Report - helpavast.work.gd

Report Overview

Visitedpublic

2025-08-04 10:49:14

Detections

urlquery

Network Intrusion Detection

Threat Detection Systems

Host Summary

Host	Rank	Registered	First Seen	Last Seen	Sent	Received	IP	Fingerprints
helpavast.work.gd	unknown	2022-06-18	2025-08-04	2025-08-04	3.7 kB	504 kB	94.23.166.45
fonts.gstatic.com	unknown	2008-02-11	2014-04-02	2025-07-30	2.0 kB	61 kB	142.250.74.35

Related reports

Network Intrusion Detection Systems

Suricata /w Emerging Threats Pro

Timestamp	Severity	Source IP	Destination IP	Alert
2025-08-04 10:48:53	medium	Client IP	94.23.166.45	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain
2025-08-04 10:48:53	medium	Client IP	94.23.166.45	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain
2025-08-04 10:48:53	medium	Client IP	94.23.166.45	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain
2025-08-04 10:48:54	medium	Client IP	94.23.166.45	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain
2025-08-04 10:48:54	medium	Client IP	94.23.166.45	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain
2025-08-04 10:48:54	medium	Client IP	94.23.166.45	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain
2025-08-04 10:48:54	medium	Client IP	94.23.166.45	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain
2025-08-04 10:48:55	high	94.23.166.45	Client IP	ETPRO POLICY ScreenConnect Successful Connection Response Inbound
2025-08-04 10:49:04	high	94.23.166.45	Client IP	ETPRO POLICY ScreenConnect Successful Connection Response Inbound
2025-08-04 10:49:05	medium	Client IP	94.23.166.45	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain

Threat Detection Systems

Detection System	Indicator	Verdict	Alert
Quad9 DNS	helpavast.work.gd	malicious	Sinkholed

JavaScript (0)

HTTP Transactions (12)

URL IP Response Size

GET helpavast.work.gd/App_Themes/LightWithRed/Default.css?__Cache=808c2aed-74bd-40fd-a9e5-73fd8ed936e0

94.23.166.45

200 OK

112 kB

URL GET HTTP

helpavast.work.gd/App_Themes/LightWithRed/Default.css?__Cache=808c2aed-74bd-40fd-a9e5-73fd8ed936e0

IP / ASN

94.23.166.45

#16276 OVH SAS

Requested byhttp://helpavast.work.gd/

Resource Information

File typeASCII text, with very long lines (2576), with CRLF line terminators

First Seen2025-08-04

Last Seen2025-08-04

Times Seen1

Size112 kB (112504 bytes)

MD56f2d1366016db2d5ee1d422244cdc839

SHA1a80c6072de9f877d6bcd1b8afec16032058c53ad

SHA2563bd6a98a54cd0055027953cea99d6597b2d614e5930e00c5eaa25baf8eae7196

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed
urlquery	suspicious	Suspicious - DynDNS domain
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain

HTTP Headers

GET /App_Themes/LightWithRed/Default.css?__Cache=808c2aed-74bd-40fd-a9e5-73fd8ed936e0 HTTP/1.1
Host: helpavast.work.gd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://helpavast.work.gd/
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: ScreenConnect/6.3.13446.6374-347839831
Content-Encoding: gzip
Expires: Fri, 31 Dec 9999 22:59:59 GMT
Cache-Control: private, max-age=922337203685
Vary: *;
Content-Type: text/css
Date: Mon, 04 Aug 2025 10:48:53 GMT
Content-Length: 22999
Keep-Alive: timeout=15,max=99

GET helpavast.work.gd/App_Extensions/7a29d07f-a357-4f30-898d-4fa8c80ef76d/ChatStyle.css

94.23.166.45

200 OK

1.2 kB

URL GET HTTP

helpavast.work.gd/App_Extensions/7a29d07f-a357-4f30-898d-4fa8c80ef76d/ChatStyle.css

