Windows Analysis Report
http://support.ec2-amazonaws.net?incident=RofwZT0

Overview

General Information

Sample URL: http://support.ec2-amazonaws.net?incident=RofwZT0
Analysis ID: 1635038

Detection

Score: 88
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Early bird code injection technique detected
Multi AV Scanner detection for dropped file
AI detected landing page (webpage, office document or email)
AI detected suspicious URL
Hides threads from debuggers
Hijacks the control flow in another process
Queues an APC in another process (thread injection)
Suspicious execution chain found
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sigma detected: Dfsvc.EXE Network Connection To Uncommon Ports
Sigma detected: Potentially Suspicious Rundll32 Activity
Stores large binary data to the registry

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 6236 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 7008 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,2424559189209343873,6072516767240843164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1564 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
    • rundll32.exe (PID: 7940 cmdline: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication C:\Users\user\Downloads\Secure Source.application MD5: EF3179D498793BF4234F708D3BE28633)
      • dfsvc.exe (PID: 7972 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" MD5: B4088F44B80D363902E11F897A7BAC09)
        • dfsvc.exe (PID: 7472 cmdline: "C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe" MD5: F187EE517C983057ED77B1141AE422B3)
          • dllhost.exe (PID: 7428 cmdline: C:\Windows\system32\dllhost.exe /Processid:{D2F96C54-DF80-4E18-BDED-94706F6A66C0} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
            • WerFault.exe (PID: 3392 cmdline: C:\Windows\system32\WerFault.exe -u -p 7428 -s 272 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • chrome.exe (PID: 6720 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://support.ec2-amazonaws.net?incident=RofwZT0" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
No yara matches
Source: Network Connection | Author: Nasreddine Bencherchali (Nextron Systems): Data: DestinationIp: 192.168.2.17, DestinationIsIpv6: false, DestinationPort: 49743, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe, Initiated: true, ProcessId: 7972, Protocol: tcp, SourceIp: 51.103.246.168, SourceIsIpv6: false, SourcePort: 443
Source: Process started | Author: juju4, Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication C:\Users\user\Downloads\Secure Source.application, CommandLine: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication C:\Users\user\Downloads\Secure Source.application, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank", ParentImage: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentProcessId: 6236, ParentProcessName: chrome.exe, ProcessCommandLine: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication C:\Users\user\Downloads\Secure Source.application, ProcessId: 7940, ProcessName: rundll32.exe
No Suricata rule has matched

AV Detection

Source: C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\AppDomain.dll | Avira: detection malicious, Label: TR/Redcap.fbcak
Source: C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\AppDomain.dll | ReversingLabs: Detection: 58%

Phishing

Source: https://client.meetingdashboard.com/securesource/index.html | Joe Sandbox AI: Page contains button: 'Download & Install' Source: '2.1.pages.csv'
Source: http://support.ec2-amazonaws.net | Joe Sandbox AI: The URL 'support.ec2-amazonaws.net' closely resembles Amazon's AWS service, which is typically accessed through 'aws.amazon.com'. The use of 'ec2' and 'amazonaws' suggests an attempt to mimic Amazon's Elastic Compute Cloud (EC2) service. The domain extension '.net' is a common alternative to '.com', which could confuse users. The subdomain 'support' is plausible for a legitimate service but, combined with the rest of the URL, it increases the likelihood of typosquatting. The structural similarity and the use of Amazon-related terms contribute to a high likelihood of user confusion, suggesting a potential typosquatting attempt.
Source: https://support.ec2-amazonaws.net | Joe Sandbox AI: The URL 'https://support.ec2-amazonaws.net' closely resembles Amazon's AWS service URL. The legitimate AWS URL is 'https://aws.amazon.com', which is a well-known global brand. The analyzed URL uses 'ec2-amazonaws' as a subdomain, which mimics the legitimate 'amazonaws.com' domain used by Amazon Web Services. The use of 'ec2' is a reference to Amazon's Elastic Compute Cloud service, which adds to the potential for user confusion. The top-level domain '.net' is different from the legitimate '.com', which is a common tactic in typosquatting to mislead users. The structural similarity and the use of Amazon-related terms suggest a high likelihood of typosquatting, as it could easily confuse users into thinking they are interacting with a legitimate Amazon service.
Source: https://support.ec2-amazonaws.net/?incident=RofwZT0 | HTTP Parser: No favicon
Source: https://client.meetingdashboard.com/securesource/index.html | HTTP Parser: No favicon
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File created: C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\LICENSE.txt
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File created: C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\README.txt
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File created: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu..urce_0000000000000000_0001.0000_none_39b1e8abac836ad0\LICENSE.txt
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File created: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu..urce_0000000000000000_0001.0000_none_39b1e8abac836ad0\README.txt
Source: unknown | HTTPS traffic detected: 51.103.246.168:443 -> 192.168.2.17:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 51.103.246.168:443 -> 192.168.2.17:49753 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 51.103.246.168:443 -> 192.168.2.17:49754 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe | File opened: C:\Users\user\AppData\Local\Apps\
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe | File opened: C:\Users\user\AppData\Local\Apps\2.0\
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe | File opened: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\

