decoded.avast.io Open in urlscan Pro
162.241.248.14 Public Scan

Go To Rescan
Add Verdict Report

URL:
https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Submission: On February 05 via api (February 5th 2021, 2:40:55 am UTC) from US

Summary HTTP 60 Redirects Links 14 Behaviour Indicators

Summary

This website contacted 7 IPs in 3 countries across 6 domains to perform 60 HTTP transactions. The main IP is 162.241.248.14, located in Brooklyn, United States and belongs to UNIFIEDLAYER-AS-1, US. The main domain is decoded.avast.io.
TLS certificate: Issued by R3 on December 26th 2020. Valid for: 3 months.

This is the only time decoded.avast.io was scanned on urlscan.io!

urlscan.io Verdict: No classification

Domain & IP information

	IP Address	AS Autonomous System
31	162.241.248.14 162.241.248.14	46606 (UNIFIEDLA...) (UNIFIEDLAYER-AS-1)
1	2a00:1450:400... 2a00:1450:4001:82a::200a	15169 (GOOGLE) (GOOGLE)
3	2a00:1450:400... 2a00:1450:4001:809::200e	15169 (GOOGLE) (GOOGLE)
12	2a00:1450:400... 2a00:1450:4001:802::2001	15169 (GOOGLE) (GOOGLE)
10	2a00:1450:400... 2a00:1450:4001:80e::2001	15169 (GOOGLE) (GOOGLE)
2	2a00:1450:400... 2a00:1450:4001:828::2003	15169 (GOOGLE) (GOOGLE)
1	2a00:1450:400... 2a00:1450:400c:c00::9c	15169 (GOOGLE) (GOOGLE)
60	7

31 162.241.248.14 (Brooklyn, United States)

ASN46606 (UNIFIEDLAYER-AS-1, US)
PTR: wp2.bluehost.com

decoded.avast.io	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:4001:82a::200a (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

fonts.googleapis.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

3 2a00:1450:4001:809::200e (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

www.google-analytics.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

12 2a00:1450:4001:802::2001 (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

lh5.googleusercontent.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools
lh6.googleusercontent.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

10 2a00:1450:4001:80e::2001 (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

lh4.googleusercontent.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools
lh3.googleusercontent.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

2 2a00:1450:4001:828::2003 (Frankfurt am Main, Germany)

ASN15169 (GOOGLE, US)

fonts.gstatic.com	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

1 2a00:1450:400c:c00::9c (Brussels, Belgium)

ASN15169 (GOOGLE, US)

stats.g.doubleclick.net	Domain lookup VirusTotal SecurityTrails crt.sh Censys Domaintools

	Apex Domain Subdomains	Transfer
31	avast.io decoded.avast.io	2 MB
22	googleusercontent.com lh5.googleusercontent.com lh4.googleusercontent.com lh6.googleusercontent.com lh3.googleusercontent.com	1011 KB
3	google-analytics.com www.google-analytics.com	20 KB
2	gstatic.com fonts.gstatic.com	46 KB
1	doubleclick.net stats.g.doubleclick.net	87 B
1	googleapis.com fonts.googleapis.com	551 B
60	6

	Domain	Requested by
31	decoded.avast.io	decoded.avast.io
9	lh6.googleusercontent.com	decoded.avast.io
6	lh3.googleusercontent.com	decoded.avast.io
4	lh4.googleusercontent.com	decoded.avast.io
3	lh5.googleusercontent.com	decoded.avast.io
3	www.google-analytics.com	decoded.avast.io www.google-analytics.com
2	fonts.gstatic.com	fonts.googleapis.com
1	stats.g.doubleclick.net	www.google-analytics.com
1	fonts.googleapis.com	decoded.avast.io
60	9

This site contains links to these domains. Also see Links.

Domain
avast.io
www.avast.com
blog.avast.com
blog.nic.cz
developer.mozilla.org
jquery.com
github.com
chrome.google.com
myaccount.google.com
wordpress.org

Subject Issuer	Validity	Valid
www.decoded.avast.io R3	`2020-12-26` - `2021-03-26`	3 months	crt.sh
upload.video.google.com GTS CA 1O1	`2021-01-05` - `2021-03-30`	3 months	crt.sh
*.google-analytics.com GTS CA 1O1	`2021-01-05` - `2021-03-30`	3 months	crt.sh
*.googleusercontent.com GTS CA 1O1	`2021-01-05` - `2021-03-30`	3 months	crt.sh
*.gstatic.com GTS CA 1O1	`2021-01-05` - `2021-03-30`	3 months	crt.sh
*.g.doubleclick.net GTS CA 1O1	`2021-01-19` - `2021-04-13`	3 months	crt.sh

This page contains 1 frames:

Primary Page: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Frame ID: 524E8E3626C6334CC60E7D9D1529663E
Requests: 60 HTTP requests in this frame

Screenshot
Live screenshot

Full Image

Detected technologies

WordPress (CMS) Expand

Overall confidence: 100%
Detected patterns

script /\/wp-(?:content|includes)\//i
headers link /rel="https:\/\/api\.w\.org\/"/i
html /<!-- This site is optimized with the Yoast (?:WordPress )?SEO plugin v([\d.]+) -/i

PHP (Programming Languages) Expand

Overall confidence: 100%
Detected patterns

script /\/wp-(?:content|includes)\//i
headers link /rel="https:\/\/api\.w\.org\/"/i
html /<!-- This site is optimized with the Yoast (?:WordPress )?SEO plugin v([\d.]+) -/i

MySQL (Databases) Expand

Overall confidence: 100%
Detected patterns

script /\/wp-(?:content|includes)\//i
headers link /rel="https:\/\/api\.w\.org\/"/i
html /<!-- This site is optimized with the Yoast (?:WordPress )?SEO plugin v([\d.]+) -/i

Nginx (Web Servers) Expand

Overall confidence: 100%
Detected patterns

headers server /nginx(?:\/([\d.]+))?/i

Yoast SEO (SEO) Expand

Overall confidence: 100%
Detected patterns

html /<!-- This site is optimized with the Yoast (?:WordPress )?SEO plugin v([\d.]+) -/i

Google Analytics (Analytics) Expand

Overall confidence: 100%
Detected patterns

script /google-analytics\.com\/(?:ga|urchin|analytics)\.js/i

Google Font API (Font Scripts) Expand

Overall confidence: 100%
Detected patterns

html /<link[^>]* href=[^>]+fonts\.(?:googleapis|google)\.com/i

Page Statistics

60
Requests

100 %
HTTPS

86 %
IPv6

6
Domains

9
Subdomains

7
IPs

3
Countries

2874 kB
Transfer

3340 kB
Size

3
Cookies

14 Outgoing links

These are links going to different origins than the main page.

URL: https://avast.io/
Title: More onAvast Inside Out

Search URL Search Domain Scan URL

URL: https://www.avast.com/en-us/careers
Title: Careers

Search URL Search Domain Scan URL

URL: https://blog.avast.com/malicious-browser-extensions-avast
Title: reported

Search URL Search Domain Scan URL

URL: https://blog.nic.cz/2020/11/19/hledani-skodliveho-kodu-mezi-doplnky/
Title: Czech blog post by Edvard Rejthar from CZ.NIC

Search URL Search Domain Scan URL

URL: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!
Title: infamous

Search URL Search Domain Scan URL

URL: https://jquery.com/
Title: jQuery

Search URL Search Domain Scan URL

URL: https://github.com/avast/ioc/blob/master/CacheFlow/extras/decryptor_strrevsstr.py
Title: decoded

Search URL Search Domain Scan URL

URL: https://github.com/avast/ioc/blob/master/CacheFlow/extras/developer_extensions.txt
Title: hardcoded list of extension IDs

Search URL Search Domain Scan URL

URL: https://chrome.google.com/webstore/detail/chrome-extension-source-v/jifpbeccnghkjeaalbbjmodiffmgedin
Title: Chrome extension source viewer

Search URL Search Domain Scan URL

URL: https://chrome.google.com/webstore/detail/link-redirect-trace/nnpljppamoaalgkieeciijbcccohlpoh
Title: Link Redirect Trace

Search URL Search Domain Scan URL

URL: https://chrome.google.com/webstore/detail/jwt-debugger/ppmmlchacdbknfphdeafcbmklcghghmd
Title: JWT Debugger

Search URL Search Domain Scan URL

URL: https://myaccount.google.com/birthday
Title: https://myaccount.google.com/birthday

Search URL Search Domain Scan URL

URL: https://github.com/avast/ioc/tree/master/CacheFlow
Title: https://github.com/avast/ioc/tree/master/CacheFlow

Search URL Search Domain Scan URL

URL: https://wordpress.org/
Title: WordPress.org

Search URL Search Domain Scan URL

Redirected requests

There were HTTP redirect chains for the following requests:

60 HTTP transactions
0 data transactions

Method
Protocol Status Resource
Path Size
x-fer Time
Latency Type
MIME-Type IP
Location