IP / ASN

94.23.166.45

#16276 OVH SAS

Requested byhttp://helpavast.work.gd/

Resource Information

File typeASCII text

First Seen2025-04-23

Last Seen2025-08-04

Times Seen2

Size1.2 kB (1162 bytes)

MD55fdb0624cd7c9fd403b4878d47c9dabf

SHA11f8557691eb08091859c4f2fa682f22104af5005

SHA256a4150b1229855604197a9b80326e862caef850aec7896869dec58ef05080ec55

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed
urlquery	suspicious	Suspicious - DynDNS domain
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain

HTTP Headers

GET /App_Extensions/7a29d07f-a357-4f30-898d-4fa8c80ef76d/ChatStyle.css HTTP/1.1
Host: helpavast.work.gd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://helpavast.work.gd/
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: ScreenConnect/6.3.13446.6374-347839831
Content-Encoding: gzip
Expires: -1
Pragma: no-cache
Cache-Control: no-cache
Vary: *;
Content-Type: text/css
Date: Mon, 04 Aug 2025 10:48:54 GMT
Content-Length: 486
Keep-Alive: timeout=15,max=99

POST helpavast.work.gd/Services/PageService.ashx/GetGuestSessionInfo

94.23.166.45

200 OK

96 B

URL POST HTTP

helpavast.work.gd/Services/PageService.ashx/GetGuestSessionInfo

IP / ASN

94.23.166.45

#16276 OVH SAS

Requested byhttp://helpavast.work.gd/

Resource Information

File typeJSON text data

First Seen2025-08-04

Last Seen2025-08-04

Times Seen1

Size96 B (96 bytes)

MD57fa066414630de7c0bac0f155691bea5

SHA1c0b0555562ecad4f496646f8bd2f3577fa054644

SHA256ccc70a78b60773361f871fd908208633dd0cfeec2a7e83a7f8662ffc39e2532c

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed
urlquery	suspicious	Suspicious - DynDNS domain
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain

HTTP Headers

POST /Services/PageService.ashx/GetGuestSessionInfo HTTP/1.1
Host: helpavast.work.gd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
X-Unauthorized-Status-Code: 403
Content-Length: 9
Origin: http://helpavast.work.gd
DNT: 1
Connection: keep-alive
Referer: http://helpavast.work.gd/
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: ScreenConnect/6.3.13446.6374-347839831
Access-Control-Allow-Origin: http://helpavast.work.gd
Access-Control-Allow-Credentials: true
Content-Encoding: gzip
Expires: -1
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/json
Date: Mon, 04 Aug 2025 10:48:54 GMT
Content-Length: 100
Keep-Alive: timeout=15,max=98

GET helpavast.work.gd/Images/ActivityIndicator.gif

94.23.166.45

200 OK

32 kB

URL GET HTTP

helpavast.work.gd/Images/ActivityIndicator.gif

IP / ASN

94.23.166.45

#16276 OVH SAS

Requested byhttp://helpavast.work.gd/

Resource Information

File typeGIF image data, version 89a, 128 x 128

First Seen2023-12-06

Last Seen2025-08-04

Times Seen10

Size32 kB (31974 bytes)

MD53218756dd7a4feeb7a9ce32bd0c9c883

SHA19afe162efa7066d5664ad7657cc1717275e9b025

SHA2567eb1e02c31265a73e9230d134b6a7e261bc13c3e4b21b5d54f41a72326c9736b

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed
urlquery	suspicious	Suspicious - DynDNS domain
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain
suricata	high	ETPRO POLICY ScreenConnect Successful Connection Response Inbound

HTTP Headers

GET /Images/ActivityIndicator.gif HTTP/1.1
Host: helpavast.work.gd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://helpavast.work.gd/App_Themes/LightWithRed/Default.css?__Cache=808c2aed-74bd-40fd-a9e5-73fd8ed936e0
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: ScreenConnect/6.3.13446.6374-347839831
Last-Modified: Tue, 03 Apr 2018 13:54:58 GMT
Cache-Control: private
Content-Type: image/gif
Date: Mon, 04 Aug 2025 10:48:54 GMT
Content-Length: 31974
Keep-Alive: timeout=15,max=100