Software Vulnerabilities

Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Child: C:\Windows\System32\rundll32.exe
Source: global traffic | HTTP traffic detected: GET /securesource/Secure%20Source.application HTTP/1.1 | Host: client.meetingdashboard.com | Accept-Encoding: gzip | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /securesource/Secure%20Source.manifest HTTP/1.1 | Host: client.meetingdashboard.com | Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /securesource/LICENSE.txt.deploy HTTP/1.1 | Host: client.meetingdashboard.com | Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /securesource/dfsvc.exe.config.deploy HTTP/1.1 | Host: client.meetingdashboard.com | Accept-Encoding: gzip | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /securesource/README.txt.deploy HTTP/1.1 | Host: client.meetingdashboard.com | Accept-Encoding: gzip
Source: global traffic | HTTP traffic detected: GET /securesource/AppDomain.dll.deploy HTTP/1.1 | Host: client.meetingdashboard.com | Accept-Encoding: gzip | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /?incident=RofwZT0 HTTP/1.1 | Host: support.ec2-amazonaws.net | Connection: keep-alive | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Sec-Fetch-Site: none | Sec-Fetch-Mode: navigate | Sec-Fetch-User: ?1 | Sec-Fetch-Dest: document | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /?incident=RofwZT0 HTTP/1.1 | Host: support.ec2-amazonaws.net | Connection: keep-alive | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /?incident=RofwZT0 HTTP/1.1 | Host: support.ec2-amazonaws.net | Connection: keep-alive | Cache-Control: max-age=0 | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Encoding: gzip, deflate | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /?incident=RofwZT0 HTTP/1.1 | Host: support.ec2-amazonaws.net | Connection: keep-alive | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: none | Sec-Fetch-Mode: navigate | Sec-Fetch-User: ?1 | Sec-Fetch-Dest: document | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /recaptcha/api.js HTTP/1.1 | Host: www.google.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: */* | X-Client-Data: CLf3ygE= | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Sec-Fetch-Storage-Access: active | Referer: https://support.ec2-amazonaws.net/ | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /securesource/index.html HTTP/1.1 | Host: client.meetingdashboard.com | Connection: keep-alive | Cache-Control: max-age=0 | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: navigate | Sec-Fetch-User: ?1 | Sec-Fetch-Dest: document | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Referer: https://support.ec2-amazonaws.net/ | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Host: client.meetingdashboard.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Referer: https://client.meetingdashboard.com/securesource/index.html | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: GET /securesource/Secure%20Source.application HTTP/1.1 | Host: client.meetingdashboard.com | Connection: keep-alive | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: navigate | Sec-Fetch-Dest: empty | Referer: https://client.meetingdashboard.com/securesource/index.html | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic | DNS traffic detected: DNS query: support.ec2-amazonaws.net
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: client.meetingdashboard.com
Source: global traffic | DNS traffic detected: DNS query: beacons.gcp.gvt2.com
Source: global traffic | DNS traffic detected: DNS query: beacons.gvt2.com
Source: global traffic | DNS traffic detected: DNS query: beacons2.gvt2.com
Source: unknown | HTTP traffic detected: POST /?incident=RofwZT0 HTTP/1.1 | Host: support.ec2-amazonaws.net | Connection: keep-alive | Content-Length: 24 | Cache-Control: max-age=0 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Origin: https://support.ec2-amazonaws.net | Content-Type: application/x-www-form-urlencoded | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: navigate | Sec-Fetch-User: ?1 | Sec-Fetch-Dest: document | Referer: https://support.ec2-amazonaws.net/?incident=RofwZT0 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.24.0 (Ubuntu) | Date: Tue, 11 Mar 2025 09:08:04 GMT | Content-Type: text/html | Content-Length: 564 | Connection: close
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir6236_963508851
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File deleted: C:\Windows\SystemTemp\scoped_dir6236_963508851
Source: C:\Windows\System32\dllhost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7428 -s 272
Source: classification engine | Classification label: mal88.expl.evad.win@38/18@39/140
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\Downloads\33dd31de-83c8-43d4-a417-6253ff02aa56.tmp
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7428
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | File created: C:\Users\user\AppData\Local\Temp\Deployment
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\dfshim.dll",ShOpenVerbApplication C:\Users\user\Downloads\Secure Source.application
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,2424559189209343873,6072516767240843164,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=1564 /prefetch:3
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://support.ec2-amazonaws.net?incident=RofwZT0"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess created: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe "C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe"
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{D2F96C54-DF80-4E18-BDED-94706F6A66C0}
Source: C:\Windows\System32\dllhost.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7428 -s 272
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: dfshim.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: uiautomationcore.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: dfshim.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\dllhost.exeSection loaded: tbs.dll
Source: C:\Windows\System32\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\AppDomain.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\dfsvc_b03f5f7f11d50a3a_0004.0000_none_00f6b67d8e219c7d\dfsvc.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\LICENSE.txt
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\README.txt
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu..urce_0000000000000000_0001.0000_none_39b1e8abac836ad0\LICENSE.txt
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeFile created: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu..urce_0000000000000000_0001.0000_none_39b1e8abac836ad0\README.txt
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeKey value created or modified: HKEY_CURRENT_USER_Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\secu...app_0000000000000000_0001.0000_6fc0382004c2f449 {c989bb7a-8385-4715-98cf-a741a8edb823}!ApplicationTrust
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: 1D063BD0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeMemory allocated: 1D07D4B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeMemory allocated: 1790000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeMemory allocated: 1B0B0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599887
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599777
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599666
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599554
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599443
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599315
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599203
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 599092
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598980
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598869
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598757
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598647
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598536
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598424
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598297
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598187
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 598076
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597964
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597852
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597741
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597629
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597517
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597389
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597279
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597167
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 597055
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596943
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596816
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596705
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596577
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596465
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596353
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596242
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596128
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 596018
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595890
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595778
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595666
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595554
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595442
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595331
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595187
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 595075
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594963
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594851
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594739
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeThread delayed: delay time: 594627
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeThread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeThread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeThread delayed: delay time: 599888
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeThread delayed: delay time: 599777
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeThread delayed: delay time: 599665
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeThread delayed: delay time: 599554
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeThread delayed: delay time: 599442
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeWindow / User API: threadDelayed 9530
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeWindow / User API: threadDelayed 351
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\AppDomain.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8028Thread sleep count: 9530 > 30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -599887s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8028Thread sleep count: 223 > 30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -599777s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -599666s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -599554s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -599443s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -599315s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -599203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -599092s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -598980s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -598869s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -598757s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -598647s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -598536s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -598424s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -598297s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -598187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -598076s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -597964s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -597852s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -597741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -597629s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -597517s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -597389s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -597279s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -597167s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -597055s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -596943s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -596816s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -596705s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -596577s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -596465s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -596353s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -596242s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -596128s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -596018s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -595890s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -595778s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -595666s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -595554s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -595442s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -595331s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -595187s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -595075s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -594963s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -594851s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -594739s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe TID: 8016Thread sleep time: -594627s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe TID: 1992Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe TID: 1992Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe TID: 772Thread sleep count: 200 > 30
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe TID: 1992Thread sleep time: -599888s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe TID: 772Thread sleep count: 351 > 30
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe TID: 1992Thread sleep time: -599777s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe TID: 1992Thread sleep time: -599665s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe TID: 1992Thread sleep time: -599554s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe TID: 1992Thread sleep time: -599442s >= -30000s
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeFile opened: C:\Users\user\AppData\Local\Apps\
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeFile opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeFile opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeFile opened: C:\Users\user\AppData\Local\Apps\2.0\
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exeFile opened: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\