GET
H2 200 Primary Request / Show response
decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/ 143 KB
48 KB 940ms
574ms Document
text/html 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 3bf57d9862cb7c6fc8aa2177bc448b8c12432adc8633a29b199c49bb4d42147b

Request headers

:method: GET
:authority: decoded.avast.io
:scheme: https
:path: /janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
pragma: no-cache
cache-control: no-cache
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:36 GMT
server: nginx/1.19.5
content-type: text/html; charset=UTF-8
link: <https://decoded.avast.io/wp-json/>; rel="https://api.w.org/", <https://decoded.avast.io/wp-json/wp/v2/posts/2460>; rel="alternate"; type="application/json", <https://decoded.avast.io/?p=2460>; rel=shortlink
vary: Accept-Encoding
content-encoding: gzip
host-header: d3AuYmx1ZWhvc3QuY29t
x-server-cache: false

GET
H2 200 style.min.css
decoded.avast.io/wp-includes/css/dist/block-library/ 50 KB
10 KB 337ms
335ms Stylesheet
text/css 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-includes/css/dist/block-library/style.min.css?ver=5.6.1
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 5c2288ca7b324881faae5e368eb4d69457e2784e042e868de335d3827bb90981

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
content-encoding: gzip
last-modified: Tue, 08 Dec 2020 23:42:15 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
vary: Accept-Encoding
content-type: text/css
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 10424

GET
H2 200 css
fonts.googleapis.com/ 3 KB
551 B 16ms
15ms Stylesheet
text/css 2a00:1450:4001:82a::200a
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://fonts.googleapis.com/css?family=Muli%3Aregular%2C900%2C700&ver=1.1.3

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:82a::200a Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

ESF /

Resource Hash

8d97a7cf891b0c3f0448f17d5319aa621e66755fe12f23cd10b83830c2ac8a12

Security Headers

Name	Value
Strict-Transport-Security	max-age=31536000
X-Content-Type-Options	nosniff
X-Frame-Options	SAMEORIGIN
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

strict-transport-security: max-age=31536000
content-encoding: gzip
x-content-type-options: nosniff
cross-origin-resource-policy: cross-origin
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
x-xss-protection: 0
last-modified: Fri, 05 Feb 2021 02:40:36 GMT
server: ESF
date: Fri, 05 Feb 2021 02:40:36 GMT
x-frame-options: SAMEORIGIN
content-type: text/css; charset=utf-8
access-control-allow-origin: *
cache-control: private, max-age=86400, stale-while-revalidate=604800
timing-allow-origin: *
link: <https://fonts.gstatic.com>; rel=preconnect; crossorigin
expires: Fri, 05 Feb 2021 02:40:36 GMT

GET
H2 200 min.css
decoded.avast.io/wp-content/themes/johannes/assets/css/ 180 KB
43 KB 338ms
337ms Stylesheet
text/css 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-content/themes/johannes/assets/css/min.css?ver=1.1.3
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 8b7f6b3b98d203b064eeb91445b8bfc6f5bec3a2e7b76af8a23a7cb6cd0d8add

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
content-encoding: gzip
last-modified: Mon, 24 Jun 2019 11:19:20 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
vary: Accept-Encoding
content-type: text/css
host-header: d3AuYmx1ZWhvc3QuY29t

GET
H2 200 main.css
decoded.avast.io/wp-content/plugins/meks-easy-social-share/assets/css/ 9 KB
2 KB 224ms
223ms Stylesheet
text/css 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-content/plugins/meks-easy-social-share/assets/css/main.css?ver=1.2.1
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: a61e94c6cee47c0f689736d8b6d3a8ba98f9501a3e834b2cdedc374e4b88c6cf

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
content-encoding: gzip
last-modified: Wed, 17 Jul 2019 11:03:00 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
vary: Accept-Encoding
content-type: text/css
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 1995

GET
H2 200 frontend.min.js Show response
decoded.avast.io/wp-content/plugins/google-analytics-for-wordpress/assets/js/ 9 KB
3 KB 337ms
336ms Script
application/javascript 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-content/plugins/google-analytics-for-wordpress/assets/js/frontend.min.js?ver=7.12.2
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 63a6d926d277a3d64d30e349fa0ea2b0630e9801d173e1947ff3bd6060147ef4

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
content-encoding: gzip
last-modified: Mon, 10 Aug 2020 23:31:20 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
vary: Accept-Encoding
content-type: application/javascript
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 3153

GET
H2 200 jquery.min.js Show response
decoded.avast.io/wp-includes/js/jquery/ 87 KB
38 KB 229ms
228ms Script
application/javascript 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 60240d5a27ede94fd35fea44bd110b88c7d8cfc08127f032d13b0c622b8be827

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
content-encoding: gzip
last-modified: Tue, 08 Dec 2020 23:42:15 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
vary: Accept-Encoding
content-type: application/javascript
host-header: d3AuYmx1ZWhvc3QuY29t

GET
H2 200 jquery-migrate.min.js Show response
decoded.avast.io/wp-includes/js/jquery/ 11 KB
5 KB 224ms
224ms Script
application/javascript 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
content-encoding: gzip
last-modified: Tue, 08 Dec 2020 23:42:15 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
vary: Accept-Encoding
content-type: application/javascript
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 4618

GET
H2 200 analytics.js Show response
www.google-analytics.com/ 46 KB
18 KB 10ms
5ms Script
text/javascript 2a00:1450:4001:809::200e
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://www.google-analytics.com/analytics.js

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:809::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

Golfe2 /

Resource Hash

e441c3e2771625ba05630ab464275136a82c99650ee2145ca5aa9853bedeb01b

Security Headers

Name	Value
Strict-Transport-Security	max-age=10886400; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

strict-transport-security: max-age=10886400; includeSubDomains; preload
content-encoding: gzip
x-content-type-options: nosniff
last-modified: Fri, 23 Oct 2020 03:00:57 GMT
server: Golfe2
age: 4530
date: Fri, 05 Feb 2021 01:25:07 GMT
vary: Accept-Encoding
content-type: text/javascript
cache-control: public, max-age=7200
cross-origin-resource-policy: cross-origin
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 18817
expires: Fri, 05 Feb 2021 03:25:07 GMT

GET
H2 200 wp-emoji-release.min.js Show response
decoded.avast.io/wp-includes/js/ 14 KB
5 KB 306ms
302ms Script
application/javascript 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-includes/js/wp-emoji-release.min.js?ver=5.6.1
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 0c5f584d1ea2c3313dc8c55824c2a572d3cf2eae87c5ca62a58e598aec9ddb5c

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
content-encoding: gzip
last-modified: Wed, 03 Feb 2021 23:04:33 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
vary: Accept-Encoding
content-type: application/javascript
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 4942

GET
H2 200 Asset-22ldpi.png
decoded.avast.io/wp-content/uploads/sites/2/2019/06/ 3 KB
3 KB 166ms
162ms Image
image/png 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://decoded.avast.io/wp-content/uploads/sites/2/2019/06/Asset-22ldpi.png
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 250fd3e1a88e39683d7798ac68311b15d4dd859903bc8faec08c37c0142f2c72

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Thu, 27 Jun 2019 10:05:00 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
content-type: image/png
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 3109

GET
H2 200 DErNJa7s3X7-EUGOvCPpQEsJkAFH3KdRvBFxQiWH37NiSAKIUFvxmKssQ6m0i5zTskNWTeV8pfeCj7secZzSG2uckKlFTISyB4r1PwuDMYvf5CkgITiXM_V2UR3QYIZsSElCeuDm
lh5.googleusercontent.com/ 339 KB
340 KB 34ms
7ms Image
image/png 2a00:1450:4001:802::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh5.googleusercontent.com/DErNJa7s3X7-EUGOvCPpQEsJkAFH3KdRvBFxQiWH37NiSAKIUFvxmKssQ6m0i5zTskNWTeV8pfeCj7secZzSG2uckKlFTISyB4r1PwuDMYvf5CkgITiXM_V2UR3QYIZsSElCeuDm

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:802::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

ed8e0098447f3d460099e1227847a7dc9b03c67cb72b8dbda8d787bc83268134

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:37:09 GMT
x-content-type-options: nosniff
age: 208
content-disposition: inline;filename="downloader_insta_chrome_store.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 347386
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Tue, 02 Feb 2021 16:50:50 GMT

GET
H2 200 plYZi8H7ohhbAAGn3HoHfsRhaKu0FOSM27Fk6aINue25-LuOKNcgZHVJBIEY8-YtNffVboZryyjaWPgSQqa7HdiL5QBnjdulWfjr30YwBNTzaI8bBoaRSZiFyDpVWMF10DOf6mnI
lh4.googleusercontent.com/ 12 KB
12 KB 33ms
7ms Image
image/png 2a00:1450:4001:80e::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh4.googleusercontent.com/plYZi8H7ohhbAAGn3HoHfsRhaKu0FOSM27Fk6aINue25-LuOKNcgZHVJBIEY8-YtNffVboZryyjaWPgSQqa7HdiL5QBnjdulWfjr30YwBNTzaI8bBoaRSZiFyDpVWMF10DOf6mnI

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:80e::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