GET fonts.gstatic.com/s/roboto/v15/d-6IYplOFocCacKzxwXSOFtXRa8TVwTICgirnJhmVJw.woff2

142.250.74.35

200 OK

15 kB

URL GET HTTP

fonts.gstatic.com/s/roboto/v15/d-6IYplOFocCacKzxwXSOFtXRa8TVwTICgirnJhmVJw.woff2

IP / ASN

142.250.74.35

#15169 GOOGLE

Requested byhttp://helpavast.work.gd/

Resource Information

File typeWeb Open Font Format (Version 2), TrueType, length 14552, version 2.0

First Seen2023-05-03

Last Seen2025-08-10

Times Seen458

Size15 kB (14552 bytes)

MD50d7e71f2b5cc1ddab837f72e1fe52f3f

SHA1c4344746896e452e5f4ef45781f622836910ae46

SHA256413a32337b13f4db78efa8d6842a3769d28166c156d9d053bf70b472e4a1e41f

HTTP Headers

GET /s/roboto/v15/d-6IYplOFocCacKzxwXSOFtXRa8TVwTICgirnJhmVJw.woff2 HTTP/1.1
Host: fonts.gstatic.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: http://helpavast.work.gd
DNT: 1
Connection: keep-alive
Referer: http://helpavast.work.gd/
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/apps-themes
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="apps-themes"
Report-To: {"group":"apps-themes","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/apps-themes"}]}
Timing-Allow-Origin: *
Content-Length: 14552
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 31 Jul 2025 14:01:28 GMT
Expires: Fri, 31 Jul 2026 14:01:28 GMT
Cache-Control: public, max-age=31536000
Last-Modified: Wed, 14 Jan 2015 22:48:06 GMT
Content-Type: font/woff2
Age: 334047

GET fonts.gstatic.com/s/roboto/v15/CWB0XYA8bzo0kSThX0UTuA.woff2

142.250.74.35

200 OK

15 kB

URL GET HTTP

fonts.gstatic.com/s/roboto/v15/CWB0XYA8bzo0kSThX0UTuA.woff2

IP / ASN

142.250.74.35

#15169 GOOGLE

Requested byhttp://helpavast.work.gd/

Resource Information

File typeWeb Open Font Format (Version 2), TrueType, length 14584, version 2.0

First Seen2023-04-11

Last Seen2025-08-09

Times Seen663

Size15 kB (14584 bytes)

MD57e367be02cd17a96d513ab74846bafb3

SHA11eb572d023f15389ce0aa4bc54fdd28c9f717223

SHA256f7bbc8461b2f4cc870743729ee5d44ce0466ca67618f89a8942b655f8a644e68

HTTP Headers

GET /s/roboto/v15/CWB0XYA8bzo0kSThX0UTuA.woff2 HTTP/1.1
Host: fonts.gstatic.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: http://helpavast.work.gd
DNT: 1
Connection: keep-alive
Referer: http://helpavast.work.gd/
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/apps-themes
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="apps-themes"
Report-To: {"group":"apps-themes","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/apps-themes"}]}
Timing-Allow-Origin: *
Content-Length: 14584
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 31 Jul 2025 10:43:36 GMT
Expires: Fri, 31 Jul 2026 10:43:36 GMT
Cache-Control: public, max-age=31536000
Age: 345919
Last-Modified: Wed, 14 Jan 2015 22:47:37 GMT
Content-Type: font/woff2

GET helpavast.work.gd/

0.0.0.0

0 B

URL User Request GET HTTP

helpavast.work.gd/

IP / ASN

0.0.0.0

Requested byN/A

Resource Information

File typeN/A

First Seen0001-01-01

Last Seen2025-08-11

Times Seen5764519

Size0 B (0 bytes)

MD5d41d8cd98f00b204e9800998ecf8427e

SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed
urlquery	suspicious	Suspicious - DynDNS domain
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain

