Technical Analysis of Files Used in 3CX Desktop App Malware Campaign

On 29th March 2023, reports emerged of malicious activities originating from a signed 3CX desktop application. Trojanized versions of the 3CX desktop app load a DLL with malicious content. The DLL launches a multi-staged attack on the victim machine, the final stage being the deployment of an unidentified info stealer.

Mehardeep Singh Sawhney
April 4, 2023
Green Alert
Last Update posted on
February 3, 2024
  • Category: Malware Intelligence
  • Type/Family: Infostealer
  • Industry: IT & Technology
  • Region: Global

Executive Summary

THREAT

  • Trojanized versions of the 3CX desktop app load a DLL with malicious content.
  • The DLL launches a multi-staged attack on the victim machine, the final stage being the deployment of an unidentified info stealer.
  • The campaign is multi-platform, with a macOS version.

IMPACT

  • Critical data such as saved passwords can be compromised through browsers installed on the victim system.

Analysis and Attribution

On 29th March 2023, reports emerged of malicious activities originating from a signed 3CX desktop application. CrowdStrike’s Falcon Overwatch has claimed to have observed malicious activities from both Windows and macOS versions of the application.

The product is a softphone application that allows you to make and receive calls on your physical desktop. The application is currently available for all major operating systems, including Windows, Linux, and macOS. 3CX claims to have more than 600,000 customers globally, so this campaign can have devastating effects.

Attack Overview

Upon installing the affected versions of the 3CX desktop application, three files are dropped by the installer:

  • 3CXDesktopApp.exe: Used to load the first trojanized DLL.
  • ffmpeg.dll: Trojanized DLL. It contains data that is used to read, decrypt, and execute shellcode from the second malicious DLL dropped by the installer.
  • d3dcompiler_47.dll: Contains malicious shellcode that fetches .ico files from a GitHub repository (now taken down) and decrypts the C&C URLs from those files.

 

Technical Analysis

The affected binary starts by loading the trojanized DLL ffmpeg.dll. This DLL looks for the next malicious DLL in the source directory (d3dcompiler_47.dll) and loads it. 

Using CreateFileW() to load d3dcompiler_47.dll

Encrypted malicious shellcode has been appended to d3dcompiler_47.dll, and it is identified by a unique marker (0xCEFAEDFE). This shellcode has been encrypted using the RC4 stream cipher.

Using ReadFile() to read shellcode from the DLL after the marker 0XCEFAEDFE

The shellcode is then decrypted using the key "3jB(2bsG#@c7" and stored in memory for use.

Start of the decryption loop, and the key used for decryption
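A triage sketch for the step above, added here as an example and not taken from the original report or from the malware: it checks whether a DLL carries the marker in the data appended after its last PE section and RC4-decrypts what follows with the key quoted above. The little-endian byte order of the marker, the tolerance for repeated markers, and the function names are assumptions; the sample file is constructed.

```python
import struct

# Both values are quoted in the analysis above.
MARKER = struct.pack("<I", 0xCEFAEDFE)  # assumption: stored little-endian (fe ed fa ce)
RC4_KEY = b"3jB(2bsG#@c7"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def overlay_offset(pe: bytes) -> int:
    """File offset just past the last section's raw data (start of the overlay)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    table = nt + 24 + opt_size  # section table follows the optional header
    end = 0
    for k in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * k + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def carve_appended_blob(pe: bytes, key: bytes = RC4_KEY):
    """Return (marker_offset, decrypted_bytes), or None if the overlay has no marker."""
    pos = pe.find(MARKER, overlay_offset(pe))
    if pos < 0:
        return None
    body = pos
    while pe[body:body + 4] == MARKER:  # assumption: tolerate a repeated marker
        body += 4
    return pos, rc4(key, pe[body:])


def build_sample(plaintext: bytes, with_blob: bool = True) -> bytes:
    """Constructed stand-in for a DLL: minimal headers, one section, optional blob."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x46, 1)                   # NumberOfSections
    struct.pack_into("<H", hdr, 0x54, 0)                   # SizeOfOptionalHeader
    hdr[0x58:0x60] = b".text\0\0\0"
    struct.pack_into("<II", hdr, 0x58 + 16, 0x100, 0x200)  # raw size, raw pointer
    image = bytes(hdr) + b"\x90" * 0x100
    return image + (MARKER + rc4(RC4_KEY, plaintext) if with_blob else b"")


if __name__ == "__main__":
    sample = build_sample(b"constructed placeholder, not real shellcode")
    print(carve_appended_blob(sample))
```

A clean copy of the same DLL has no marker past its last section, so a hit from carve_appended_blob() on a file in the application directory is worth escalating on its own.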

Then, VirtualProtect() is used to change the permissions of the memory region where the shellcode is stored to PAGE_EXECUTE_READWRITE (0x40). The shellcode also has a DLL embedded within it.

Using VirtualProtect() to make the memory region executable, and embedded DLL seen within shellcode

This shellcode is a downloader, and it is responsible for downloading the malicious .ico files from a now taken-down GitHub repository. It makes this request using a unique User-Agent string.

User-Agent string used to make request

A total of 16 .ico files are downloaded from https://raw.githubusercontent[.]com/IconStorages/images/main/, and each .ico file has an encrypted string appended at the end. This string is encrypted using AES in GCM mode and is encoded in base64.

An example of the encrypted URL string in the .ico files

When decrypted, the string in each .ico file yields a C&C URL, which is used to download the final stage payload. Below are the decrypted C&Cs for each .ico, credits to this script. The first URL (https://www.3cx[.]com/blog/event-trainings/, from icon0.ico) was most likely used as a test URL by the threat actor, since this address never hosted malware.


The final stage payload is reportedly a new info stealer, which steals data from well-known browsers such as Chrome, Edge, Brave, and Firefox.

Infostealer Payload

The final stage is a never-before-seen info stealer. Security researchers at Volexity have named this stealer ICONIC. This stealer cannot be run directly using rundll.exe, as it follows another loading process. For this reason, we have drawn our conclusions, as far as possible, from static analysis.

The stealer starts by checking the OS version that is currently running on the victim system. After this, it checks for the file C:\Program Files\3CXDesktopApp\config.json. Without this file, the stealer will not continue its operations.

Gets the current OS version and looks for the file

Then, the stealer gets the hostname and domain name and formats them so that they are stored together with the OS version. This will most likely be sent to the C&C as a victim identifier.

Host name, domain name, and current OS version stored together

 

Next, the stealer starts its file-stealing operations. It uses a loop of FindFirstFile() and FindNextFile() to find data related to popular browsers.

Loop to read browser-related files

The stealer has the paths of popular web browsers hardcoded. Below is a list of targeted browsers and the respective files that the stealer steals.

Hardcoded browser paths

 

Browser: File

  • Google Chrome: AppData\Local\Google\Chrome\User Data\History
  • Microsoft Edge: AppData\Local\Microsoft\Edge\User Data\History
  • Brave: AppData\Local\BraveSoftware\Brave-Browser\History
  • Mozilla Firefox: AppData\Roaming\Mozilla\Firefox\Profiles\places.sqlite

The stealer takes the History file for Chrome, Edge, and Brave, and the places.sqlite file for Firefox. These files store web browsing history in the form of an SQLite database. They contain the URL, page title, last visited time, and other information related to browsing.

At times, the URL of a page may contain sensitive information, such as encrypted credentials, which can be used by an attacker. It should be noted, however, that this happens very rarely with major portals and websites that take such data.

The stealer also uses the InternetCrackUrlW API to break a URL down into its components, such as protocol, hostname, port, and other parameters, and store them.

InternetCrackUrlW being used

 

The stealer's SQL queries limit the results to 500 entries, so that it steals only the most recent information.

SQL queries used for most recent information
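For incident response scoping, the following added example (not code from the report or the stealer) takes the 500 most recent rows of a history database and reports which URLs carry credential-like material, so the affected accounts can be rotated. The Chromium-style urls table, the parameter-name list and the .example hosts are assumptions; the database is constructed in memory.

```python
import sqlite3
from urllib.parse import parse_qsl, urlsplit

RECENT_LIMIT = 500  # the cap the analysis above reports for the stealer's queries

# Assumption: parameter names worth treating as secrets; extend for your own apps.
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "code", "password",
                    "passwd", "apikey", "api_key", "sessionid", "sig"}


def recent_history(conn, limit=RECENT_LIMIT):
    """Most recently visited rows, newest first.

    Assumption: a Chromium-style table urls(url, title, last_visit_time); the
    stealer's own query text is not reproduced on the page.
    """
    return conn.execute(
        "SELECT url, title, last_visit_time FROM urls "
        "ORDER BY last_visit_time DESC LIMIT ?", (limit,)).fetchall()


def exposed_secrets(rows):
    """Flag URLs that carry credential-like material; values are never returned."""
    findings = []
    for url, _title, _visited in rows:
        parts = urlsplit(url)  # scheme/host/port/path split, as InternetCrackUrlW does
        hits = ["userinfo-password"] if parts.password else []
        for source in (parts.query, parts.fragment):
            hits += [name for name, _ in parse_qsl(source, keep_blank_values=True)
                     if name.lower() in SENSITIVE_PARAMS]
        if hits:
            findings.append({"scheme": parts.scheme, "host": parts.hostname,
                             "port": parts.port, "path": parts.path,
                             "params": sorted(set(hits))})
    return findings


def build_sample_db():
    """Constructed history: 499 benign rows, two recent risky ones, one old risky one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, "
                 "title TEXT, last_visit_time INTEGER)")
    rows = [("https://intranet.example/page/%d" % n, "page", 1000 + n)
            for n in range(499)]
    rows.append(("https://sso.example/cb?code=abc123&state=x", "Signing in", 5000))
    rows.append(("https://user:hunter2@files.example:8443/share", "Share", 4000))
    rows.append(("https://old.example/reset?token=zzz", "Reset", 1))  # outside window
    conn.executemany(
        "INSERT INTO urls (url, title, last_visit_time) VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    for finding in exposed_secrets(recent_history(build_sample_db())):
        print(finding)
```

Run it against a forensic copy of the history file rather than the live profile, since the browser keeps the database locked while it is open.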

Finally, the stolen data is passed back to the main module, so that it can be sent to the C&C server.

macOS Variant 

The macOS installer for 3CX was also infected, and it operates slightly differently:

  • The path of the malicious component is 3CX Desktop App.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libffmpeg.dylib.
  • The URLs are XOR encoded and hardcoded in the binary (not retrieved from the aforementioned GitHub repository). The URLs used are listed below. This variant also uses a slightly different web request format to communicate with the URLs.


Detection

A YARA rule to detect all stages of this campaign can be found in the references section of this report.

 

Indicators of Compromise (IoCs)


References