95337df4448d72e82a54aaea61aa6e21aa0a1816e4abf7604d8810ec08afeac6

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 01:05:37 GMT
x-content-type-options: nosniff
age: 5700
content-disposition: inline;filename="pasted image 0.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 12267
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Thu, 04 Feb 2021 10:51:14 GMT

GET
H2 200 GXlvV4yTGeWbiZn6q7WjmNOfxq-jQx8pYbqFCwcgLU8Li3I_i8_YQ7C-QXdSMBm03-LaGuk-ZhkVbn15nD0UZ2a7BFYaSdFAIsXPTbGmn4rFZRXpgDn3cyBZBwS8oVq07i6NnetY
lh6.googleusercontent.com/ 16 KB
16 KB 195ms
169ms Image
image/png 2a00:1450:4001:802::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh6.googleusercontent.com/GXlvV4yTGeWbiZn6q7WjmNOfxq-jQx8pYbqFCwcgLU8Li3I_i8_YQ7C-QXdSMBm03-LaGuk-ZhkVbn15nD0UZ2a7BFYaSdFAIsXPTbGmn4rFZRXpgDn3cyBZBwS8oVq07i6NnetY

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:802::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

92f5ca85c4e433e3ac80917a44f2a2e111985bdd24e530d19e10d104e89ca058

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
x-content-type-options: nosniff
age: 0
content-disposition: inline;filename="pasted image 0.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 16662
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Tue, 02 Feb 2021 16:50:50 GMT

GET
H2 200 tflzmxXmCyqagTiUbTkHb7DfNI4It30R0hHDVjZh7WeAiV-bl4f6ve33LXphmm84N9kO_epPU1iIhI2S0vE6powG9jB5ufNMJ1ima-gEKgVyZx-_8RbfQyzCXaiPExZqMsDfpO-i
lh6.googleusercontent.com/ 5 KB
5 KB 195ms
169ms Image
image/png 2a00:1450:4001:802::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh6.googleusercontent.com/tflzmxXmCyqagTiUbTkHb7DfNI4It30R0hHDVjZh7WeAiV-bl4f6ve33LXphmm84N9kO_epPU1iIhI2S0vE6powG9jB5ufNMJ1ima-gEKgVyZx-_8RbfQyzCXaiPExZqMsDfpO-i

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:802::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

bcd71142a0bc7b77d30d5fd8ac2cdd792c7fa7c6de5c60570c2af3159766f2ed

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
x-content-type-options: nosniff
age: 0
content-disposition: inline;filename="background.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 5101
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Tue, 02 Feb 2021 16:50:50 GMT

GET
H2 200 kB_RAWUKhE4467ei82a1zl_u6pXyfB5eEtzfXI_kjFMKqXSWGjk9VHbNsndNB-EesAb3yZAUFy7nGr4jQPK3Ok7BTwm9Iih-eGXzFqVV7gBiPxdBb2ZSzNAlxjzFviBWDSJOAht3
lh6.googleusercontent.com/ 12 KB
12 KB 192ms
166ms Image
image/png 2a00:1450:4001:802::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh6.googleusercontent.com/kB_RAWUKhE4467ei82a1zl_u6pXyfB5eEtzfXI_kjFMKqXSWGjk9VHbNsndNB-EesAb3yZAUFy7nGr4jQPK3Ok7BTwm9Iih-eGXzFqVV7gBiPxdBb2ZSzNAlxjzFviBWDSJOAht3

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:802::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

66464916f13dc9f2fd1d8d67d21fb76c73c817590a3410aef74183af4a1f3d74

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
x-content-type-options: nosniff
age: 0
content-disposition: inline;filename="save_response_header.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 12581
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Tue, 02 Feb 2021 16:50:50 GMT

GET
H2 200 TeINLg0HORJ_P0DDJbaEsBs_cz5hA2fDGSSb6orJ76THL7JKjxYj1UOj-Atkn89kjg1Zfmk6tQTL-LzlneXJh4Kj1MizzyCDh66jonO8tMc3EL-sNA3dNyBLmcNTbNEOPxAumWKi
lh3.googleusercontent.com/ 4 KB
5 KB 32ms
6ms Image
image/png 2a00:1450:4001:80e::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh3.googleusercontent.com/TeINLg0HORJ_P0DDJbaEsBs_cz5hA2fDGSSb6orJ76THL7JKjxYj1UOj-Atkn89kjg1Zfmk6tQTL-LzlneXJh4Kj1MizzyCDh66jonO8tMc3EL-sNA3dNyBLmcNTbNEOPxAumWKi

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:80e::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

d65471c31e8caeb4d5287d7f9774a912305a42f563a48eb706a7f15441aad4e7

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 01:48:02 GMT
x-content-type-options: nosniff
age: 3155
content-disposition: inline;filename="parseRelative.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 4360
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Fri, 05 Feb 2021 13:04:51 GMT

GET
H2 200 goWFLSGQb0chknR4jrq9RWhhwgku6ms3lXOQy7Ix-n7YM9WsmAzRZ4OonUGJV6Pm6pmt_NHOYeSKEDdyuYt029lAhBsR6fy3VNkgJu0UU25TSAnMZpAAOpmuVfPsRzkfySTLJSI3
lh3.googleusercontent.com/ 70 KB
70 KB 38ms
12ms Image
image/png 2a00:1450:4001:80e::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh3.googleusercontent.com/goWFLSGQb0chknR4jrq9RWhhwgku6ms3lXOQy7Ix-n7YM9WsmAzRZ4OonUGJV6Pm6pmt_NHOYeSKEDdyuYt029lAhBsR6fy3VNkgJu0UU25TSAnMZpAAOpmuVfPsRzkfySTLJSI3

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:80e::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

a2ab360fc05d0c105de412a3a5567b5a0088e240e9eeb7d61cd564ab232519fa

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 01:48:02 GMT
x-content-type-options: nosniff
age: 3155
content-disposition: inline;filename="pasted image 0.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 71710
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Thu, 04 Feb 2021 10:50:40 GMT

GET
H2 200 ght_jCWk0nzs16njkDqf6SCrXlE7Va4Y_BLXzs8w8lgJXRnxFDgZa60VirwgiZ421w7dZwBnQAw-jOAvvy8A_PAborsR8hTg5fmWhtTFHK2PVDHWFF58lDRprGqhnYzibiN2FV_4
lh6.googleusercontent.com/ 103 KB
104 KB 179ms
153ms Image
image/png 2a00:1450:4001:802::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh6.googleusercontent.com/ght_jCWk0nzs16njkDqf6SCrXlE7Va4Y_BLXzs8w8lgJXRnxFDgZa60VirwgiZ421w7dZwBnQAw-jOAvvy8A_PAborsR8hTg5fmWhtTFHK2PVDHWFF58lDRprGqhnYzibiN2FV_4

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:802::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

98e2f58cdaab41b2d1ce2ee9dfd2c0d1ad164d3b5279d5d09cb17a073fb4e69a

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
x-content-type-options: nosniff
age: 0
content-disposition: inline;filename="pasted image 0.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 105630
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Tue, 02 Feb 2021 16:50:50 GMT

GET
H2 200 evazuvvQ91jdK50XsV34gbeOAkRH_vJz6mptWRlJtBgQQbyK-JOEPrAsshMkMLZdHcxZUJORtwLANqhWO1e6W_QLMx1K2e5JNi6rg9zDYr2n7IK_beX5bKLYfJDobQyfe2hy9o7G
lh3.googleusercontent.com/ 26 KB
26 KB 32ms
6ms Image
image/png 2a00:1450:4001:80e::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh3.googleusercontent.com/evazuvvQ91jdK50XsV34gbeOAkRH_vJz6mptWRlJtBgQQbyK-JOEPrAsshMkMLZdHcxZUJORtwLANqhWO1e6W_QLMx1K2e5JNi6rg9zDYr2n7IK_beX5bKLYfJDobQyfe2hy9o7G

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:80e::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

f107a7be39f5a215fdd3dbfe36289ccee6193ce73a34b2b4e56f6ecd8be5df74

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 01:48:02 GMT
x-content-type-options: nosniff
age: 3155
content-disposition: inline;filename="cache-control.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 26867
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Fri, 05 Feb 2021 13:04:50 GMT

GET
H2 200 HzpS4w4egO3t741XBG4cHz2MsUZa1l9Yd9Bb6BzhxWHUPRipYkbOSypucgSWLsxyZS3zIYzvR2B8j1SqTxuhomnxtLP9F7Jx7WzHRUNnD-5OaK4gl5yuKwojg7cJXv7zfip0vmsT
lh4.googleusercontent.com/ 11 KB
11 KB 21ms
6ms Image
image/png 2a00:1450:4001:80e::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh4.googleusercontent.com/HzpS4w4egO3t741XBG4cHz2MsUZa1l9Yd9Bb6BzhxWHUPRipYkbOSypucgSWLsxyZS3zIYzvR2B8j1SqTxuhomnxtLP9F7Jx7WzHRUNnD-5OaK4gl5yuKwojg7cJXv7zfip0vmsT

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:80e::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