HTTP Headers

GET / HTTP/1.1
Host: helpavast.work.gd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: keep-alive
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Pragma: no-cache
Cache-Control: no-cache

GET helpavast.work.gd/

94.23.166.45

200 OK

74 kB

URL User Request GET HTTP

helpavast.work.gd/

IP / ASN

94.23.166.45

#16276 OVH SAS

Requested byN/A

Resource Information

File typeJavaScript source, Unicode text, UTF-8 text, with very long lines (606), with CRLF, LF line terminators

First Seen2025-08-04

Last Seen2025-08-04

Times Seen1

Size74 kB (73864 bytes)

MD5a049f1b1d44263f5eaec970106ed0000

SHA14ae05fb24e6b41422f2fbcb05f4141ee1bee2d0c

SHA25622ad578900b475e0b5ac87dd07b93ff25e4ad6b557b9ff701a223c59db709b54

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed
urlquery	suspicious	Suspicious - DynDNS domain
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain

HTTP Headers

GET / HTTP/1.1
Host: helpavast.work.gd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: ScreenConnect/6.3.13446.6374-347839831
P3P: CP="NON CUR OUR STP STA PRE"
Content-Encoding: gzip
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Mon, 04 Aug 2025 10:48:53 GMT
Content-Length: 16702
Keep-Alive: timeout=15,max=100

GET helpavast.work.gd/Script.ashx?__Cache=a655e2ac-2a2d-44f3-95a9-8e209c2bb727

94.23.166.45

200 OK

282 kB

URL GET HTTP

helpavast.work.gd/Script.ashx?__Cache=a655e2ac-2a2d-44f3-95a9-8e209c2bb727

IP / ASN

94.23.166.45

#16276 OVH SAS

Requested byhttp://helpavast.work.gd/

Resource Information

File typeUnicode text, UTF-8 text, with very long lines (43837)

First Seen2025-08-04

Last Seen2025-08-04

Times Seen1

Size282 kB (281930 bytes)

MD53e5171d1de4ef404901ce2a62ae2ab65

SHA19761b9ae28a195f8a603d9a2750c62823db4f223

SHA256788ba71b7fc169905285d639454385cb169be1b895c9914a6e440189849a2d38

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed
urlquery	suspicious	Suspicious - DynDNS domain
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain

HTTP Headers

GET /Script.ashx?__Cache=a655e2ac-2a2d-44f3-95a9-8e209c2bb727 HTTP/1.1
Host: helpavast.work.gd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://helpavast.work.gd/
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: ScreenConnect/6.3.13446.6374-347839831
Content-Encoding: gzip
Cache-Control: private, max-age=922337203685
Vary: *;
Content-Type: text/javascript
Date: Mon, 04 Aug 2025 10:48:53 GMT
Content-Length: 57716
Keep-Alive: timeout=15,max=100

GET fonts.gstatic.com/s/roboto/v15/CWB0XYA8bzo0kSThX0UTuA.woff2

142.250.74.35

200 OK

15 kB

URL GET HTTP

fonts.gstatic.com/s/roboto/v15/CWB0XYA8bzo0kSThX0UTuA.woff2

IP / ASN

142.250.74.35

#15169 GOOGLE

Requested byhttp://helpavast.work.gd/

Resource Information

File typeWeb Open Font Format (Version 2), TrueType, length 14584, version 2.0

First Seen2023-04-11

Last Seen2025-08-09

Times Seen663

Size15 kB (14584 bytes)

MD57e367be02cd17a96d513ab74846bafb3

SHA11eb572d023f15389ce0aa4bc54fdd28c9f717223

SHA256f7bbc8461b2f4cc870743729ee5d44ce0466ca67618f89a8942b655f8a644e68

HTTP Headers

GET /s/roboto/v15/CWB0XYA8bzo0kSThX0UTuA.woff2 HTTP/1.1
Host: fonts.gstatic.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: http://helpavast.work.gd
DNT: 1
Connection: keep-alive
Referer: http://helpavast.work.gd/
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/apps-themes
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="apps-themes"
Report-To: {"group":"apps-themes","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/apps-themes"}]}
Timing-Allow-Origin: *
Content-Length: 14584
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 31 Jul 2025 10:43:36 GMT
Expires: Fri, 31 Jul 2026 10:43:36 GMT
Cache-Control: public, max-age=31536000
Age: 345918
Last-Modified: Wed, 14 Jan 2015 22:47:37 GMT
Content-Type: font/woff2

