-b92c-ca09a93d469f.js
Requested by
Host: cdn.cookielaw.org
URL: https://cdn.cookielaw.org/langswitch/92ede4fc-c076-4245-8c3f-85e672763690.js
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
2606:2800:233:1cb7:261b:1f9c:2074:3c , United States, ASN15133 (EDGECAST, US),
Reverse DNS
Software
ECAcc (frc/8FED) /
Resource Hash
ac68bb7dc5704e99d44c73c67f609a3c8fb6105fae418687b80ec13d9b370114

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

x-ms-blob-type
BlockBlob
date
Thu, 28 May 2020 19:16:43 GMT
content-encoding
gzip
content-md5
u1OHPxwcyLXNxp1DCtacfg==
age
10378
x-cache
HIT
status
200
content-length
17894
x-ms-lease-status
unlocked
last-modified
Mon, 22 Apr 2019 21:38:35 GMT
server
ECAcc (frc/8FED)
etag
0x8D6C76ADF89B5D5
vary
Accept-Encoding
content-type
application/x-javascript
access-control-allow-origin
*
x-ms-request-id
9ed7e7a8-901e-0175-050c-351908000000
access-control-expose-headers
x-ms-request-id,Server,x-ms-version,Content-Length,Date,Transfer-Encoding
cache-control
public, max-age=14400
x-ms-version
2009-09-19
accept-ranges
bytes
expires
Thu, 28 May 2020 23:16:43 GMT
iframe_api
www.youtube.com/
859 B
1 KB
Script
General
Full URL
https://www.youtube.com/iframe_api
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:815::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
YouTube Frontend Proxy /
Resource Hash
555ec86bd79030b1ef64f3a76cbe3f267cd562c3dc33ba0ee1f6dc3d43b0af2e
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
x-content-type-options
nosniff
server
YouTube Frontend Proxy
content-type
application/javascript
status
200
cache-control
no-cache
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
859
x-xss-protection
0
expires
Tue, 27 Apr 1971 19:44:06 GMT
bizible.js
cdn.bizible.com/scripts/
87 KB
33 KB
Script
General
Full URL
https://cdn.bizible.com/scripts/bizible.js
Requested by
Host: www.googletagmanager.com
URL: https://www.googletagmanager.com/gtm.js?id=GTM-5SLZFK
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
68.232.35.12 , United States, ASN15133 (EDGECAST, US),
Reverse DNS
Software
ECS (fcn/40B4) / ASP.NET
Resource Hash
4e565f1d8d81e94cdd1ee567c3d757932dc7062e1fe64580ed81addaf51681bf

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
content-encoding
gzip
etag
"77026968730d61:0"
last-modified
Fri, 22 May 2020 22:23:15 GMT
server
ECS (fcn/40B4)
age
506706
x-powered-by
ASP.NET
vary
Accept-Encoding
x-cache
HIT
content-type
application/x-javascript
status
200
accept-ranges
bytes
content-length
34012
6si.min.js
j.6sc.co/
14 KB
7 KB
Script
General
Full URL
https://j.6sc.co/6si.min.js
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
23.10.73.123 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS
a23-10-73-123.deploy.static.akamaitechnologies.com
Software
nginx/1.14.0 (Ubuntu) /
Resource Hash
5535d2c567dac9fb9a8eb888a5415164e87c4aa6f08f70a6cc6ab1c0cd3bac12

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Thu, 28 May 2020 19:16:43 GMT
Content-Encoding
gzip
Last-Modified
Sun, 12 Apr 2020 02:02:20 GMT
Server
nginx/1.14.0 (Ubuntu)
ETag
"5e9276ac-3997"
Vary
Accept-Encoding
Access-Control-Allow-Methods
GET,POST
Content-Type
application/javascript
Access-Control-Allow-Origin
Access-Control-Max-Age
86400
Access-Control-Allow-Credentials
true
Connection
keep-alive
Accept-Ranges
bytes
Access-Control-Allow-Headers
*
Content-Length
6031
tracking.js
trk.techtarget.com/
4 KB
2 KB
Script
General
Full URL
https://trk.techtarget.com/tracking.js
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
163.171.132.119 , Germany, ASN54994 (QUANTILNETWORKS, US),
Reverse DNS
Software
PWS/8.3.1.0.8 /
Resource Hash
8b51552f523ecd57ca4f82df5ab10610349f91cacb7c0f72d0290bed3cc37e4e

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Thu, 28 May 2020 19:16:43 GMT
Content-Encoding
gzip
Last-Modified
Fri, 21 Jun 2019 20:11:17 GMT
Server
PWS/8.3.1.0.8
Age
266
X-Ws-Request-Id
5ed00e1b_PSdgflkfFRA2po7_47662-15292
Content-Type
text/javascript
Via
1.1 VMmgasbIAD1am50:2 (W), 1.1 PSdgflkfFRA1hb199:0 (W), 1.1 PSdgflkfFRA2gb73:3 (W)
Cache-Control
max-age=600
X-Px
ht PSdgflkfFRA2gb73FRA
Connection
keep-alive
Accept-Ranges
bytes
Content-Length
1711
Expires
Thu, 28 May 2020 19:22:17 GMT
/
www.google.com/pagead/1p-user-list/812494211/
42 B
140 B
Image
General
Full URL
https://www.google.com/pagead/1p-user-list/812494211/?random=1590693403096&cv=9&fst=1590692400000&num=1&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg5k1&sendb=1&frm=0&url=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&tiba=New%20Ursnif%20Campaign%3A%20From%20PowerShell%20to%20Mshta%20%7C%20blog&async=1&fmt=3&is_vtc=1&random=3440302195&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:806::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:43 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.de/pagead/1p-user-list/812494211/
42 B
153 B
Image
General
Full URL
https://www.google.de/pagead/1p-user-list/812494211/?random=1590693403096&cv=9&fst=1590692400000&num=1&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg5k1&sendb=1&frm=0&url=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&tiba=New%20Ursnif%20Campaign%3A%20From%20PowerShell%20to%20Mshta%20%7C%20blog&async=1&fmt=3&is_vtc=1&random=3440302195&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81f::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:43 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.com/pagead/1p-user-list/973777747/
42 B
107 B
Image
General
Full URL
https://www.google.com/pagead/1p-user-list/973777747/?random=1590693403093&cv=9&fst=1590692400000&num=1&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg5k1&sendb=1&frm=0&url=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&tiba=New%20Ursnif%20Campaign%3A%20From%20PowerShell%20to%20Mshta%20%7C%20blog&async=1&fmt=3&is_vtc=1&random=3106782258&resp=GooglemKTybQhCsO&rmt_tld=0&ipr=y
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:806::2004 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:43 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
/
www.google.de/pagead/1p-user-list/973777747/
42 B
107 B
Image
General
Full URL
https://www.google.de/pagead/1p-user-list/973777747/?random=1590693403093&cv=9&fst=1590692400000&num=1&guid=ON&u_h=1200&u_w=1600&u_ah=1200&u_aw=1600&u_cd=24&u_his=2&u_tz=120&u_java=false&u_nplug=0&u_nmime=0&gtm=2wg5k1&sendb=1&frm=0&url=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&tiba=New%20Ursnif%20Campaign%3A%20From%20PowerShell%20to%20Mshta%20%7C%20blog&async=1&fmt=3&is_vtc=1&random=3106782258&resp=GooglemKTybQhCsO&rmt_tld=1&ipr=y
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:81f::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
cafe /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629
Security Headers
Name Value
Content-Security-Policy script-src 'none'; object-src 'none'
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:43 GMT
x-content-type-options
nosniff
server
cafe
timing-allow-origin
*
p3p
policyref="https://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA IVD OTP OUR OTR IND OTC"
status
200
cache-control
no-cache, no-store, must-revalidate
content-security-policy
script-src 'none'; object-src 'none'
content-type
image/gif
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
42
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
icon-enlarge-btn.svg
www.zscaler.com/themes/custom/zscaler/images/resources/ransomware/
3 KB
1 KB
Image
General
Full URL
https://www.zscaler.com/themes/custom/zscaler/images/resources/ransomware/icon-enlarge-btn.svg
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2606:4700::6813:d63e , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software
cloudflare /
Resource Hash
07ccf8d6d38b3753c3420a0d4a9311372de4ad8301dffe9cca751a67f884d923
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; preload
X-Content-Type-Options nosniff

Request headers

Referer
https://www.zscaler.com/sites/default/files/css/css_zO1_93cGxIYyEO1P1C5EyfYUrSlZX6GteTp_t92Egzs.css
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
via
varnish
x-content-type-options
nosniff
cf-cache-status
HIT
age
43024
x-cache
HIT
status
200
x-cache-hits
8
x-ah-environment
prod
content-encoding
br
vary
Host, Accept-Encoding
cf-request-id
02fe5033c20000635910b0e200000001
x-request-id
v-81b28932-a083-11ea-9d1e-0fe7e73e263f
last-modified
Fri, 20 Sep 2019 09:57:46 GMT
server
cloudflare
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/svg+xml
cache-control
public, max-age=1814400
cf-ray
59aa4fcc69df6359-FRA
expires
Thu, 18 Jun 2020 19:16:43 GMT
munchkin.js
munchkin.marketo.net/158/
11 KB
5 KB
Script
General
Full URL
https://munchkin.marketo.net/158/munchkin.js
Requested by
Host: munchkin.marketo.net
URL: https://munchkin.marketo.net/munchkin.js
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
184.30.221.218 , Netherlands, ASN20940 (AKAMAI-ASN1, EU),
Reverse DNS
a184-30-221-218.deploy.static.akamaitechnologies.com
Software
AkamaiNetStorage /
Resource Hash
5f967fd41346c0fc1b9b44fa69c52bf1e754420c59c8017cefb0a14a764cafa4

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Thu, 28 May 2020 19:16:43 GMT
Content-Encoding
gzip
Last-Modified
Tue, 28 Jan 2020 03:01:21 GMT
Server
AkamaiNetStorage
ETag
"67df7eb9e9e68638308f14367dddec10:1580180481"
Vary
Accept-Encoding
P3P
policyref="http://www.marketo.com/w3c/p3p.xml", CP="NOI DSP COR NID CURi OUR NOR"
Cache-Control
max-age=8640000
Connection
keep-alive
Accept-Ranges
bytes
Content-Type
application/x-javascript
Content-Length
4686
Expires
Sat, 05 Sep 2020 19:16:43 GMT
optanon.css
cdn.cookielaw.org/skins/4.7.0/default_responsive_alert_bottom_two_button_white/v2/css/
20 KB
4 KB
Stylesheet
General
Full URL
https://cdn.cookielaw.org/skins/4.7.0/default_responsive_alert_bottom_two_button_white/v2/css/optanon.css
Requested by
Host: cdn.cookielaw.org
URL: https://cdn.cookielaw.org/consent/75590e24-f605-4d9c-b92c-ca09a93d469f.js
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
2606:2800:233:1cb7:261b:1f9c:2074:3c , United States, ASN15133 (EDGECAST, US),
Reverse DNS
Software
ECAcc (frc/8FDA) /
Resource Hash
bc14b8a5bdb868d718c59e30703d928b218050d4c2a891d8d85ece159e523b23

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

x-ms-blob-type
BlockBlob
date
Thu, 28 May 2020 19:16:43 GMT
content-encoding
gzip
content-md5
NYS8lY5d5dnS26QwLdV6bA==
age
10376
x-cache
HIT
status
200
content-length
3587
x-ms-lease-status
unlocked
last-modified
Thu, 19 Sep 2019 20:24:15 GMT
server
ECAcc (frc/8FDA)
etag
0x8D73D3F576177AF
vary
Accept-Encoding
content-type
text/css
access-control-allow-origin
*
x-ms-request-id
7d61d586-901e-00b6-5d0c-35d61e000000
access-control-expose-headers
x-ms-request-id,Server,x-ms-version,Content-Length,Date,Transfer-Encoding
cache-control
max-age=14400
x-ms-version
2009-09-19
accept-ranges
bytes
expires
Thu, 28 May 2020 23:16:43 GMT
EU
geolocation.onetrust.com/cookieconsentpub/v1/geo/countries/
32 B
405 B
Script
General
Full URL
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/countries/EU?callback=jQuery34109639224570042708_1590693403334&_=1590693403335
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/sites/default/files/js/js_o43iLYjFaCbMP-fYtzOeS9trqU2USVukbKv0kuGUAXQ.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2606:4700:10::6814:b844 , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software
cloudflare /
Resource Hash
b0817a0d6a87f2d42532035e42b20ea55cfaa5ca1092c761f5fc5e734790bdbf
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubDomains; preload

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
server
cloudflare
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
vary
Accept-Encoding
content-type
text/javascript
status
200
strict-transport-security
max-age=31536000; includeSubDomains; preload
cf-ray
59aa4fcced66d6b1-FRA
content-length
32
cf-request-id
02fe5034120000d6b1ff9f4200000001
www-widgetapi.js
s.ytimg.com/yts/jsbin/www-widgetapi-vflh3Z-Yc/
66 KB
25 KB
Script
General
Full URL
https://s.ytimg.com/yts/jsbin/www-widgetapi-vflh3Z-Yc/www-widgetapi.js
Requested by
Host: www.youtube.com
URL: https://www.youtube.com/iframe_api
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a00:1450:4001:802::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),
Reverse DNS
Software
sffe /
Resource Hash
28c2e11a29f3bc9655bfacdf156f78bc54e0cba933aa84a87ee6cde9755d5cac
Security Headers
Name Value
X-Content-Type-Options nosniff
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Tue, 26 May 2020 21:46:04 GMT
content-encoding
gzip
x-content-type-options
nosniff
age
163839
status
200
alt-svc
h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length
24649
x-xss-protection
0
last-modified
Tue, 26 May 2020 21:02:14 GMT
server
sffe
vary
Accept-Encoding, Origin
content-type
text/javascript
cache-control
public, max-age=691200
accept-ranges
bytes
timing-allow-origin
https://www.youtube.com
expires
Wed, 03 Jun 2020 21:46:04 GMT
XYPZFM5QENHXRH7RBBI5PW.js
s.adroll.com/pixel/ULSJHTPGTZGY3EPPZSKHKS/22OEOVE2YNFA3EKSRERISY/
Redirect Chain
  • https://d.adroll.com/pixel/ULSJHTPGTZGY3EPPZSKHKS/22OEOVE2YNFA3EKSRERISY?adroll_fpc=9dc8eedcda4395399176c255a997da6d-1590693403635&arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursn...
  • https://s.adroll.com/pixel/ULSJHTPGTZGY3EPPZSKHKS/22OEOVE2YNFA3EKSRERISY/XYPZFM5QENHXRH7RBBI5PW.js
6 KB
3 KB
Script
General
Full URL
https://s.adroll.com/pixel/ULSJHTPGTZGY3EPPZSKHKS/22OEOVE2YNFA3EKSRERISY/XYPZFM5QENHXRH7RBBI5PW.js
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
23.210.248.216 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS
a23-210-248-216.deploy.static.akamaitechnologies.com
Software
AmazonS3 /
Resource Hash
9ddc524de287d27c0523c2b229f166e6c6f0e5d67f1ef37b71521ddb0de1fa52

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

x-amz-version-id
Oa3i3f9jcf6iJvs8kwN9wpxTNfdovStJ
Content-Encoding
gzip
ETag
"c5cf93843e809f98649a85e359cceb72"
x-amz-request-id
4D22A00C678CA18B
x-amz-server-side-encryption
AES256
Connection
keep-alive
Vary
Accept-Encoding
Content-Length
1991
x-amz-id-2
3/Bi/hJJjz3AKWbMouMcECttCADU6ZPF1gbxX5KxHMwEUxYgd1krALOceEDrLpE21jRAYWlmOew=
Last-Modified
Tue, 04 Feb 2020 02:12:02 GMT
Server
AmazonS3
Date
Thu, 28 May 2020 19:16:43 GMT
Access-Control-Max-Age
600
Access-Control-Allow-Methods
GET
Content-Type
text/javascript; charset=utf-8
Access-Control-Allow-Origin
*
Cache-Control
max-age=3600, must-revalidate
Access-Control-Allow-Credentials
false
Accept-Ranges
bytes
Access-Control-Allow-Headers
*

Redirect headers

date
Thu, 28 May 2020 19:16:43 GMT
x-segment-display-name
Visitors to Unsegmented Pages
p3p
CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
status
302
content-length
0
pragma
no-cache
x-conversion-value
0.00
server
nginx/1.16.1
x-rule
*
x-segment-eid
XYPZFM5QENHXRH7RBBI5PW
location
https://s.adroll.com/pixel/ULSJHTPGTZGY3EPPZSKHKS/22OEOVE2YNFA3EKSRERISY/XYPZFM5QENHXRH7RBBI5PW.js
cache-control
no-store, no-cache, must-revalidate
x-pixel-eid
22OEOVE2YNFA3EKSRERISY
x-segment-name
*
x-advertisable-eid
ULSJHTPGTZGY3EPPZSKHKS
x-conversion-currency
activity.gif
apt.techtarget.com/activity/
43 B
450 B
Image
General
Full URL
https://apt.techtarget.com/activity/activity.gif?activityTypeId=31&cid=2334982&version=2.0&ref=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&r=1590693403641
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
206.19.49.24 , United States, ASN7018 (ATT-INTERNET4, US),
Reverse DNS
Software
/
Resource Hash
2dfe28cbdb83f01c940de6a88ab86200154fd772d568035ac568664e52068363

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Thu, 28 May 2020 19:16:43 GMT
Last-Modified
Tue, 26 Mar 2019 18:30:29 GMT
ETag
"2b-5850384023492"
Content-Type
image/gif
Connection
Keep-Alive
Accept-Ranges
bytes
Keep-Alive
timeout=5, max=71
Content-Length
43
/
c.6sc.co/
47 B
371 B
XHR
General
Full URL
https://c.6sc.co/
Requested by
Host: j.6sc.co
URL: https://j.6sc.co/6si.min.js
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
23.10.73.123 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS
a23-10-73-123.deploy.static.akamaitechnologies.com
Software
/
Resource Hash
b7ac0816eb11db0a3e16b0cb1fe630221afb75aced9d68f5597ccdf038427e86

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Thu, 28 May 2020 19:16:43 GMT
Access-Control-Max-Age
86400
Access-Control-Allow-Methods
GET,POST
Content-Type
text/plain
Access-Control-Allow-Origin
https://www.zscaler.com
Access-Control-Allow-Credentials
true
Connection
keep-alive
Access-Control-Allow-Headers
*
Content-Length
47
img.gif
b.6sc.co/v1/beacon/
43 B
774 B
Image
General
Full URL
https://b.6sc.co/v1/beacon/img.gif?token=ab9750bca4342498694e239e304dd3a9&svisitor=&visitor=b9af02da-a6f5-4b4c-89f8-c01b83f4ca26&session=9c0622fe-1e3d-42b4-8584-82bf47362169&event=a_pageload&q=%7B%7D&isIframe=false&m=%7B%22description%22%3A%22Analysis%20of%20a%20campaign%20with%20a%20new%20multistage%20payload%20distribution%20technique%20for%20the%20well-known%20banking%20Trojan%20named%20Ursnif%20(aka%20Gozi%20aka%20Dreambot).%22%2C%22keywords%22%3A%22ThreatLabZ%2C%20Ursnif%2C%20PowerShell%2C%20Mshta%22%2C%22title%22%3A%22New%20Ursnif%20Campaign%3A%20From%20PowerShell%20to%20Mshta%20%7C%20blog%22%7D&cb=93403645&r=&thirdParty=%7B%7D
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
23.10.73.123 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS
a23-10-73-123.deploy.static.akamaitechnologies.com
Software
nginx/1.14.0 (Ubuntu) /
Resource Hash
dcecab1355b5c2b9ecef281322bf265ac5840b4688748586e9632b473a5fe56b
Security Headers
Name Value
X-Content-Type-Options nosniff

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Thu, 28 May 2020 19:16:43 GMT
X-Content-Type-Options
nosniff
Connection
keep-alive
Content-Length
43
Pragma
no-cache
Last-Modified
Fri, 21 Feb 2020 18:51:25 GMT
Server
nginx/1.14.0 (Ubuntu)
ETag
"5e5026ad-2b"
Access-Control-Max-Age
86400
Access-Control-Allow-Methods
GET,POST
Content-Type
image/gif
Access-Control-Allow-Origin
Cache-Control
private, no-cache, no-cache=Set-Cookie, proxy-revalidate
Access-Control-Allow-Credentials
true
Accept-Ranges
bytes
Access-Control-Allow-Headers
*
Expires
Wed, 19 Apr 2000 11:43:00 GMT
ipv
cdn.bizible.com/m/
43 B
347 B
Image
General
Full URL
https://cdn.bizible.com/m/ipv?_biz_r=&_biz_h=-1906410348&_biz_u=6f89e03c4b96402f898de700345972a8&_biz_s=534a8d&_biz_l=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&_biz_t=1590693403663&_biz_i=New%20Ursnif%20Campaign%3A%20From%20PowerShell%20to%20Mshta%20%7C%20blog&_biz_n=0&rnd=800616&cdn_o=a&_biz_z=1590693403664
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
68.232.35.12 , United States, ASN15133 (EDGECAST, US),
Reverse DNS
Software
ECS (fcn/41A2) / ASP.NET
Resource Hash
afe0dcfca292a0fae8bce08a48c14d3e59c9d82c6052ab6d48a22ecc6c48f277

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
x-aspnet-version
4.0.30319
age
373474
x-powered-by
ASP.NET
x-cache
HIT
p3p
CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
status
200
content-length
43
pragma
no-cache
x-aspnetmvc-version
5.2
last-modified
Sun, 24 May 2020 11:32:09 GMT
server
ECS (fcn/41A2)
content-type
Image/GIF
cache-control
no-cache, no-store
accept-ranges
bytes
expires
-1
visitWebPage
306-zej-256.mktoresp.com/webevents/
2 B
304 B
XHR
General
Full URL
https://306-zej-256.mktoresp.com/webevents/visitWebPage?_mchNc=1590693403694&_mchCn=&_mchId=306-ZEJ-256&_mchTk=_mch-zscaler.com-1590693403693-43567&_mchHo=www.zscaler.com&_mchPo=&_mchRu=%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&_mchPc=https%3A&_mchVr=158&_mchEcid=&_mchHa=&_mchRe=&_mchQp=
Requested by
Host: munchkin.marketo.net
URL: https://munchkin.marketo.net/158/munchkin.js
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
192.28.144.124 , United States, ASN15224 (OMNITURE, US),
Reverse DNS
Software
akka-http/10.1.11 /
Resource Hash
565339bc4d33d72817b583024112eb7f5cdf3e5eef0252d6ec1b9c9a94e12bb3

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Access-Control-Allow-Origin
*
Date
Thu, 28 May 2020 19:16:44 GMT
Content-Encoding
gzip
Server
akka-http/10.1.11
Transfer-Encoding
chunked
X-Request-Id
76a17689-a979-4ca2-a20d-17ce1b8217d7
Content-Type
text/plain; charset=UTF-8
BizibleAcct.js
cdn.bizible.com/
378 B
545 B
Script
General
Full URL
https://cdn.bizible.com/BizibleAcct.js?_biz_u=6f89e03c4b96402f898de700345972a8&_biz_h=-1906410348&cdn_o=a&jsVer=4.20.05.18
Requested by
Host: cdn.bizible.com
URL: https://cdn.bizible.com/scripts/bizible.js
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
68.232.35.12 , United States, ASN15133 (EDGECAST, US),
Reverse DNS
Software
Microsoft-IIS/10.0 / ASP.NET
Resource Hash
9e8fe8318c4b1fb53685d8e5c424b87cb00d84cb10591cf073118428c8ea4ba5

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:42 GMT
content-encoding
gzip
etag
18888C1A
x-aspnetmvc-version
5.2
server
Microsoft-IIS/10.0
x-aspnet-version
4.0.30319
x-powered-by
ASP.NET
vary
Accept-Encoding
p3p
CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
status
200
cache-control
private, must-revalidate, max-age=21600
content-type
text/javascript; charset=utf-8
content-length
325
fbevents.js
connect.facebook.net/en_US/
131 KB
32 KB
Script
General
Full URL
https://connect.facebook.net/en_US/fbevents.js
Requested by
Host: s.adroll.com
URL: https://s.adroll.com/pixel/ULSJHTPGTZGY3EPPZSKHKS/22OEOVE2YNFA3EKSRERISY/XYPZFM5QENHXRH7RBBI5PW.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK, US),
Reverse DNS
Software
/
Resource Hash
4cb61e44bf63a9e090e666898cd04d382e4c33b55b62cc5e9ff7dab055fbf787
Security Headers
Name Value
Content-Security-Policy default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
Strict-Transport-Security max-age=31536000; preload; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security
max-age=31536000; preload; includeSubDomains
content-encoding
gzip
x-content-type-options
nosniff
status
200
alt-svc
h3-27=":443"; ma=3600
content-length
31766
x-xss-protection
0
pragma
public
x-fb-debug
MHWMcu10btoovI0jf9f1HA7WXuzQ9ZM/5UHaYj9WyLkjRjYIkw/eEP+SDNwC3flYnE7Ce1zofksnA7HcrpMzyw==
x-fb-trip-id
664085054
x-frame-options
DENY
date
Thu, 28 May 2020 19:16:43 GMT, Thu, 28 May 2020 19:16:43 GMT
vary
Accept-Encoding
content-type
application/x-javascript; charset=utf-8
cache-control
public, max-age=1200
content-security-policy
default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self';
expires
Sat, 01 Jan 2000 00:00:00 GMT
sendrolling.js
s.adroll.com/j/
9 KB
3 KB
Script
General
Full URL
https://s.adroll.com/j/sendrolling.js
Requested by
Host: s.adroll.com
URL: https://s.adroll.com/pixel/ULSJHTPGTZGY3EPPZSKHKS/22OEOVE2YNFA3EKSRERISY/XYPZFM5QENHXRH7RBBI5PW.js
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
23.210.248.216 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS
a23-210-248-216.deploy.static.akamaitechnologies.com
Software
AmazonS3 /
Resource Hash
1bdbcee5cd776cb671f72362db4be8dde833057b8e8f816c86fd301896652c8d

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

x-amz-version-id
NM.EHVfGEDu2TYFqb1osrv1zRII373EC
Content-Encoding
gzip
ETag
"15441b08d0c4f93b1dd5f533cd361cd8"
x-amz-request-id
E2F067B4E9F95C64
x-amz-server-side-encryption
AES256
Connection
keep-alive
Vary
Accept-Encoding
Content-Length
2039
x-amz-id-2
zahNXUrZcHvPMHZ5OZzeA/pmU+ThIaY+/c27IjCJ/f8DH693VdK16PYXiwNkUgRleJPaNozozcA=
Last-Modified
Mon, 03 Feb 2020 20:32:06 GMT
Server
AmazonS3
Date
Thu, 28 May 2020 19:16:43 GMT
Access-Control-Max-Age
600
Access-Control-Allow-Methods
GET
Content-Type
text/javascript
Access-Control-Allow-Origin
*
Cache-Control
max-age=3600
Access-Control-Allow-Credentials
false
Accept-Ranges
bytes
Access-Control-Allow-Headers
*
sync
ups.analytics.yahoo.com/ups/55980/
Redirect Chain
  • https://d.adroll.com/cm/aol/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS
  • https://pixel.advertising.com/ups/55980/sync?uid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&_origin=1&gdpr=1&gdpr_consent=BOOla_OOOla_OA2ABBENAkwAAAAXyACAAyAIIA
  • https://pixel.advertising.com/ups/55980/sync?uid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&_origin=1&gdpr=1&gdpr_consent=BOOla_OOOla_OA2ABBENAkwAAAAXyACAAyAIIA&verify=true
  • https://ups.analytics.yahoo.com/ups/55980/sync?uid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&_origin=1&gdpr=1&gdpr_consent=BOOla_OOOla_OA2ABBENAkwAAAAXyACAAyAIIA&apid=UPc4544c9f-a117-11ea-bf26-02...
0
977 B
Image
General
Full URL
https://ups.analytics.yahoo.com/ups/55980/sync?uid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&_origin=1&gdpr=1&gdpr_consent=BOOla_OOOla_OA2ABBENAkwAAAAXyACAAyAIIA&apid=UPc4544c9f-a117-11ea-bf26-02800ef2d3d0
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
HTTP/1.1
Security
TLS 1.3, , AES_256_GCM
Server
3.126.56.137 Frankfurt am Main, Germany, ASN16509 (AMAZON-02, US),
Reverse DNS
ec2-3-126-56-137.eu-central-1.compute.amazonaws.com
Software
ATS/7.1.2.113 /
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Security Headers
Name Value
Strict-Transport-Security max-age=31536000

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Date
Thu, 28 May 2020 19:16:44 GMT
Server
ATS/7.1.2.113
Connection
keep-alive
Age
0
Strict-Transport-Security
max-age=31536000
P3P
CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV

Redirect headers

status
302
date
Thu, 28 May 2020 19:16:43 GMT
location
https://ups.analytics.yahoo.com/ups/55980/sync?uid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&_origin=1&gdpr=1&gdpr_consent=BOOla_OOOla_OA2ABBENAkwAAAAXyACAAyAIIA&apid=UPc4544c9f-a117-11ea-bf26-02800ef2d3d0
content-length
0
strict-transport-security
max-age=31536000
p3p
CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
rum
dsum-sec.casalemedia.com/
Redirect Chain
  • https://d.adroll.com/cm/index/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS
  • https://dsum-sec.casalemedia.com/rum?cm_dsp_id=105&external_user_id=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&expiration=1622229403
  • https://dsum-sec.casalemedia.com/rum?cm_dsp_id=105&external_user_id=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&expiration=1622229403&C=1
43 B
1002 B
Image
General
Full URL
https://dsum-sec.casalemedia.com/rum?cm_dsp_id=105&external_user_id=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&expiration=1622229403&C=1
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
23.210.249.164 , Netherlands, ASN16625 (AKAMAI-AS, US),
Reverse DNS
a23-210-249-164.deploy.static.akamaitechnologies.com
Software
Apache /
Resource Hash
b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Pragma
no-cache
Date
Thu, 28 May 2020 19:16:44 GMT
Server
Apache
P3P
policyref="/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Cache-Control
max-age=0, no-cache, no-store
Connection
keep-alive
Content-Type
image/gif
Content-Length
43
Expires
Thu, 28 May 2020 19:16:44 GMT

Redirect headers

Pragma
no-cache
Date
Thu, 28 May 2020 19:16:43 GMT
Server
Apache
P3P
policyref="/w3c/p3p.xml", CP="NOI DSP COR DEVa TAIa OUR BUS UNI"
Location
https://dsum-sec.casalemedia.com/rum?cm_dsp_id=105&external_user_id=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&expiration=1622229403&C=1
Cache-Control
max-age=0, no-cache, no-store
Connection
keep-alive
Content-Type
text/html; charset=iso-8859-1
Content-Length
333
Expires
Thu, 28 May 2020 19:16:43 GMT
tap.php
pixel.rubiconproject.com/
Redirect Chain
  • https://d.adroll.com/cm/n/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS
  • https://pixel.rubiconproject.com/tap.php?v=194538&nid=3644&put=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&expires=365
0
239 B
Image
General
Full URL
https://pixel.rubiconproject.com/tap.php?v=194538&nid=3644&put=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&expires=365
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
HTTP/1.1
Security
TLS 1.2, RSA, AES_128_GCM
Server
69.173.144.138 Frankfurt am Main, Germany, ASN26667 (RUBICONPROJECT, US),
Reverse DNS
Software
/
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Pragma
no-cache
Expires
0
Cache-Control
no-cache,no-store,must-revalidate
P3P
CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
X-RPHost
6f9fd0201ed801884e5299d5aabca094
Content-Type
image/gif

Redirect headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:43 GMT
server
nginx/1.16.1
status
302
p3p
CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
location
https://pixel.rubiconproject.com/tap.php?v=194538&nid=3644&put=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&expires=365
cache-control
no-store, no-cache, must-revalidate
content-length
124
cookie-sync
sync.outbrain.com/
Redirect Chain
  • https://d.adroll.com/cm/outbrain/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS
  • https://sync.outbrain.com/cookie-sync?p=adroll&uid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
  • https://sync.outbrain.com/cookie-sync?p=adroll&uid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&rdrctExp=true
0
452 B
Image
General
Full URL
https://sync.outbrain.com/cookie-sync?p=adroll&uid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&rdrctExp=true
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_256_GCM
Server
70.42.32.95 , United States, ASN22075 (AS-OUTBRAIN, US),
Reverse DNS
ny.outbrain.com
Software
/
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

X-TraceId
ed25ecd6a9b6d0f7b0b4aba7e30676fb
Date
Thu, 28 May 2020 19:16:44 GMT
Content-Length
0

Redirect headers

Location
https://sync.outbrain.com/cookie-sync?p=adroll&uid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&rdrctExp=true
Date
Thu, 28 May 2020 19:16:44 GMT
X-TraceId
3f0764fd52ee6e73286fa38ca8f8e93d
Content-Length
0
Pug
simage2.pubmatic.com/AdServer/
Redirect Chain
  • https://d.adroll.com/cm/pubmatic/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS
  • https://simage2.pubmatic.com/AdServer/Pug?vcode=bz0yJnR5cGU9MSZqcz0xJmNvZGU9MzMwNiZ0bD01MjU2MDA&piggybackCookie=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&gdpr=1&gdpr_consent=BOOoKswOOoKswA2ABBENA...
1 B
886 B
Image
General
Full URL
https://simage2.pubmatic.com/AdServer/Pug?vcode=bz0yJnR5cGU9MSZqcz0xJmNvZGU9MzMwNiZ0bD01MjU2MDA&piggybackCookie=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&gdpr=1&gdpr_consent=BOOoKswOOoKswA2ABBENAkwAAAAXyACACYAIIA
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
185.64.189.110 , United Kingdom, ASN62713 (AS-PUBMATIC, US),
Reverse DNS
Software
Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.1e-fips mod_fastcgi/2.4.6 /
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

X-Cnection
close
Pragma
no-cache
Date
Thu, 28 May 2020 19:16:43 GMT
X-lat
Pug22023:0:818
Server
Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.1e-fips mod_fastcgi/2.4.6
P3P
CP="NOI DSP COR LAW CUR ADMo DEVo TAIo PSAo PSDo IVAo IVDo HISo OTPo OUR SAMo BUS UNI COM NAV INT DEM CNT STA PRE LOC"
Cache-Control
no-store, no-cache, private
Content-Type
text/html; charset=utf-8
Content-Length
1

Redirect headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:43 GMT
server
nginx/1.16.1
status
302
p3p
CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
location
https://simage2.pubmatic.com/AdServer/Pug?vcode=bz0yJnR5cGU9MSZqcz0xJmNvZGU9MzMwNiZ0bD01MjU2MDA&piggybackCookie=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&gdpr=1&gdpr_consent=BOOoKswOOoKswA2ABBENAkwAAAAXyACACYAIIA
cache-control
no-store, no-cache, must-revalidate
content-length
220
in
d.adroll.com/cm/r/
Redirect Chain
  • https://d.adroll.com/cm/r/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS
  • https://ads.yahoo.com/cms/v1?esig=1~bf4e7dc4546a90c08591652d78a230d3f2ef5733&nwid=10001032567&sigv=1&gdpr=1&gdpr_consent=BOOla_OOOla_OA2ABBENAkwAAAAXyACAAyAIIA
  • https://d.adroll.com/cm/r/in?xid=E0&gdpr=1&gdpr_consent=BOOla_OOOla_OA2ABBENAkwAAAAXyACAAyAIIA
42 B
500 B
Image
General
Full URL
https://d.adroll.com/cm/r/in?xid=E0&gdpr=1&gdpr_consent=BOOla_OOOla_OA2ABBENAkwAAAAXyACAAyAIIA
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
54.229.99.84 Dublin, Ireland, ASN16509 (AMAZON-02, US),
Reverse DNS
ec2-54-229-99-84.eu-west-1.compute.amazonaws.com
Software
nginx/1.16.1 /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:44 GMT
server
nginx/1.16.1
p3p
CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
status
200
cache-control
no-store, no-cache, must-revalidate
content-type
image/gif
content-length
42

Redirect headers

date
Thu, 28 May 2020 19:16:43 GMT
referrer-policy
no-referrer-when-downgrade
server
ATS
age
0
status
302
expect-ct
max-age=31536000, report-uri="http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only"
strict-transport-security
max-age=15552000
p3p
policyref="https://policies.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
location
https://d.adroll.com/cm/r/in?xid=E0&gdpr=1&gdpr_consent=BOOla_OOOla_OA2ABBENAkwAAAAXyACAAyAIIA
x-xss-protection
1; mode=block
content-length
0
x-content-type-options
nosniff
/
trc.taboola.com/sg/adroll-network/1/rtb-h/
Redirect Chain
  • https://d.adroll.com/cm/taboola/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS
  • https://trc.taboola.com/sg/adroll-network/1/rtb-h/?taboola_hm=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
0
281 B
Image
General
Full URL
https://trc.taboola.com/sg/adroll-network/1/rtb-h/?taboola_hm=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
151.101.113.44 Frankfurt am Main, Germany, ASN54113 (FASTLY, US),
Reverse DNS
Software
nginx /
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

x-vcl-time-ms
9
date
Thu, 28 May 2020 19:16:44 GMT
via
1.1 varnish
server
nginx
x-timer
S1590693404.180521,VS0,VE9
x-cache
MISS
status
204
x-cache-hits
0
accept-ranges
bytes
x-served-by
cache-hhn4064-HHN

Redirect headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:43 GMT
server
nginx/1.16.1
status
302
p3p
CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
location
https://trc.taboola.com/sg/adroll-network/1/rtb-h/?taboola_hm=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
cache-control
no-store, no-cache, must-revalidate
content-length
111
xuid
eb2.3lift.com/
Redirect Chain
  • https://d.adroll.com/cm/triplelift/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS
  • https://eb2.3lift.com/xuid?mid=4714&xuid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&dongle=c85e
  • https://eb2.3lift.com/xuid?ld=1&mid=4714&xuid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&dongle=c85e&gdpr=1&cmp_cs=&us_privacy=
37 B
352 B
Image
General
Full URL
https://eb2.3lift.com/xuid?ld=1&mid=4714&xuid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&dongle=c85e&gdpr=1&cmp_cs=&us_privacy=
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
52.57.173.127 Frankfurt am Main, Germany, ASN16509 (AMAZON-02, US),
Reverse DNS
ec2-52-57-173-127.eu-central-1.compute.amazonaws.com
Software
/
Resource Hash
bb229a48bee31f5d54ca12dc9bd960c63a671f0d4be86a054c1d324a44499d96

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

status
200
date
Thu, 28 May 2020 19:16:44 GMT
cache-control
no-cache, no-store, must-revalidate
content-type
image/gif
content-length
37
p3p
policyref="http://cdn.3lift.com/w3c/p3p.xml", CP="NON DSP COR NID OUR DEL SAM OTR UNR COM NAV INT DEM CNT STA PRE LOC OTC"

Redirect headers

status
302
date
Thu, 28 May 2020 19:16:44 GMT
cache-control
no-cache, no-store, must-revalidate
content-length
0
location
/xuid?ld=1&mid=4714&xuid=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY&dongle=c85e&gdpr=1&cmp_cs=&us_privacy=
p3p
policyref="http://cdn.3lift.com/w3c/p3p.xml", CP="NON DSP COR NID OUR DEL SAM OTR UNR COM NAV INT DEM CNT STA PRE LOC OTC"
in
d.adroll.com/cm/mk/ULSJHTPGTZGY3EPPZSKHKS/
42 B
500 B
Image
General
Full URL
https://d.adroll.com/cm/mk/ULSJHTPGTZGY3EPPZSKHKS/in?id=id%3A306-ZEJ-256%26token%3A_mch-zscaler.com-1590693403693-43567
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
54.229.99.84 Dublin, Ireland, ASN16509 (AMAZON-02, US),
Reverse DNS
ec2-54-229-99-84.eu-west-1.compute.amazonaws.com
Software
nginx/1.16.1 /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:44 GMT
server
nginx/1.16.1
p3p
CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
status
200
cache-control
no-store, no-cache, must-revalidate
content-type
image/gif
content-length
42
sync
x.bidswitch.net/ul_cb/
Redirect Chain
  • https://d.adroll.com/cm/b/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS
  • https://x.bidswitch.net/sync?dsp_id=44&user_id=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
  • https://x.bidswitch.net/ul_cb/sync?dsp_id=44&user_id=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
43 B
380 B
Image
General
Full URL
https://x.bidswitch.net/ul_cb/sync?dsp_id=44&user_id=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
52.59.155.31 Frankfurt am Main, Germany, ASN16509 (AMAZON-02, US),
Reverse DNS
ec2-52-59-155-31.eu-central-1.compute.amazonaws.com
Software
/
Resource Hash
548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

status
200
date
Thu, 28 May 2020 19:16:44 GMT
cache-control
no-cache, no-store, must-revalidate
content-type
image/gif
content-length
43
p3p
CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"

Redirect headers

status
302
date
Thu, 28 May 2020 19:16:44 GMT
cache-control
no-cache, no-store, must-revalidate
content-length
0
location
https://x.bidswitch.net/ul_cb/sync?dsp_id=44&user_id=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
p3p
CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
bounce
ib.adnxs.com/
Redirect Chain
  • https://d.adroll.com/cm/x/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS
  • https://ib.adnxs.com/setuid?entity=172&code=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
  • https://ib.adnxs.com/bounce?%2Fsetuid%3Fentity%3D172%26code%3DZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
43 B
1 KB
Image
General
Full URL
https://ib.adnxs.com/bounce?%2Fsetuid%3Fentity%3D172%26code%3DZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_ECDSA, AES_128_GCM
Server
37.252.173.62 , Ascension Island, ASN29990 (ASN-APPNEX, US),
Reverse DNS
535.bm-nginx-loadbalancer.mgmt.fra1.adnexus.net
Software
nginx/1.13.4 /
Resource Hash
4b5b6b15c6255109e06720cce42a06d3aead8b7874423d9c52cb0303212c25ef
Security Headers
Name Value
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Pragma
no-cache
Date
Thu, 28 May 2020 19:16:46 GMT
X-Proxy-Origin
82.102.19.136; 82.102.19.136; 535.bm-nginx-loadbalancer.mgmt.fra1; *.adnxs.com; 37.252.173.55:80
AN-X-Request-Uuid
43ea5215-85a3-4dbc-b443-07d978d8a988
Server
nginx/1.13.4
P3P
policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Access-Control-Allow-Origin
*
Cache-Control
no-store, no-cache, private
Access-Control-Allow-Credentials
true
Connection
keep-alive
Content-Type
image/gif
Content-Length
43
X-XSS-Protection
0
Expires
Sat, 15 Nov 2008 16:00:00 GMT

Redirect headers

Pragma
no-cache
Date
Thu, 28 May 2020 19:16:46 GMT
X-Proxy-Origin
82.102.19.136; 82.102.19.136; 535.bm-nginx-loadbalancer.mgmt.fra1; *.adnxs.com; 37.252.173.55:80
AN-X-Request-Uuid
2ef4af82-05f7-4c86-98d2-6629065cb318
Server
nginx/1.13.4
P3P
policyref="http://cdn.adnxs.com/w3c/policy/p3p.xml", CP="NOI DSP COR ADM PSAo PSDo OURo SAMo UNRo OTRo BUS COM NAV DEM STA PRE"
Location
https://ib.adnxs.com/bounce?%2Fsetuid%3Fentity%3D172%26code%3DZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY
Cache-Control
no-store, no-cache, private
Connection
keep-alive
Content-Type
text/html; charset=utf-8
Content-Length
0
X-XSS-Protection
0
Expires
Sat, 15 Nov 2008 16:00:00 GMT
377928.gif
idsync.rlcdn.com/
Redirect Chain
  • https://d.adroll.com/cm/l/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS
  • https://idsync.rlcdn.com/377928.gif?partner_uid=e83ccb424c33d3cb8a842d5250a30316
0
59 B
Image
General
Full URL
https://idsync.rlcdn.com/377928.gif?partner_uid=e83ccb424c33d3cb8a842d5250a30316
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
35.241.8.149 , Ascension Island, ASN15169 (GOOGLE, US),
Reverse DNS
149.8.241.35.bc.googleusercontent.com
Software
/
Resource Hash
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

status
204
date
Thu, 28 May 2020 19:16:44 GMT
via
1.1 google
alt-svc
clear

Redirect headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:44 GMT
server
nginx/1.16.1
status
302
p3p
CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
location
https://idsync.rlcdn.com/377928.gif?partner_uid=e83ccb424c33d3cb8a842d5250a30316
cache-control
no-store, no-cache, must-revalidate
content-length
86
sd
us-u.openx.net/w/1.0/
Redirect Chain
  • https://d.adroll.com/cm/o/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS
  • https://us-u.openx.net/w/1.0/sd?id=537103138&val=e83ccb424c33d3cb8a842d5250a30316
  • https://us-u.openx.net/w/1.0/sd?cc=1&id=537103138&val=e83ccb424c33d3cb8a842d5250a30316
43 B
180 B
Image
General
Full URL
https://us-u.openx.net/w/1.0/sd?cc=1&id=537103138&val=e83ccb424c33d3cb8a842d5250a30316
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
34.98.64.218 , United States, ASN15169 (GOOGLE, US),
Reverse DNS
218.64.98.34.bc.googleusercontent.com
Software
OXGW/16.187.0 /
Resource Hash
4e0705327480ad2323cb03d9c450ffcae4a98bf3a5382fa0c7882145ed620e49

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:44 GMT
via
1.1 google
server
OXGW/16.187.0
vary
Accept
p3p
CP="CUR ADM OUR NOR STA NID"
status
200
cache-control
private, max-age=0, no-cache
content-type
image/gif
alt-svc
clear
content-length
43
expires
Mon, 26 Jul 1997 05:00:00 GMT

Redirect headers

date
Thu, 28 May 2020 19:16:44 GMT
via
1.1 google
server
OXGW/16.187.0
status
302
p3p
CP="CUR ADM OUR NOR STA NID"
location
https://us-u.openx.net/w/1.0/sd?cc=1&id=537103138&val=e83ccb424c33d3cb8a842d5250a30316
alt-svc
clear
content-length
0
in
d.adroll.com/cm/g/
Redirect Chain
  • https://d.adroll.com/cm/g/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS&google_nid=adroll4
  • https://cm.g.doubleclick.net/pixel?google_sc&google_nid=artb&google_hm=6DzLQkwz08uKhC1SUKMDFg
  • https://cm.g.doubleclick.net/pixel?google_sc=&google_nid=artb&google_hm=6DzLQkwz08uKhC1SUKMDFg&google_tc=
  • https://d.adroll.com/cm/g/in
42 B
537 B
Image
General
Full URL
https://d.adroll.com/cm/g/in
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
54.229.99.84 Dublin, Ireland, ASN16509 (AMAZON-02, US),
Reverse DNS
ec2-54-229-99-84.eu-west-1.compute.amazonaws.com
Software
nginx/1.16.1 /
Resource Hash
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:44 GMT
server
nginx/1.16.1
p3p
CP="NON DSP COR CURa PSA PSD OUR BUS NAV STA"
status
200
cache-control
no-store, no-cache, must-revalidate
content-type
image/gif
content-length
42
x-result
g.-1.-1.-1

Redirect headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:44 GMT
server
HTTP server (unknown)
status
302
p3p
policyref="https://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
location
https://d.adroll.com/cm/g/in
cache-control
no-cache, must-revalidate
content-type
text/html; charset=UTF-8
alt-svc
h3-27="googleads.g.doubleclick.net:443"; ma=2592000,h3-27=":443"; ma=2592000,h3-25="googleads.g.doubleclick.net:443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050="googleads.g.doubleclick.net:443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q049="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q049=":443"; ma=2592000,h3-Q048="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q048=":443"; ma=2592000,h3-Q046="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043="googleads.g.doubleclick.net:443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic="googleads.g.doubleclick.net:443"; ma=2592000; v="46,43",quic=":443"; ma=2592000; v="46,43"
content-length
225
x-xss-protection
0
expires
Fri, 01 Jan 1990 00:00:00 GMT
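The four AdRoll cookie-sync chains above hand the same visitor identifier to five partners in three encodings: `idsync.rlcdn.com` and `us-u.openx.net` receive it as 32 hex characters, `ib.adnxs.com` and `x.bidswitch.net` receive the base64 of that hex string, and `cm.g.doubleclick.net` receives the URL-safe base64 of the 16 raw bytes. The following script is an added example, not code from urlscan.io or from any of the ad-tech vendors listed; it normalises each query parameter to the hex form and reports every hop that carries the reference ID. The function names, the nested-query handling for the `bounce?%2Fsetuid%3F...` hop, and the "16 raw bytes" heuristic are this example's own assumptions; the URL list is copied verbatim from the transactions above.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# The IDs in these chains are 16 bytes, written as 32 hex characters.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def _b64decode_lenient(s):
    """Decode standard or URL-safe base64 after restoring stripped '=' padding."""
    s = s.replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def canonical_id(value):
    """Map a query value to (hex_id, encoding) if it is one of the three
    encodings seen in the redirect chains; otherwise return None.

    hex            e83ccb42...0316          rlcdn partner_uid, openx val
    base64(hex)    ZTgzY2Ni...MTY           adnxs code, bidswitch user_id
    base64url(raw) 6DzLQkwz08uKhC1SUKMDFg   doubleclick google_hm
    """
    if HEX32.match(value):
        return value.lower(), "hex"
    try:
        raw = _b64decode_lenient(value)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
        if HEX32.match(text):
            return text.lower(), "base64(hex)"
    except UnicodeDecodeError:
        pass
    if len(raw) == 16:
        # Any 22-character base64 value decodes to 16 bytes (the AdRoll
        # 'advertisable' value does too), so this is only a candidate;
        # callers must compare it against a known reference ID.
        return raw.hex(), "base64url(raw)"
    return None


def _query_params(query):
    """Yield (name, value) pairs, descending into a URL that has been
    stuffed whole into the query string (ib.adnxs.com/bounce?%2Fsetuid%3F...)."""
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value == "" and "?" in name:
            yield from _query_params(name.split("?", 1)[1])
        else:
            yield name, value


def find_sync_matches(urls, reference_hex):
    """Return (host, param, encoding) for every parameter in `urls` whose
    value decodes to `reference_hex` under any recognised encoding."""
    ref = reference_hex.lower()
    matches = []
    for url in urls:
        parts = urlsplit(url)
        for name, value in _query_params(parts.query):
            decoded = canonical_id(value)
            if decoded and decoded[0] == ref:
                matches.append((parts.hostname, name, decoded[1]))
    return matches


# Redirect-chain URLs copied from the transactions above (page data).
CHAIN = [
    "https://d.adroll.com/cm/x/out?arrfrr=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&xid_ch=f&advertisable=ULSJHTPGTZGY3EPPZSKHKS",
    "https://ib.adnxs.com/setuid?entity=172&code=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY",
    "https://ib.adnxs.com/bounce?%2Fsetuid%3Fentity%3D172%26code%3DZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY",
    "https://x.bidswitch.net/ul_cb/sync?dsp_id=44&user_id=ZTgzY2NiNDI0YzMzZDNjYjhhODQyZDUyNTBhMzAzMTY",
    "https://idsync.rlcdn.com/377928.gif?partner_uid=e83ccb424c33d3cb8a842d5250a30316",
    "https://us-u.openx.net/w/1.0/sd?cc=1&id=537103138&val=e83ccb424c33d3cb8a842d5250a30316",
    "https://cm.g.doubleclick.net/pixel?google_sc=&google_nid=artb&google_hm=6DzLQkwz08uKhC1SUKMDFg&google_tc=",
]

if __name__ == "__main__":
    for host, param, enc in find_sync_matches(CHAIN, "e83ccb424c33d3cb8a842d5250a30316"):
        print(f"{host:24} {param:12} {enc}")
```

Run against the seven URLs it reports six matches (both `ib.adnxs.com` hops, `x.bidswitch.net`, `idsync.rlcdn.com`, `us-u.openx.net`, `cm.g.doubleclick.net`); the `advertisable` value on the first hop also decodes to 16 bytes but is a different value, which is why the function matches against a reference ID rather than reporting every 16-byte candidate. One caveat: `parse_qsl` turns a literal `+` into a space, so a standard-alphabet base64 value containing `+` must be read from the raw query if it was not percent-encoded.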
476377582537549
connect.facebook.net/signals/config/
516 KB
130 KB
Script
General
Full URL
https://connect.facebook.net/signals/config/476377582537549?v=2.9.18&r=stable
Requested by
Host: connect.facebook.net
URL: https://connect.facebook.net/en_US/fbevents.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f01c:8012:face:b00c:0:3 , Ireland, ASN32934 (FACEBOOK, US),
Reverse DNS
Software
/
Resource Hash
80bb178f2160ff1ac7acf66c09622f3b4b049acaf6f53f8035d561dbf0a7dd7e
Security Headers
Name Value
Content-Security-Policy default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;
Strict-Transport-Security max-age=31536000; preload; includeSubDomains
X-Content-Type-Options nosniff
X-Frame-Options DENY
X-Xss-Protection 0

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

strict-transport-security
max-age=31536000; preload; includeSubDomains
content-encoding
gzip
x-content-type-options
nosniff
status
200
alt-svc
h3-27=":443"; ma=3600
x-xss-protection
0
pragma
public
x-fb-debug
j7IL2toplmj+30vaVsz6381NKArv9KaadJXNyn5j+en1lJX25M6DYuV0a5cEV9zCesoBdbC+Ca3IaWnXIOni2g==
x-fb-trip-id
664085054
x-frame-options
DENY
date
Thu, 28 May 2020 19:16:43 GMT, Thu, 28 May 2020 19:16:43 GMT
vary
Accept-Encoding
content-type
application/x-javascript; charset=utf-8
cache-control
public, max-age=1200
content-security-policy
default-src * data: blob:;script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self';style-src data: blob: 'unsafe-inline' *;connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;
expires
Sat, 01 Jan 2000 00:00:00 GMT
details
epsilon.6sense.com/v1/company/
812 B
651 B
XHR
General
Full URL
https://epsilon.6sense.com/v1/company/details
Requested by
Host: j.6sc.co
URL: https://j.6sc.co/6si.min.js
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
52.57.44.100 Frankfurt am Main, Germany, ASN16509 (AMAZON-02, US),
Reverse DNS
ec2-52-57-44-100.eu-central-1.compute.amazonaws.com
Software
nginx/1.16.0 /
Resource Hash
569b54f0c98d7da79efb74d029499748c590ae48c8114d5ad7e4763baee4fcf9

Request headers

Authorization
Token d9a28eea7120bf0c47191c72d2fdf42c4de8fc4e
Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
EpsilonCookie
1a497b5c494900001b0ed05ef30100003a590000

Response headers

date
Thu, 28 May 2020 19:16:43 GMT
content-encoding
gzip
server
nginx/1.16.0
status
200
vary
Accept-Encoding
content-type
application/json
access-control-allow-origin
https://www.zscaler.com
access-control-allow-credentials
true
content-length
462
/
www.facebook.com/tr/
44 B
350 B
Image
General
Full URL
https://www.facebook.com/tr/?id=476377582537549&ev=PageView&dl=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&rl=&if=false&ts=1590693404160&cd[segment_eid]=XYPZFM5QENHXRH7RBBI5PW&sw=1600&sh=1200&v=2.9.18&r=stable&ec=0&o=29&fbp=fb.1.1590693404160.616711093&it=1590693403771&coo=false&rqm=GET
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2a03:2880:f11c:8183:face:b00c:0:25de , Ireland, ASN32934 (FACEBOOK, US),
Reverse DNS
Software
proxygen-bolt /
Resource Hash
10d8d42d73a02ddb877101e72fbfa15a0ec820224d97cedee4cf92d571be5caa
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; includeSubDomains

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:44 GMT, Thu, 28 May 2020 19:16:44 GMT
last-modified
Fri, 21 Dec 2012 00:00:01 GMT
server
proxygen-bolt
strict-transport-security
max-age=31536000; includeSubDomains
content-type
image/gif
status
200
cache-control
no-cache, must-revalidate, max-age=0
alt-svc
h3-27=":443"; ma=3600
content-length
44
expires
Thu, 28 May 2020 19:16:44 GMT
tracking.png
tracking.leadlander.com/
Redirect Chain
  • https://tracking.leadlander.com/api/tracking?accountId=14146&page=https%3A%2F%2Fwww.zscaler.com%2Fblogs%2Fresearch%2Fnew-ursnif-campaign-shift-powershell-mshta&referer=&fp=b83201a2071430f5c447d355c...
  • https://tracking.leadlander.com/tracking.png
68 B
296 B
Image
General
Full URL
https://tracking.leadlander.com/tracking.png
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
52.206.150.214 Ashburn, United States, ASN14618 (AMAZON-AES, US),
Reverse DNS
ec2-52-206-150-214.compute-1.amazonaws.com
Software
Kestrel /
Resource Hash
69539b5b3777cffda28a66d7f2aa9b17c91ee1ec8fd50c00c442af91753a60f7
Security Headers
Name Value
Strict-Transport-Security max-age=2592000

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

pragma
no-cache
date
Thu, 28 May 2020 19:16:44 GMT
last-modified
Wed, 26 Sep 2018 16:48:51 GMT
server
Kestrel
etag
"1d455b8cd761bc4"
strict-transport-security
max-age=2592000
content-type
image/png
status
200
cache-control
no-cache, no-store
accept-ranges
bytes
content-length
68
expires
-1

Redirect headers

status
302
date
Thu, 28 May 2020 19:16:44 GMT
server
Kestrel
access-control-allow-origin
*
location
/tracking.png
content-length
0
strict-transport-security
max-age=2592000
nr-1169.min.js
js-agent.newrelic.com/
27 KB
10 KB
Script
General
Full URL
https://js-agent.newrelic.com/nr-1169.min.js
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Protocol
H2
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
151.101.114.110 Frankfurt am Main, Germany, ASN54113 (FASTLY, US),
Reverse DNS
Software
AmazonS3 /
Resource Hash
cddee6bb37cab7b576ddf080fd6ba00fa8420d0afc0531f413633175e9e5f9c8

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:44 GMT
content-encoding
gzip
x-amz-request-id
0F29A27F753E1AFD
x-cache
HIT
status
200
content-length
10276
x-amz-id-2
RTyRtbPoVluljTtYOi1PDmzXZ0EgpPGsJyhbvz8bvk6ESiFaefFHrKBOySEZQ3f3qaja+cszoxA=
x-served-by
cache-hhn4064-HHN
last-modified
Wed, 20 May 2020 21:16:15 GMT
server
AmazonS3
x-timer
S1590693405.921530,VS0,VE0
etag
"7e312620a90879b595db1bff9c42ed57"
vary
Accept-Encoding
content-type
application/javascript
via
1.1 varnish
cache-control
public, max-age=7200, stale-if-error=604800
accept-ranges
bytes
x-cache-hits
3676
zscaler-cookie-icon-close.png
www.zscaler.com/cdn-cgi/image/format=auto//themes/custom/zscaler/images/shared/OneTrust/
162 B
326 B
Image
General
Full URL
https://www.zscaler.com/cdn-cgi/image/format=auto//themes/custom/zscaler/images/shared/OneTrust/zscaler-cookie-icon-close.png
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/sites/default/files/js/js_o43iLYjFaCbMP-fYtzOeS9trqU2USVukbKv0kuGUAXQ.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2606:4700::6813:d63e , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software
cloudflare /
Resource Hash
ad3a070356997e229cf81d5bbcf3760a49b5cbf216dd74abe3254d6b890d99fa
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; preload
X-Content-Type-Options nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/sites/default/files/css/css_zO1_93cGxIYyEO1P1C5EyfYUrSlZX6GteTp_t92Egzs.css
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:44 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
HIT
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
162
cf-request-id
02fe5038d90000635910b75200000001
last-modified
Fri, 20 Sep 2019 09:57:46 GMT
server
cloudflare
etag
"cfIY7UmQV8D2lEE3vfE0bGMQ"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/h t=0.053 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fd48edd6359-FRA
expires
Mon, 15 Jun 2020 13:49:06 GMT
zscaler-cookie-icon-asterik.png
www.zscaler.com/cdn-cgi/image/format=auto//themes/custom/zscaler/images/shared/OneTrust/
226 B
528 B
Image
General
Full URL
https://www.zscaler.com/cdn-cgi/image/format=auto//themes/custom/zscaler/images/shared/OneTrust/zscaler-cookie-icon-asterik.png
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/sites/default/files/js/js_o43iLYjFaCbMP-fYtzOeS9trqU2USVukbKv0kuGUAXQ.js
Protocol
H2
Security
TLS 1.3, , AES_128_GCM
Server
2606:4700::6813:d63e , United States, ASN13335 (CLOUDFLARENET, US),
Reverse DNS
Software
cloudflare /
Resource Hash
80428526d24e4ff69d4aa60edc9fcf5efa5af0d835743cadbdc9a06d1b8b4221
Security Headers
Name Value
Strict-Transport-Security max-age=31536000; preload
X-Content-Type-Options nosniff, nosniff

Request headers

Referer
https://www.zscaler.com/sites/default/files/css/css_zO1_93cGxIYyEO1P1C5EyfYUrSlZX6GteTp_t92Egzs.css
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

date
Thu, 28 May 2020 19:16:44 GMT
via
varnish
x-content-type-options
nosniff, nosniff
cf-cache-status
HIT
status
200
vary
cf-int-resize, x-forwarded-proto, Accept-Encoding
content-length
226
cf-request-id
02fe5038d90000635910b76200000001
last-modified
Fri, 20 Sep 2019 09:57:57 GMT
server
cloudflare
etag
"cfyqkdyVHbk-iP3rTYiRvVXw"
expect-ct
max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
strict-transport-security
max-age=31536000; preload
content-type
image/webp
cache-control
public, max-age=1814400
cf-resized
internal=ok/h t=0.031 v=2020.5.1
accept-ranges
bytes
cf-ray
59aa4fd48ee06359-FRA
expires
Mon, 15 Jun 2020 14:04:43 GMT
cookie-collective-black-overlay.png
cdn.cookielaw.org/skins/4.7.0/default_responsive_alert_bottom_two_button_white/v2/images/
84 B
285 B
Image
General
Full URL
https://cdn.cookielaw.org/skins/4.7.0/default_responsive_alert_bottom_two_button_white/v2/images/cookie-collective-black-overlay.png
Requested by
Host: www.zscaler.com
URL: https://www.zscaler.com/sites/default/files/js/js_o43iLYjFaCbMP-fYtzOeS9trqU2USVukbKv0kuGUAXQ.js
Protocol
H2
Security
TLS 1.3, , AES_256_GCM
Server
2606:2800:233:1cb7:261b:1f9c:2074:3c , United States, ASN15133 (EDGECAST, US),
Reverse DNS
Software
ECAcc (frc/8F86) /
Resource Hash
b5b72b34704b3be1098742f3ed587bdd0d89a423a375a3ad3d067eba623047b5

Request headers

Referer
https://cdn.cookielaw.org/skins/4.7.0/default_responsive_alert_bottom_two_button_white/v2/css/optanon.css
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

x-ms-blob-type
BlockBlob
date
Thu, 28 May 2020 19:16:44 GMT
content-md5
eOozn7qowjgmAKNqoTzdJA==
age
8337
x-cache
HIT
status
200
content-length
84
x-ms-lease-status
unlocked
last-modified
Thu, 19 Sep 2019 20:27:25 GMT
server
ECAcc (frc/8F86)
etag
0x8D73D3FC8D6E3F6
content-type
image/png
access-control-allow-origin
*
x-ms-request-id
1c69fc07-201e-00eb-4611-35261a000000
access-control-expose-headers
x-ms-request-id,Server,x-ms-version,Content-Length,Date,Transfer-Encoding
cache-control
max-age=14400
x-ms-version
2009-09-19
accept-ranges
bytes
expires
Thu, 28 May 2020 23:16:44 GMT
2148692b96
bam.nr-data.net/1/
57 B
275 B
Script
General
Full URL
https://bam.nr-data.net/1/2148692b96?a=542666155&v=1169.7b094c0&to=Ml1VMkNXDEBTWxZaWAsXdgVFXw1dHXwQRkcEVGslXkQHb3RXEF5rI1dFC3NDC19WXRAeCRddWQJURDJfU1sHW1gJXFIUd1kQXnNbFlpYCw%3D%3D&rst=3502&ck=1&ref=https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta&ap=1320&be=1549&fe=3432&dc=1925&perf=%7B%22timing%22:%7B%22of%22:1590693401437,%22n%22:0,%22f%22:1,%22dn%22:1,%22dne%22:23,%22c%22:23,%22s%22:28,%22ce%22:368,%22rq%22:368,%22rp%22:1454,%22rpe%22:1545,%22dl%22:1457,%22di%22:1925,%22ds%22:1925,%22de%22:1927,%22dc%22:3432,%22l%22:3432,%22le%22:3462%7D,%22navigation%22:%7B%7D%7D&fp=1877&fcp=1877&at=HhpWRAtNH04%3D&jsonp=NREUM.setToken
Requested by
Host: js-agent.newrelic.com
URL: https://js-agent.newrelic.com/nr-1169.min.js
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
162.247.242.20 San Francisco, United States, ASN23467 (NEWRELIC-AS-1, US),
Reverse DNS
bam-8.nr-data.net
Software
/
Resource Hash
f69a13217482dc43f25e74cfcb9391d0f06d22501f10f5cb5e413d2d98a5cd23

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36

Response headers

Expires
Thu, 01 Jan 1970 00:00:00 GMT
Content-Length
57
Content-Type
text/javascript;charset=ISO-8859-1
2148692b96
bam.nr-data.net/events/1/
24 B
182 B
XHR
General
Full URL
https://bam.nr-data.net/events/1/2148692b96?a=542666155&v=1169.7b094c0&to=Ml1VMkNXDEBTWxZaWAsXdgVFXw1dHXwQRkcEVGslXkQHb3RXEF5rI1dFC3NDC19WXRAeCRddWQJURDJfU1sHW1gJXFIUd1kQXnNbFlpYCw%3D%3D&rst=13502&ck=1&ref=https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
Requested by
Host: cdn.bizible.com
URL: https://cdn.bizible.com/scripts/bizible.js
Protocol
HTTP/1.1
Security
TLS 1.2, ECDHE_RSA, AES_128_GCM
Server
162.247.242.20 San Francisco, United States, ASN23467 (NEWRELIC-AS-1, US),
Reverse DNS
bam-8.nr-data.net
Software
/
Resource Hash
0c9cf152a0ad00d4f102c93c613c104914be5517ac8f8e0831727f8bfbe8b300

Request headers

Referer
https://www.zscaler.com/blogs/research/new-ursnif-campaign-shift-powershell-mshta
User-Agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
content-type
text/plain

Response headers

Access-Control-Allow-Origin
https://www.zscaler.com
Access-Control-Allow-Credentials
true
Content-Length
24
Content-Type
image/gif

Verdicts & Comments

126 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object, listed as type| name. They can help identify the client-side frameworks and code loaded by the page.

object| onformdata object| onpointerrawupdate object| dataLayer object| google_tag_manager object| google_tag_data string| GoogleAnalyticsObject function| ga string| adroll_adv_id string| adroll_pix_id boolean| __adroll_loaded string| _linkedin_data_partner_id object| NREUM object| newrelic function| __nr_require object| gaplugins object| gaGlobal object| gaData function| lintrk boolean| _already_called_lintrk function| GooglemKTybQhCsO function| google_trackConversion object| GooglebQhCsO string| adroll_sid object| __adroll boolean| adroll_optout object| adroll_ext_network object| adroll_callbacks undefined| adroll_tpc_callback object| google_optimize number| sf14gv undefined| mystripe function| $ function| jQuery object| drupalSettings object| Drupal function| Popper object| MicroPlugin function| Sifter function| inlineStyles function| URI function| rrssbInit function| Waypoint function| eve string| output function| TimeSpan function| TimePeriod function| jQueryBridget function| EvEmitter function| getSize function| matchesSelector object| fizzyUIUtils function| Outlayer function| Masonry function| Tether function| Selectize object| Morris object| FormValidation object| APP object| UTIL object| customerFilter object| webcastFilter object| MarketoApp object| OneTrust string| containerName string| languageSwitcherFileName string| useDocumentLanguage string| languageSwitcherFilePathPart string| languageSwitcherURL function| getLanguageSwitcherScriptPath function| isLanguageSwitcherFile string| languageKey function| OptanonWrapper function| onYouTubeIframeAPIReady function| processEpsilonData object| _6si object| techtargetic object| $Single_OptIn__c_parent object| $Single_OptIn__c object| $slider function| mktoMunchkinFunction object| Munchkin function| mktoMunchkin undefined| a undefined| c function| jsonFeed object| Optanon string| OnetrustActiveGroups string| OptanonActiveGroups object| YT object| YTConfig function| onYTReady boolean| __adroll_consent boolean| __adroll_consent_is_gdpr object| __adroll_consent_data string| __adroll_consent_user_country string| __adroll_consent_adv_country number| adroll_xavier_called number| __adroll_xid_ch object| adroll_currency object| adroll_conversion_value object| adroll_conversion_value_in_dollars object| adroll_exp_list boolean| _storagePopulated object| true object| Bizible object| BizTrackingA object| BizA object| MunchkinTracker object| yt function| ytDomDomGetNextId object| ytEventsEventsListeners object| ytEventsEventsCounter object| ytPubsubPubsubInstance object| ytPubsubPubsubSubscribedKeys object| ytPubsubPubsubTopicToKeys object| ytPubsubPubsubIsSynchronous object| ytLoggingTransportLogPayloadsQueue_ object| ytLoggingTransportGELQueue_ object| ytLoggingTransportTokensToCttTargetIds_ object| ytLoggingGelSequenceIdObj_ string| llfp function| fbq function| _fbq boolean| adroll_sendrolling_hashed_only object| _vis_opt_queue object| LC_API

10 Cookies

Domain/Path Name / Value
.zscaler.com/ Name: _fbp
Value: fb.1.1590693404160.616711093
.zscaler.com/ Name: _biz_flagsA
Value: %7B%22Version%22%3A1%2C%22XDomain%22%3A%221%22%7D
.www.zscaler.com/ Name: __ar_v4
Value: %7CULSJHTPGTZGY3EPPZSKHKS%3A20200527%3A1%7C22OEOVE2YNFA3EKSRERISY%3A20200527%3A1%7CXYPZFM5QENHXRH7RBBI5PW%3A20200527%3A1
.www.zscaler.com/ Name: OptanonConsent
Value: EU=true&datestamp=Thu+May+28+2020+21%3A16%3A44+GMT%2B0200+(Central+European+Summer+Time)&version=4.7.0&groups=101%3A1%2C1%3A1%2C0_138025%3A1%2C122%3A1%2C2%3A1%2C0_137957%3A1%2C116%3A1%2C0_138118%3A1%2C119%3A1%2C3%3A1%2C0_138119%3A1%2C4%3A1%2C121%3A1%2C0_138125%3A1%2C0_138122%3A1%2C0_192188%3A1%2C0_192175%3A1%2C0_192171%3A1%2C0_138160%3A1%2C0_138127%3A1%2C0_138123%3A1%2C0_192189%3A1%2C0_192172%3A1%2C0_138128%3A1%2C0_192190%3A1%2C0_138129%3A1%2C0_192170%3A1%2C102%3A1%2C103%3A1%2C104%3A1%2C105%3A1%2C106%3A1%2C107%3A1%2C108%3A1%2C109%3A1%2C110%3A1%2C111%3A1%2C112%3A1%2C113%3A1%2C114%3A1%2C115%3A1%2C117%3A1%2C118%3A1%2C120%3A1%2C123%3A1%2C124%3A1%2C125%3A1%2C126%3A1%2C127%3A1%2C128%3A1%2C129%3A1%2C130%3A1
.zscaler.com/ Name: _biz_nA
Value: 1
.zscaler.com/ Name: _biz_pendingA
Value: %5B%5D
www.zscaler.com/ Name: _gd_svisitor
Value: 1a497b5c494900001b0ed05ef30100003a590000
.zscaler.com/ Name: _biz_sid
Value: 534a8d
.zscaler.com/ Name: _mkto_trk
Value: id:306-ZEJ-256&token:_mch-zscaler.com-1590693403693-43567
.zscaler.com/ Name: _biz_uid
Value: 6f89e03c4b96402f898de700345972a8

2 Console Messages

Source Level URL
Text
console-api log (Line 1)
Message:
[object Object]
console-api log (Line 2)
Message:
[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Security Headers

This section lists the security headers set by the main page (www.zscaler.com); headers set by third-party resources are shown per transaction above.

Header Value
Strict-Transport-Security max-age=31536000; preload
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
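The main page's Strict-Transport-Security value carries `preload` but not `includeSubDomains`, and the hstspreload.org submission rules require `max-age` of at least one year (31536000 seconds), `includeSubDomains` and `preload` together; as served here the header would be rejected for the browser preload list. The checker below is an added example, not urlscan.io's own code, that parses an HSTS value and lists the preload-eligibility problems. It checks only the header text: the preload list also requires the header on the registrable domain (zscaler.com, not just www.) and an HTTPS redirect from port 80, which this scan cannot show. Function names are this example's own; the four header values are copied from the transactions above.

```python
import re

ONE_YEAR = 31_536_000  # seconds; the minimum max-age hstspreload.org accepts


def parse_hsts(value):
    """Parse a Strict-Transport-Security header into its three directives.
    Directive names are case-insensitive and max-age may be quoted (RFC 6797)."""
    parsed = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m:
                parsed["max-age"] = int(m.group(1))
        elif name == "includesubdomains":
            parsed["includeSubDomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def preload_problems(value):
    """Return the reasons this header value would be refused by the preload
    list; an empty list means the header text itself meets the requirements."""
    p = parse_hsts(value)
    problems = []
    if p["max-age"] is None:
        problems.append("max-age missing or malformed")
    elif p["max-age"] < ONE_YEAR:
        problems.append(f"max-age {p['max-age']} is below one year ({ONE_YEAR})")
    if not p["includeSubDomains"]:
        problems.append("includeSubDomains missing")
    if not p["preload"]:
        problems.append("preload directive missing")
    return problems


# HSTS values copied from the transactions above (page data).
OBSERVED = {
    "www.zscaler.com": "max-age=31536000; preload",
    "connect.facebook.net": "max-age=31536000; preload; includeSubDomains",
    "www.facebook.com": "max-age=31536000; includeSubDomains",
    "tracking.leadlander.com": "max-age=2592000",
}


def audit(observed=OBSERVED):
    """Map each host to its list of preload problems."""
    return {host: preload_problems(value) for host, value in observed.items()}


if __name__ == "__main__":
    for host, problems in audit().items():
        print(f"{host:26} {'OK' if not problems else '; '.join(problems)}")
```

Of the four hosts only `connect.facebook.net` passes; `www.zscaler.com` fails on the missing `includeSubDomains`, `www.facebook.com` on the missing `preload` token, and `tracking.leadlander.com` on all three counts. A `preload` token without the other two directives is harmless to browsers (they enforce HSTS from `max-age` alone) but it signals an intent the header does not fulfil.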

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

306-zej-256.mktoresp.com
ads.yahoo.com
apt.techtarget.com
b.6sc.co
bam.nr-data.net
c.6sc.co
cdn.bizible.com
cdn.cookielaw.org
cm.g.doubleclick.net
connect.facebook.net
d.adroll.com
d.adroll.mgr.consensu.org
dsum-sec.casalemedia.com
eb2.3lift.com
epsilon.6sense.com
fonts.googleapis.com
fonts.gstatic.com
geolocation.onetrust.com
googleads.g.doubleclick.net
ib.adnxs.com
idsync.rlcdn.com
j.6sc.co
js-agent.newrelic.com
munchkin.marketo.net
pixel.advertising.com
pixel.rubiconproject.com
px.ads.linkedin.com
s.adroll.com
s.ytimg.com
simage2.pubmatic.com
snap.licdn.com
stats.g.doubleclick.net
sync.outbrain.com
t.sf14g.com
tracking.leadlander.com
trc.taboola.com
trk.techtarget.com
ups.analytics.yahoo.com
us-u.openx.net
www.facebook.com
www.google-analytics.com
www.google.com
www.google.de
www.googleadservices.com
www.googletagmanager.com
www.linkedin.com
www.youtube.com
www.zscaler.com
x.bidswitch.net
151.101.113.44
151.101.114.110
162.247.242.20
163.171.132.119
172.217.16.130
184.30.221.218
185.64.189.110
192.28.144.124
206.19.49.24
23.10.73.123
23.210.248.216
23.210.249.164
2606:2800:233:1cb7:261b:1f9c:2074:3c
2606:4700:10::6814:b844
2606:4700::6813:d63e
2620:1ec:21::14
2a00:1288:f03d:1fa::4000
2a00:1450:4001:800::2008
2a00:1450:4001:802::200e
2a00:1450:4001:806::2004
2a00:1450:4001:814::200a
2a00:1450:4001:815::200e
2a00:1450:4001:81b::200e
2a00:1450:4001:81f::2003
2a00:1450:4001:820::2003
2a00:1450:4001:824::2002
2a00:1450:400c:c03::9b
2a02:26f0:10c:39e::25ea
2a03:2880:f01c:8012:face:b00c:0:3
2a03:2880:f11c:8183:face:b00c:0:25de
2a05:f500:10:101::b93f:9105
3.126.56.137
34.98.64.218
35.157.252.175
35.241.8.149
37.252.173.62
52.206.150.214
52.57.173.127
52.57.44.100
52.59.155.31
54.229.99.84
68.232.35.12
69.173.144.138
70.42.32.95