3c3383ded542e7ff677b1c9d41a5d9cb3094190cc8832e291aaf0ceb814d01d6

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 01:48:02 GMT
x-content-type-options: nosniff
age: 3155
content-disposition: inline;filename="download_second_stage.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 10945
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Fri, 05 Feb 2021 13:04:47 GMT

GET
H3-Q050 200 -gEOf_dGK-L6HKG_d7rFlBZXCDY0Rmt0AMKblfH8Xec2D88jtwSMxhKh-mN34uEKxlPWrxrW6SKOdQfx2QE63UTJD93s3gU8_8FrKpGYT4S2mE3pzuzvwJy4wpxWD60KtRliJJVT
lh3.googleusercontent.com/ 123 KB
123 KB 43ms
25ms Image
image/png 2a00:1450:4001:80e::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh3.googleusercontent.com/-gEOf_dGK-L6HKG_d7rFlBZXCDY0Rmt0AMKblfH8Xec2D88jtwSMxhKh-mN34uEKxlPWrxrW6SKOdQfx2QE63UTJD93s3gU8_8FrKpGYT4S2mE3pzuzvwJy4wpxWD60KtRliJJVT

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:80e::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

d2d32eef7bf872390d0d707d663a5587c133798554a67c44b0657c98b3d4223d

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 01:48:02 GMT
x-content-type-options: nosniff
age: 3155
content-disposition: inline;filename="loader.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 126208
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Fri, 05 Feb 2021 13:04:50 GMT

GET
H3-Q050 200 _11iDz1b-uB55rjyAGh-D5xdbO8_J353jQV_ZnSwGZ8IXb7DSfO84IlhtzIbKr8NBg3CjriNT6d3zNoOCtAvBg5qUllmKVuF4PeD68p6s6N6pC3O0J_FUuyA-NRfF5WUGFEjjGlp
lh3.googleusercontent.com/ 13 KB
13 KB 39ms
21ms Image
image/png 2a00:1450:4001:80e::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh3.googleusercontent.com/_11iDz1b-uB55rjyAGh-D5xdbO8_J353jQV_ZnSwGZ8IXb7DSfO84IlhtzIbKr8NBg3CjriNT6d3zNoOCtAvBg5qUllmKVuF4PeD68p6s6N6pC3O0J_FUuyA-NRfF5WUGFEjjGlp

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:80e::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

ba5a75e64ff269dc6a0f95466276cd72eafef68cfc5307f57aac0b9f14b96ec8

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 01:48:02 GMT
x-content-type-options: nosniff
age: 3155
content-disposition: inline;filename="eval_test.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 13571
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Thu, 04 Feb 2021 10:50:40 GMT

GET
H3-Q050 200 VYbAuIksEw2nd9db10dVYiMiWTYC66UQpgT2pQjrg3SJvDJQtyG-BG1UjxnwXzFF5Nc76EoOaEekV2sTEOcCkG2O70lCY7JfhCfcPSDGB-WHcHXjhB2pgcjqaotzZvsO3j2A0fdI
lh6.googleusercontent.com/ 66 KB
66 KB 191ms
174ms Image
image/png 2a00:1450:4001:802::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh6.googleusercontent.com/VYbAuIksEw2nd9db10dVYiMiWTYC66UQpgT2pQjrg3SJvDJQtyG-BG1UjxnwXzFF5Nc76EoOaEekV2sTEOcCkG2O70lCY7JfhCfcPSDGB-WHcHXjhB2pgcjqaotzZvsO3j2A0fdI

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:802::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

6dd2d97780eb18c346cf3d27f7335a0a339078ec6ee80bcaf147f3ae468c1d18

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
x-content-type-options: nosniff
age: 0
content-disposition: inline;filename="check_developer_tools.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 67222
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Tue, 02 Feb 2021 16:50:50 GMT

GET
H3-Q050 200 wICh4v65NBg4V-ATnChC-Uc256GjNy8Ez0GY3sANMlmqdgw5GHpK1zJwRGVgwLilrUf5uTjJDsECoGI04DAlMGRQSghnpUJLbPsygE7RlCNT74BkNV-TzmjB8jdGRTCcQlmaczIr
lh4.googleusercontent.com/ 21 KB
21 KB 40ms
22ms Image
image/png 2a00:1450:4001:80e::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh4.googleusercontent.com/wICh4v65NBg4V-ATnChC-Uc256GjNy8Ez0GY3sANMlmqdgw5GHpK1zJwRGVgwLilrUf5uTjJDsECoGI04DAlMGRQSghnpUJLbPsygE7RlCNT74BkNV-TzmjB8jdGRTCcQlmaczIr

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:80e::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

bad2e3c85c24b8ef48758e8d6a6e473702fdfecbdfe29b99c164cd2a3a084fbd

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 01:05:38 GMT
x-content-type-options: nosniff
age: 5699
content-disposition: inline;filename="installed_extensions_check.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 21321
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Thu, 04 Feb 2021 10:51:14 GMT

GET
H3-Q050 200 o_Vb4plXAJJ1A0tqLzaX3PBRMmhsemCcKNXuyR8Ash95l2gVnOWUQmPY7icQmPDdc76nXWWoWFmBT_xipLh7hbD2A8gOpuqMAcnHPl-201K79BU83PPHw9J0FkRIh-tIRS3r-_Ts
lh5.googleusercontent.com/ 34 KB
34 KB 36ms
18ms Image
image/png 2a00:1450:4001:802::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh5.googleusercontent.com/o_Vb4plXAJJ1A0tqLzaX3PBRMmhsemCcKNXuyR8Ash95l2gVnOWUQmPY7icQmPDdc76nXWWoWFmBT_xipLh7hbD2A8gOpuqMAcnHPl-201K79BU83PPHw9J0FkRIh-tIRS3r-_Ts

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:802::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

d8efa11e21cfbf6ef338a05312233f7fa8db8f5965e9bba45bc94cf8cb2ce0fd

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:37:09 GMT
x-content-type-options: nosniff
age: 208
content-disposition: inline;filename="google_regex.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 34329
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Tue, 02 Feb 2021 16:50:50 GMT

GET
H3-Q050 200 ecsugQwqerDpewIgHDJtYUP_BYffc_P22yE6gful5yXvMVJIz174WhMpof0I9qd6H-jyY7-lkjvMIGayAbnk7Yc8K0UP1nhtnDdJePhjZJ4RGxS7a5vpGeV1S0P9Ns5l4EAU46Ld
lh6.googleusercontent.com/ 43 KB
43 KB 189ms
172ms Image
image/png 2a00:1450:4001:802::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh6.googleusercontent.com/ecsugQwqerDpewIgHDJtYUP_BYffc_P22yE6gful5yXvMVJIz174WhMpof0I9qd6H-jyY7-lkjvMIGayAbnk7Yc8K0UP1nhtnDdJePhjZJ4RGxS7a5vpGeV1S0P9Ns5l4EAU46Ld

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:802::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

75667b11418c93561648fdc58a3c80ccc3e3335eeafe46d07b0d8eef203e8f06

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
x-content-type-options: nosniff
age: 0
content-disposition: inline;filename="pasted image 0.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 43571
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Tue, 02 Feb 2021 16:50:50 GMT

GET
H3-Q050 200 cJrw_RRfcPAZh8SDDdOm2_ULyeUfmiEdjpMtB7RY24UtMinUQm7AkUGOGFrv8TuOSTFoo11c9BWdKXAfH2RjdKPPx_L1iLcgDVXVdsTR9asMVowdS6Am6qv0rfWec15-PhZDwGz0
lh4.googleusercontent.com/ 17 KB
17 KB 36ms
19ms Image
image/png 2a00:1450:4001:80e::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh4.googleusercontent.com/cJrw_RRfcPAZh8SDDdOm2_ULyeUfmiEdjpMtB7RY24UtMinUQm7AkUGOGFrv8TuOSTFoo11c9BWdKXAfH2RjdKPPx_L1iLcgDVXVdsTR9asMVowdS6Am6qv0rfWec15-PhZDwGz0

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:80e::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

4e29164719d2257e6169e16a7e8038b2d7b4b3140904cb59fbd9742fc486926e

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 01:48:02 GMT
x-content-type-options: nosniff
age: 3155
content-disposition: inline;filename="pasted image 0.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 16932
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Fri, 05 Feb 2021 13:04:47 GMT

GET
H3-Q050 200 zyYsVbIxbi0dU54qy64hmgkqIVdk_mm7bSe0DC-RihpNWnbm6bFexD6q8dP88W3rxp2aPe3k3y_W9NVMPWIQXtntzpKlodLB-7tO6pGnhBzG-M5k-4gz2sEX_RF0Id6Uizb-TUKj
lh5.googleusercontent.com/ 10 KB
10 KB 35ms
17ms Image
image/png 2a00:1450:4001:802::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh5.googleusercontent.com/zyYsVbIxbi0dU54qy64hmgkqIVdk_mm7bSe0DC-RihpNWnbm6bFexD6q8dP88W3rxp2aPe3k3y_W9NVMPWIQXtntzpKlodLB-7tO6pGnhBzG-M5k-4gz2sEX_RF0Id6Uizb-TUKj