GET helpavast.work.gd/FavIcon.axd?__Cache=bdb3d4a1-00f6-4927-be1c-7ec59b443661

94.23.166.45

200 OK

788 B

URL GET HTTP

helpavast.work.gd/FavIcon.axd?__Cache=bdb3d4a1-00f6-4927-be1c-7ec59b443661

IP / ASN

94.23.166.45

#16276 OVH SAS

Requested byhttp://helpavast.work.gd/

Resource Information

File typeMS Windows icon resource - 2 icons, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 32x32 with - PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced

First Seen2023-08-13

Last Seen2025-08-04

Times Seen10

Size788 B (788 bytes)

MD5e4c29fd77ee69a56d677d7a8ec509e66

SHA1577be6920b7cfaa3feb0ca9f356877506f95da4f

SHA25669ff80cb4fe1a91378ce17c062e8cec9dc13cca0a0313f2236d021871d9fdf66

Detections

Analyzer	Verdict	Alert
Quad9 DNS	malicious	Sinkholed
urlquery	suspicious	Suspicious - DynDNS domain
suricata	medium	ET INFO DYNAMIC_DNS HTTP Request to a *.work .gd Domain
suricata	high	ETPRO POLICY ScreenConnect Successful Connection Response Inbound

HTTP Headers

GET /FavIcon.axd?__Cache=bdb3d4a1-00f6-4927-be1c-7ec59b443661 HTTP/1.1
Host: helpavast.work.gd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://helpavast.work.gd/
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Server: ScreenConnect/6.3.13446.6374-347839831
Cache-Control: private
Content-Type: image/vnd.microsoft.icon
Date: Mon, 04 Aug 2025 10:48:54 GMT
Content-Length: 788
Keep-Alive: timeout=15,max=98

GET fonts.gstatic.com/s/roboto/v15/d-6IYplOFocCacKzxwXSOFtXRa8TVwTICgirnJhmVJw.woff2

142.250.74.35

200 OK

15 kB

URL GET HTTP

fonts.gstatic.com/s/roboto/v15/d-6IYplOFocCacKzxwXSOFtXRa8TVwTICgirnJhmVJw.woff2

IP / ASN

142.250.74.35

#15169 GOOGLE

Requested byhttp://helpavast.work.gd/

Resource Information

File typeWeb Open Font Format (Version 2), TrueType, length 14552, version 2.0

First Seen2023-05-03

Last Seen2025-08-10

Times Seen458

Size15 kB (14552 bytes)

MD50d7e71f2b5cc1ddab837f72e1fe52f3f

SHA1c4344746896e452e5f4ef45781f622836910ae46

SHA256413a32337b13f4db78efa8d6842a3769d28166c156d9d053bf70b472e4a1e41f

HTTP Headers

GET /s/roboto/v15/d-6IYplOFocCacKzxwXSOFtXRa8TVwTICgirnJhmVJw.woff2 HTTP/1.1
Host: fonts.gstatic.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: application/font-woff2;q=1.0,application/font-woff;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: identity
Origin: http://helpavast.work.gd
DNT: 1
Connection: keep-alive
Referer: http://helpavast.work.gd/
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/apps-themes
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="apps-themes"
Report-To: {"group":"apps-themes","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/apps-themes"}]}
Timing-Allow-Origin: *
Content-Length: 14552
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 31 Jul 2025 14:01:28 GMT
Expires: Fri, 31 Jul 2026 14:01:28 GMT
Cache-Control: public, max-age=31536000
Last-Modified: Wed, 14 Jan 2015 22:48:06 GMT
Content-Type: font/woff2
Age: 334046