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:802::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

ed5386ed9da0b814dff0367d4711ecae9333b31e6d954dc72c2e661f21810536

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:37:09 GMT
x-content-type-options: nosniff
age: 208
content-disposition: inline;filename="register_onclick.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 9771
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Tue, 02 Feb 2021 16:50:50 GMT

GET
H3-Q050 200 w-fi7vhBAwGm3gIsa_t2CDRW5Yfap0QQ8OKTzDS81Yg58xrQYieL7LU8AFyxOLeJy-kRhsuM9QX2p4mhAHc7LaskudZZbgWm2WNSZ4kFYDcPAVYnI65Xb5q3B6bU9mdSpgX-spFB
lh6.googleusercontent.com/ 30 KB
30 KB 210ms
193ms Image
image/png 2a00:1450:4001:802::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh6.googleusercontent.com/w-fi7vhBAwGm3gIsa_t2CDRW5Yfap0QQ8OKTzDS81Yg58xrQYieL7LU8AFyxOLeJy-kRhsuM9QX2p4mhAHc7LaskudZZbgWm2WNSZ4kFYDcPAVYnI65Xb5q3B6bU9mdSpgX-spFB

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:802::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

89a3c9dd3ebcbb8caba54170a9d5ef8f737d4bd7f12c0916145f7b90af0fc6e4

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
x-content-type-options: nosniff
age: 0
content-disposition: inline;filename="hijack_click.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 30910
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Tue, 02 Feb 2021 16:50:50 GMT

GET
H3-Q050 200 4nFyFiE-hc3_8zqXdCo9qbDUkR1E2aFHSVcfk_KrkJiKWgJeJMesrq8gOrj4xgeYsrxgTzNYQzGApdEQyO9GwbGtK8rPi61lC-xeVo4hxgTwzpmKeHpSWap4PHgsbPenze5qSzVx
lh6.googleusercontent.com/ 19 KB
19 KB 190ms
176ms Image
image/png 2a00:1450:4001:802::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh6.googleusercontent.com/4nFyFiE-hc3_8zqXdCo9qbDUkR1E2aFHSVcfk_KrkJiKWgJeJMesrq8gOrj4xgeYsrxgTzNYQzGApdEQyO9GwbGtK8rPi61lC-xeVo4hxgTwzpmKeHpSWap4PHgsbPenze5qSzVx

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:802::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

bdc2b14b90b38a55d8d30e42330830d6e0f773d8652d0c9c0f32c5123ef4321d

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
x-content-type-options: nosniff
age: 0
content-disposition: inline;filename="google_get_search_query.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 19166
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Tue, 02 Feb 2021 16:50:50 GMT

GET
H3-Q050 200 pQTaHJQVg0ms71T_6Vv9FVCLHR-F870KnWjYtIYpnBtOh_z6GJNXWqtuivWxvRvhw69pVt-mARilnS7sAnyQnf0RUf-UBxxeZtEjgn0tlfLB7ulmvTQ3SWieiV3RJT2BUjeHC_FV
lh3.googleusercontent.com/ 18 KB
18 KB 36ms
19ms Image
image/png 2a00:1450:4001:80e::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh3.googleusercontent.com/pQTaHJQVg0ms71T_6Vv9FVCLHR-F870KnWjYtIYpnBtOh_z6GJNXWqtuivWxvRvhw69pVt-mARilnS7sAnyQnf0RUf-UBxxeZtEjgn0tlfLB7ulmvTQ3SWieiV3RJT2BUjeHC_FV

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:80e::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

2ae69c420ddbdf666d6307b0235d73f1caca7659250d0758971b08300232f4f6

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 01:48:02 GMT
x-content-type-options: nosniff
age: 3155
content-disposition: inline;filename="google_get_search_results.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 17929
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Fri, 05 Feb 2021 13:04:50 GMT

GET
H3-Q050 200 BppKg-vit4wou9oOyBOs8didbf_LJFGSnllsQ_1CnzH7q6NzKDi8pbWmDh58vf0FQZ4LvEgc_2NPgxezWijZtYrAu4xz9MScXiFZA3hP2Ba18IIQ1DRMrkilke-AEXArZnQbOQGR
lh6.googleusercontent.com/ 17 KB
17 KB 185ms
168ms Image
image/png 2a00:1450:4001:802::2001
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://lh6.googleusercontent.com/BppKg-vit4wou9oOyBOs8didbf_LJFGSnllsQ_1CnzH7q6NzKDi8pbWmDh58vf0FQZ4LvEgc_2NPgxezWijZtYrAu4xz9MScXiFZA3hP2Ba18IIQ1DRMrkilke-AEXArZnQbOQGR

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:802::2001 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

fife /

Resource Hash

0daf23eda42bad253bef1356e28e1561ae3bf8183889846b579eb8d77574a5dd

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
x-content-type-options: nosniff
age: 0
content-disposition: inline;filename="logo_search.png"
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 17062
x-xss-protection: 0
server: fife
etag: "v1"
vary: Origin
content-type: image/png
access-control-allow-origin: *
access-control-expose-headers: Content-Length
cache-control: public, max-age=86400, no-transform
timing-allow-origin: *
expires: Tue, 02 Feb 2021 16:50:50 GMT

GET
H2 200 imagesloaded.min.js Show response
decoded.avast.io/wp-includes/js/ 5 KB
2 KB 180ms
180ms Script
application/javascript 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-includes/js/imagesloaded.min.js?ver=4.1.4
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: ff4bd34aa98a0214833619d3d751838db015722dfbbec15cd14dadc66cd67869

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
content-encoding: gzip
last-modified: Tue, 11 Aug 2020 23:34:35 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
vary: Accept-Encoding
content-type: application/javascript
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 2103

GET
H2 200 masonry.min.js Show response
decoded.avast.io/wp-includes/js/ 24 KB
9 KB 184ms
184ms Script
application/javascript 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-includes/js/masonry.min.js?ver=4.2.2
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: e00add38134eac2fb8e8e9c09cbfff7bbe57952b210322eb2eecb0a21fc055eb

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
content-encoding: gzip
last-modified: Tue, 11 Aug 2020 23:34:35 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
vary: Accept-Encoding
content-type: application/javascript
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 9216

GET
H2 200 jquery.masonry.min.js Show response
decoded.avast.io/wp-includes/js/jquery/ 2 KB
781 B 182ms
177ms Script
application/javascript 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-includes/js/jquery/jquery.masonry.min.js?ver=3.1.2b
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: c2e606e1fc82ea3a554aad5d0520e25d2677b89a891dc5c49e7ace08fce92e25

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
content-encoding: gzip
last-modified: Mon, 24 Jun 2019 11:02:11 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
vary: Accept-Encoding
content-type: application/javascript
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 724

GET
H2 200 min.js Show response
decoded.avast.io/wp-content/themes/johannes/assets/js/ 112 KB
45 KB 204ms
199ms Script
application/javascript 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-content/themes/johannes/assets/js/min.js?ver=1.1.3
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 5f730e0adb0db34601edf0b7449dae5bcd766311ca1aadf57d58126c554fe2ef

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
content-encoding: gzip
last-modified: Mon, 24 Jun 2019 11:21:52 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
vary: Accept-Encoding
content-type: application/javascript
host-header: d3AuYmx1ZWhvc3QuY29t

GET
H2 200 main.js Show response
decoded.avast.io/wp-content/plugins/meks-easy-social-share/assets/js/ 551 B
357 B 203ms
198ms Script
application/javascript 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-content/plugins/meks-easy-social-share/assets/js/main.js?ver=1.2.1
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 8efd7ef0887f8d97df1f68248a4d6f603ab11021a0f683e61584227ee7a71909

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
content-encoding: gzip
last-modified: Wed, 17 Jul 2019 11:03:00 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
vary: Accept-Encoding
content-type: application/javascript
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 323

GET
H2 200 new-tab.js Show response
decoded.avast.io/wp-content/plugins/page-links-to/dist/ 24 KB
10 KB 205ms
200ms Script
application/javascript 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-content/plugins/page-links-to/dist/new-tab.js?ver=3.3.4
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: d455ab882af3a742e6c9680578e6a590681bda99e34847f550f1f41a7d167969

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
content-encoding: gzip
last-modified: Thu, 23 Jul 2020 11:04:52 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
vary: Accept-Encoding
content-type: application/javascript
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 10524

GET
H2 200 wp-embed.min.js Show response
decoded.avast.io/wp-includes/js/ 1 KB
834 B 203ms
199ms Script
application/javascript 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-includes/js/wp-embed.min.js?ver=5.6.1
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 5be614bce53f767993a5f5f14a6badd6aae6bf3af7cbdbf4d31520de49e27991

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
content-encoding: gzip
last-modified: Wed, 03 Feb 2021 23:04:33 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
vary: Accept-Encoding
content-type: application/javascript
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 777

GET
H2 200 7Auwp_0qiz-afTLGLQjUwkQ.woff2
fonts.gstatic.com/s/muli/v22/ 24 KB
24 KB 6ms
6ms Font
font/woff2 2a00:1450:4001:828::2003
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://fonts.gstatic.com/s/muli/v22/7Auwp_0qiz-afTLGLQjUwkQ.woff2

Requested by

Host: fonts.googleapis.com
URL: https://fonts.googleapis.com/css?family=Muli%3Aregular%2C900%2C700&ver=1.1.3

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:4001:828::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

sffe /

Resource Hash

8a71c8749cc0bb450f96766d4cab3b2b9c4d5a9b30c3683f3a5863d8d2ed9c9a

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Origin: https://decoded.avast.io
Referer: https://fonts.googleapis.com/css?family=Muli%3Aregular%2C900%2C700&ver=1.1.3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Mon, 01 Feb 2021 16:20:30 GMT
x-content-type-options: nosniff
last-modified: Wed, 15 Jul 2020 20:49:47 GMT
server: sffe
age: 296407
content-type: font/woff2
access-control-allow-origin: *
cache-control: public, max-age=31536000
accept-ranges: bytes
timing-allow-origin: *
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 24884
x-xss-protection: 0
expires: Tue, 01 Feb 2022 16:20:30 GMT

GET
H2 200 fontawesome-webfont.woff2
decoded.avast.io/wp-content/themes/johannes/assets/fonts/ 75 KB
76 KB 258ms
255ms Font
font/woff2 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-content/themes/johannes/assets/fonts/fontawesome-webfont.woff2?v=4.7.0
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/wp-content/themes/johannes/assets/css/min.css?ver=1.1.3
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe

Request headers

Origin: https://decoded.avast.io
Referer: https://decoded.avast.io/wp-content/themes/johannes/assets/css/min.css?ver=1.1.3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Mon, 24 Jun 2019 11:19:38 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
content-type: font/woff2
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 77160

GET
H2 200 johannes-font.ttf
decoded.avast.io/wp-content/themes/johannes/assets/fonts/ 3 KB
3 KB 281ms
278ms Font
font/ttf 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-content/themes/johannes/assets/fonts/johannes-font.ttf?
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/wp-content/themes/johannes/assets/css/min.css?ver=1.1.3
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 6e1ba7b6b625d488b2be3593d5ec5c3fca1fc192e9b3475573bf75af25b4cde9

Request headers

Origin: https://decoded.avast.io
Referer: https://decoded.avast.io/wp-content/themes/johannes/assets/css/min.css?ver=1.1.3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Mon, 24 Jun 2019 11:19:40 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
content-type: font/ttf
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 2952

GET
H2 200 socicon.woff
decoded.avast.io/wp-content/plugins/meks-easy-social-share/assets/fonts/ 98 KB
99 KB 161ms
160ms Font
font/woff 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to

Full URL: https://decoded.avast.io/wp-content/plugins/meks-easy-social-share/assets/fonts/socicon.woff
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/wp-content/plugins/meks-easy-social-share/assets/css/main.css?ver=1.2.1
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 48c273dcbed09b6b87f9365f2f141063f5c859476b53913d94fca1befe90aa0c

Request headers

Origin: https://decoded.avast.io
Referer: https://decoded.avast.io/wp-content/plugins/meks-easy-social-share/assets/css/main.css?ver=1.2.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Wed, 17 Jul 2019 11:03:00 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
content-type: font/woff
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 100756

GET
H3-Q050 200 7Auwp_0qiz-afTzGLQjUwkQ1OQ.woff2
fonts.gstatic.com/s/muli/v22/ 22 KB
22 KB 34ms
21ms Font
font/woff2 2a00:1450:4001:828::2003
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://fonts.gstatic.com/s/muli/v22/7Auwp_0qiz-afTzGLQjUwkQ1OQ.woff2

Requested by

Host: fonts.googleapis.com
URL: https://fonts.googleapis.com/css?family=Muli%3Aregular%2C900%2C700&ver=1.1.3

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:828::2003 Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

sffe /

Resource Hash

ea276ad4b08f0ae806922c7d753177df1e11fcd0e924f1ef34e01593fbd0868d

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Origin: https://decoded.avast.io
Referer: https://fonts.googleapis.com/css?family=Muli%3Aregular%2C900%2C700&ver=1.1.3
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Mon, 01 Feb 2021 13:34:13 GMT
x-content-type-options: nosniff
last-modified: Wed, 15 Jul 2020 20:54:22 GMT
server: sffe
age: 306384
content-type: font/woff2
access-control-allow-origin: *
cache-control: public, max-age=31536000
accept-ranges: bytes
timing-allow-origin: *
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 22240
x-xss-protection: 0
expires: Tue, 01 Feb 2022 13:34:13 GMT

GET
H2 200 shutterstock_1187571748_edited-1536x675.jpg
decoded.avast.io/wp-content/uploads/sites/2/2021/02/ 304 KB
306 KB 237ms
236ms Image
image/jpeg 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://decoded.avast.io/wp-content/uploads/sites/2/2021/02/shutterstock_1187571748_edited-1536x675.jpg
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 52c497ddef9c8eda6f5eaf39ddf73cb6d189130c4bb7974635bbdf1a0203f850

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Tue, 02 Feb 2021 11:40:17 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
content-type: image/jpeg
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 311074

GET
H2 200 CacheFlow-diagram-1024x497.jpg
decoded.avast.io/wp-content/uploads/sites/2/2021/02/ 80 KB
81 KB 163ms
161ms Image
image/jpeg 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://decoded.avast.io/wp-content/uploads/sites/2/2021/02/CacheFlow-diagram-1024x497.jpg
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 6d5e4993703065f814eac79a199ca5120d30e3ed5e114817652cbbe5c0428e91

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Tue, 02 Feb 2021 12:36:14 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
content-type: image/jpeg
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 81869

GET
H2 200 map_VDF-not-from-tagger_31_2020-11-17_2021-01-31_guid-1024x639.png
decoded.avast.io/wp-content/uploads/sites/2/2021/02/ 184 KB
185 KB 172ms
172ms Image
image/png 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://decoded.avast.io/wp-content/uploads/sites/2/2021/02/map_VDF-not-from-tagger_31_2020-11-17_2021-01-31_guid-1024x639.png
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: b6601e9e115be36a908049c10a1cae5a09120aaa7e7decb4321d3a0771ad9ea3

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Tue, 02 Feb 2021 15:59:16 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
content-type: image/png
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 188044

GET
H2 200 store_review_2017.png
decoded.avast.io/wp-content/uploads/sites/2/2021/02/ 22 KB
22 KB 219ms
219ms Image
image/png 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://decoded.avast.io/wp-content/uploads/sites/2/2021/02/store_review_2017.png
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 1f582280150fac6d47e77700cad17e21543557e4e805c6bd0ed9a978d1576753

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Mon, 01 Feb 2021 16:51:13 GMT
server: nginx/1.19.5
accept-ranges: bytes
x-server-cache: false
content-type: image/png
host-header: d3AuYmx1ZWhvc3QuY29t
content-length: 22305

GET
H3-Q050 200 linkid.js Show response
www.google-analytics.com/plugins/ua/ 2 KB
1 KB 34ms
20ms Script
text/javascript 2a00:1450:4001:809::200e
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://www.google-analytics.com/plugins/ua/linkid.js

Requested by

Host: www.google-analytics.com
URL: https://www.google-analytics.com/analytics.js

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:809::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

sffe /

Resource Hash

92fca55833f48b4289ac8f1cedd48752b580fce4ec4b5d81670b8193d6e51b54

Security Headers

Name	Value
X-Content-Type-Options	nosniff
X-Xss-Protection	0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 01:45:17 GMT
content-encoding: gzip
x-content-type-options: nosniff
last-modified: Tue, 22 Oct 2019 18:15:00 GMT
server: sffe
age: 3320
vary: Accept-Encoding
content-type: text/javascript
cache-control: public, max-age=3600
cross-origin-resource-policy: cross-origin
accept-ranges: bytes
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 859
x-xss-protection: 0
expires: Fri, 05 Feb 2021 02:45:17 GMT

POST
H2 200 collect Show response
stats.g.doubleclick.net/j/ 1 B
87 B 16ms
15ms XHR
text/plain 2a00:1450:400c:c00::9c
GOOGLE

General

Check archive.org

Show headers Download Go to

Full URL

https://stats.g.doubleclick.net/j/collect?t=dc&aip=1&_r=3&v=1&_v=j87&tid=UA-143774004-1&cid=1089420940.1612492838&jid=809449191&gjid=1397265593&_gid=1924233635.1612492838&_u=aGBAgUAjCAAAAE~&z=1026174908

Requested by

Host: www.google-analytics.com
URL: https://www.google-analytics.com/analytics.js

Protocol

Security

TLS 1.3, , AES_128_GCM

Server

2a00:1450:400c:c00::9c Brussels, Belgium, ASN15169 (GOOGLE, US),

Reverse DNS

Software

Golfe2 /

Resource Hash

6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

Security Headers

Name	Value
Strict-Transport-Security	max-age=10886400; includeSubDomains; preload
X-Content-Type-Options	nosniff

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Content-Type: text/plain

Response headers

pragma: no-cache
strict-transport-security: max-age=10886400; includeSubDomains; preload
x-content-type-options: nosniff
last-modified: Sun, 17 May 1998 03:00:00 GMT
server: Golfe2
date: Fri, 05 Feb 2021 02:40:37 GMT
content-type: text/plain
access-control-allow-origin: https://decoded.avast.io
cache-control: no-cache, no-store, must-revalidate
access-control-allow-credentials: true
cross-origin-resource-policy: cross-origin
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 1
expires: Fri, 01 Jan 1990 00:00:00 GMT

GET
H3-Q050 200 collect
www.google-analytics.com/ 35 B
190 B 8ms
7ms Image
image/gif 2a00:1450:4001:809::200e
GOOGLE

General

Check archive.org

Show headers Download Go to Show image

Full URL

https://www.google-analytics.com/collect?v=1&_v=j87&a=1067820315&t=pageview&_s=1&dl=https%3A%2F%2Fdecoded.avast.io%2Fjanvojtesek%2Fbackdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests%2F&ul=en-us&de=UTF-8&dt=Backdoored%20Browser%20Extensions%20Hid%20Malicious%20Traffic%20in%20Analytics%20Requests%20-%20Avast%20Threat%20Labs&sd=24-bit&sr=1600x1200&vp=1600x1200&je=0&_u=aGBAgUAjC~&jid=809449191&gjid=1397265593&cid=1089420940.1612492838&tid=UA-143774004-1&_gid=1924233635.1612492838&z=1132954267

Requested by

Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/

Protocol

H3-Q050

Security

QUIC, , AES_128_GCM

Server

2a00:1450:4001:809::200e Frankfurt am Main, Germany, ASN15169 (GOOGLE, US),

Reverse DNS

Software

Golfe2 /

Resource Hash

8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

Security Headers

Name	Value
X-Content-Type-Options	nosniff

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

pragma: no-cache
date: Thu, 04 Feb 2021 15:50:14 GMT
x-content-type-options: nosniff
last-modified: Sun, 17 May 1998 03:00:00 GMT
server: Golfe2
age: 39023
content-type: image/gif
access-control-allow-origin: *
cache-control: no-cache, no-store, must-revalidate
cross-origin-resource-policy: cross-origin
alt-svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
content-length: 35
expires: Mon, 01 Jan 1990 00:00:00 GMT

GET
H2 200 initAjax.png
decoded.avast.io/wp-content/uploads/sites/2/2021/02/ 33 KB
33 KB 159ms
157ms Image
image/png 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://decoded.avast.io/wp-content/uploads/sites/2/2021/02/initAjax.png
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/wp-includes/js/imagesloaded.min.js?ver=4.1.4
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: a64f202c9472074852a4f9fc71c4c276f03e6fe6c09b7f47d7bba4210c5c1ad5

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Tue, 02 Feb 2021 13:20:26 GMT
server: nginx/1.19.5
host-header: d3AuYmx1ZWhvc3QuY29t
x-server-cache: true
content-type: image/png
accept-ranges: bytes
content-length: 34189
x-proxy-cache: HIT

GET
H2 200 json_command-1.png
decoded.avast.io/wp-content/uploads/sites/2/2021/02/ 8 KB
8 KB 156ms
153ms Image
image/png 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://decoded.avast.io/wp-content/uploads/sites/2/2021/02/json_command-1.png
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/wp-includes/js/imagesloaded.min.js?ver=4.1.4
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 6a93acd78d637d0ce4cf1e4618a6582dbd3c2a113e8ccb112c71961a52ac8987

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Tue, 02 Feb 2021 11:52:56 GMT
server: nginx/1.19.5
host-header: d3AuYmx1ZWhvc3QuY29t
x-server-cache: true
content-type: image/png
accept-ranges: bytes
content-length: 8549
x-proxy-cache: HIT

GET
H2 200 execute_second_stage.png
decoded.avast.io/wp-content/uploads/sites/2/2021/02/ 11 KB
11 KB 169ms
166ms Image
image/png 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://decoded.avast.io/wp-content/uploads/sites/2/2021/02/execute_second_stage.png
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/wp-includes/js/imagesloaded.min.js?ver=4.1.4
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 814ebff3f49f4979142b736c4060d0cd251d6e7a7de209317d39c99874a9b9cd

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Tue, 02 Feb 2021 11:54:12 GMT
server: nginx/1.19.5
host-header: d3AuYmx1ZWhvc3QuY29t
x-server-cache: true
content-type: image/png
accept-ranges: bytes
content-length: 10752
x-proxy-cache: HIT

GET
H2 200 fridge_original-1.png
decoded.avast.io/wp-content/uploads/sites/2/2021/02/ 15 KB
15 KB 154ms
152ms Image
image/png 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://decoded.avast.io/wp-content/uploads/sites/2/2021/02/fridge_original-1.png
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/wp-includes/js/imagesloaded.min.js?ver=4.1.4
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 324b0680421ced7e723e44d514fa4b7f2d9376ebb928d603ebff289a2c43c41c

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Tue, 02 Feb 2021 13:05:16 GMT
server: nginx/1.19.5
host-header: d3AuYmx1ZWhvc3QuY29t
x-server-cache: true
content-type: image/png
accept-ranges: bytes
content-length: 15454
x-proxy-cache: HIT

GET
H2 200 fridge_modified-1.png
decoded.avast.io/wp-content/uploads/sites/2/2021/02/ 18 KB
18 KB 158ms
156ms Image
image/png 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://decoded.avast.io/wp-content/uploads/sites/2/2021/02/fridge_modified-1.png
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/wp-includes/js/imagesloaded.min.js?ver=4.1.4
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: f8f170a711e75d51f4cb0b60123932a7ae9cfc15da65b2afef706f1623ec8289

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Tue, 02 Feb 2021 13:05:24 GMT
server: nginx/1.19.5
host-header: d3AuYmx1ZWhvc3QuY29t
x-server-cache: true
content-type: image/png
accept-ranges: bytes
content-length: 18436
x-proxy-cache: HIT

GET
H2 200 taylor-vick-M5tzZtFCOfs-unsplash-540x304.jpg
decoded.avast.io/wp-content/uploads/sites/2/2020/12/ 30 KB
30 KB 159ms
157ms Image
image/jpeg 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://decoded.avast.io/wp-content/uploads/sites/2/2020/12/taylor-vick-M5tzZtFCOfs-unsplash-540x304.jpg
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/wp-includes/js/imagesloaded.min.js?ver=4.1.4
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: 2975ed4a29123eeff588bf199790c8c8d4ec3fa42558144074e847ea7fda3406

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Mon, 07 Dec 2020 15:17:33 GMT
server: nginx/1.19.5
host-header: d3AuYmx1ZWhvc3QuY29t
x-server-cache: true
content-type: image/jpeg
accept-ranges: bytes
content-length: 30758
x-proxy-cache: HIT

GET
H2 200 shutterstock_1673291821_edited-1-540x304.jpg
decoded.avast.io/wp-content/uploads/sites/2/2020/11/ 42 KB
42 KB 176ms
174ms Image
image/jpeg 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://decoded.avast.io/wp-content/uploads/sites/2/2020/11/shutterstock_1673291821_edited-1-540x304.jpg
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/wp-includes/js/imagesloaded.min.js?ver=4.1.4
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: f818ed7a62a1b75d11295c9d0dac2ddae0b5600e29b653f117ff24ade86e8b35

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Thu, 12 Nov 2020 13:15:10 GMT
server: nginx/1.19.5
host-header: d3AuYmx1ZWhvc3QuY29t
x-server-cache: true
content-type: image/jpeg
accept-ranges: bytes
content-length: 42576
x-proxy-cache: HIT

GET
H2 200 shutterstock_1187571748_edited-scaled.jpg
decoded.avast.io/wp-content/uploads/sites/2/2021/02/ 639 KB
639 KB 170ms
168ms Image
image/jpeg 162.241.248.14
UNIFIEDLAYER-AS-1

General

Check archive.org

Show headers Download Go to Show image

Full URL: https://decoded.avast.io/wp-content/uploads/sites/2/2021/02/shutterstock_1187571748_edited-scaled.jpg
Requested by: Host: decoded.avast.io
URL: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
Protocol: H2
Security: TLS 1.3, , AES_256_GCM
Server: 162.241.248.14 Brooklyn, United States, ASN46606 (UNIFIEDLAYER-AS-1, US),
Reverse DNS: wp2.bluehost.com
Software: nginx/1.19.5 /
Resource Hash: ddc522621eb585a52c1a5e838e38515938f2074f2224d8c8b0a45600b429e6c0

Request headers

Referer: https://decoded.avast.io/janvojtesek/backdoored-browser-extensions-hid-malicious-traffic-in-analytics-requests/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36

Response headers

date: Fri, 05 Feb 2021 02:40:37 GMT
last-modified: Tue, 02 Feb 2021 11:40:12 GMT
server: nginx/1.19.5
host-header: d3AuYmx1ZWhvc3QuY29t
x-server-cache: true
content-type: image/jpeg
accept-ranges: bytes
content-length: 653880
x-proxy-cache: HIT

Verdicts & Comments Add Verdict or Comment

47 JavaScript Global Variables

These are the non-standard "global" variables defined on the window object. These can be helpful in identifying possible client-side frameworks and code.

3 Cookies

Cookies are little pieces of information stored in the browser of a user. Whenever a user visits the site again, he will also send his cookie values, thus allowing the website to re-identify him even if he changed locations. This is how permanent logins work.

Domain/Path	Expires	Name / Value
.avast.io/	1970-01-19 15:54:52	Name: _gat Value: 1
.avast.io/	1970-01-19 15:56:19	Name: _gid Value: GA1.2.1924233635.1612492838
.avast.io/	1970-01-20 09:26:04	Name: _ga Value: GA1.2.1089420940.1612492838

1 Console Messages

A page may trigger messages to the console to be logged. These are often error messages about being unable to load a resource or execute a piece of JavaScript. Sometimes they also provide insight into the technology behind a website.

Source	Level	URL Text
console-api	log	URL: https://decoded.avast.io/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2(Line 2) Message: JQMIGRATE: Migrate is installed, version 3.3.2

Indicators

This is a term in the security industry to describe indicators such as IPs, Domains, Hashes, etc. This does not imply that any of these indicate malicious activity.

decoded.avast.io
fonts.googleapis.com
fonts.gstatic.com
lh3.googleusercontent.com
lh4.googleusercontent.com
lh5.googleusercontent.com
lh6.googleusercontent.com
stats.g.doubleclick.net
www.google-analytics.com
162.241.248.14
2a00:1450:4001:802::2001
2a00:1450:4001:809::200e
2a00:1450:4001:80e::2001
2a00:1450:4001:828::2003
2a00:1450:4001:82a::200a
2a00:1450:400c:c00::9c
029e0a2e809fd6b5dbe76abe8b7a74936be306c9a8c27c814c4d44aa54623300
0c5f584d1ea2c3313dc8c55824c2a572d3cf2eae87c5ca62a58e598aec9ddb5c
0daf23eda42bad253bef1356e28e1561ae3bf8183889846b579eb8d77574a5dd
1f582280150fac6d47e77700cad17e21543557e4e805c6bd0ed9a978d1576753
250fd3e1a88e39683d7798ac68311b15d4dd859903bc8faec08c37c0142f2c72
2975ed4a29123eeff588bf199790c8c8d4ec3fa42558144074e847ea7fda3406
2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe
2ae69c420ddbdf666d6307b0235d73f1caca7659250d0758971b08300232f4f6
324b0680421ced7e723e44d514fa4b7f2d9376ebb928d603ebff289a2c43c41c
3bf57d9862cb7c6fc8aa2177bc448b8c12432adc8633a29b199c49bb4d42147b
3c3383ded542e7ff677b1c9d41a5d9cb3094190cc8832e291aaf0ceb814d01d6
48c273dcbed09b6b87f9365f2f141063f5c859476b53913d94fca1befe90aa0c
4e29164719d2257e6169e16a7e8038b2d7b4b3140904cb59fbd9742fc486926e
52c497ddef9c8eda6f5eaf39ddf73cb6d189130c4bb7974635bbdf1a0203f850
5be614bce53f767993a5f5f14a6badd6aae6bf3af7cbdbf4d31520de49e27991
5c2288ca7b324881faae5e368eb4d69457e2784e042e868de335d3827bb90981
5f730e0adb0db34601edf0b7449dae5bcd766311ca1aadf57d58126c554fe2ef
60240d5a27ede94fd35fea44bd110b88c7d8cfc08127f032d13b0c622b8be827
63a6d926d277a3d64d30e349fa0ea2b0630e9801d173e1947ff3bd6060147ef4
66464916f13dc9f2fd1d8d67d21fb76c73c817590a3410aef74183af4a1f3d74
6a93acd78d637d0ce4cf1e4618a6582dbd3c2a113e8ccb112c71961a52ac8987
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
6d5e4993703065f814eac79a199ca5120d30e3ed5e114817652cbbe5c0428e91
6dd2d97780eb18c346cf3d27f7335a0a339078ec6ee80bcaf147f3ae468c1d18
6e1ba7b6b625d488b2be3593d5ec5c3fca1fc192e9b3475573bf75af25b4cde9
75667b11418c93561648fdc58a3c80ccc3e3335eeafe46d07b0d8eef203e8f06
814ebff3f49f4979142b736c4060d0cd251d6e7a7de209317d39c99874a9b9cd
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015
89a3c9dd3ebcbb8caba54170a9d5ef8f737d4bd7f12c0916145f7b90af0fc6e4
8a71c8749cc0bb450f96766d4cab3b2b9c4d5a9b30c3683f3a5863d8d2ed9c9a
8b7f6b3b98d203b064eeb91445b8bfc6f5bec3a2e7b76af8a23a7cb6cd0d8add
8d97a7cf891b0c3f0448f17d5319aa621e66755fe12f23cd10b83830c2ac8a12
8efd7ef0887f8d97df1f68248a4d6f603ab11021a0f683e61584227ee7a71909
92f5ca85c4e433e3ac80917a44f2a2e111985bdd24e530d19e10d104e89ca058
92fca55833f48b4289ac8f1cedd48752b580fce4ec4b5d81670b8193d6e51b54
95337df4448d72e82a54aaea61aa6e21aa0a1816e4abf7604d8810ec08afeac6
98e2f58cdaab41b2d1ce2ee9dfd2c0d1ad164d3b5279d5d09cb17a073fb4e69a
a2ab360fc05d0c105de412a3a5567b5a0088e240e9eeb7d61cd564ab232519fa
a61e94c6cee47c0f689736d8b6d3a8ba98f9501a3e834b2cdedc374e4b88c6cf
a64f202c9472074852a4f9fc71c4c276f03e6fe6c09b7f47d7bba4210c5c1ad5
b6601e9e115be36a908049c10a1cae5a09120aaa7e7decb4321d3a0771ad9ea3
ba5a75e64ff269dc6a0f95466276cd72eafef68cfc5307f57aac0b9f14b96ec8
bad2e3c85c24b8ef48758e8d6a6e473702fdfecbdfe29b99c164cd2a3a084fbd
bcd71142a0bc7b77d30d5fd8ac2cdd792c7fa7c6de5c60570c2af3159766f2ed
bdc2b14b90b38a55d8d30e42330830d6e0f773d8652d0c9c0f32c5123ef4321d
c2e606e1fc82ea3a554aad5d0520e25d2677b89a891dc5c49e7ace08fce92e25
d2d32eef7bf872390d0d707d663a5587c133798554a67c44b0657c98b3d4223d
d455ab882af3a742e6c9680578e6a590681bda99e34847f550f1f41a7d167969
d65471c31e8caeb4d5287d7f9774a912305a42f563a48eb706a7f15441aad4e7
d8efa11e21cfbf6ef338a05312233f7fa8db8f5965e9bba45bc94cf8cb2ce0fd
ddc522621eb585a52c1a5e838e38515938f2074f2224d8c8b0a45600b429e6c0
e00add38134eac2fb8e8e9c09cbfff7bbe57952b210322eb2eecb0a21fc055eb
e441c3e2771625ba05630ab464275136a82c99650ee2145ca5aa9853bedeb01b
ea276ad4b08f0ae806922c7d753177df1e11fcd0e924f1ef34e01593fbd0868d
ed5386ed9da0b814dff0367d4711ecae9333b31e6d954dc72c2e661f21810536
ed8e0098447f3d460099e1227847a7dc9b03c67cb72b8dbda8d787bc83268134
f107a7be39f5a215fdd3dbfe36289ccee6193ce73a34b2b4e56f6ecd8be5df74
f818ed7a62a1b75d11295c9d0dac2ddae0b5600e29b653f117ff24ade86e8b35
f8f170a711e75d51f4cb0b60123932a7ae9cfc15da65b2afef706f1623ec8289
ff4bd34aa98a0214833619d3d751838db015722dfbbec15cd14dadc66cd67869

decoded.avast.io Open in urlscan Pro 162.241.248.14 Public Scan

Summary

urlscan.io Verdict: No classification

Domain & IP information

Screenshot Live screenshot Full Image

Detected technologies

Page Statistics

60 Requests

100 %HTTPS

86 %IPv6

6 Domains

9 Subdomains

7 IPs

3 Countries

2874 kBTransfer

3340 kBSize

3 Cookies

14 Outgoing links

Redirected requests

60 HTTP transactions Everything HTML Script AJAX CSS Image Expand all 0 data transactions

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

Request headers

Response headers

decoded.avast.io Open in urlscan Pro
162.241.248.14 Public Scan

Screenshot
Live screenshot

Full Image

60
Requests

100 %
HTTPS

86 %
IPv6

6
Domains

9
Subdomains

7
IPs

3
Countries

2874 kB
Transfer

3340 kB
Size

3
Cookies

60 HTTP transactions
0 data transactions