Anti Debugging

Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe Process token adjusted: Debug
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe Process created / APC Queued / Resumed: C:\Windows\System32\dllhost.exe
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe Memory written: PID: 7428 base: 1D8F3083000 value: FF
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe Memory written: PID: 7428 base: 1D8F30B9000 value: FF
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe Memory written: PID: 7428 base: 1D8F30C9000 value: E9
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe Memory written: PID: 7428 base: 1D8F30D2000 value: FF
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe Thread APC queued: target process: C:\Windows\System32\dllhost.exe
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\dllhost.exe /Processid:{D2F96C54-DF80-4E18-BDED-94706F6A66C0}
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\dfsvc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\AppDomain.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\LICENSE.txt VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\dfsvc.exe.config VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\README.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe; Queries volume information: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\AppDomain.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\secu...app_0000000000000000_0001.0000_973670e901929e31\dfsvc.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Exploitation for Client Execution; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 2 Browser Extensions; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 311 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Masquerading; 1 Modify Registry; 11 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Rundll32; 1 DLL Side-Loading; 1 File Deletion
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 Security Software Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 4 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Source | Detection | Scanner | Label | Link
http://support.ec2-amazonaws.net?incident=RofwZT0 | 0% | Avira URL Cloud | safe |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\AppDomain.dll | 100% | Avira | TR/Redcap.fbcak |
C:\Users\user\AppData\Local\Apps\2.0\4ECGV565.ZTG\DB9DL8M0.DKV\dfsvc_b03f5f7f11d50a3a_0004.0000_none_00f6b67d8e219c7d\dfsvc.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\Deployment\Q8BTN7XY.R4J\35OHT3B0.O4O\AppDomain.dll | 58% | ReversingLabs | Win32.Adware.RedCap |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://support.ec2-amazonaws.net/?incident=RofwZT0 | 0% | Avira URL Cloud | safe |
http://support.ec2-amazonaws.net/?incident=RofwZT0 | 0% | Avira URL Cloud | safe |
https://client.meetingdashboard.com/favicon.ico | 0% | Avira URL Cloud | safe |
https://client.meetingdashboard.com/securesource/Secure%20Source.application | 0% | Avira URL Cloud | safe |
https://client.meetingdashboard.com/securesource/Secure%20Source.manifest | 0% | Avira URL Cloud | safe |
https://client.meetingdashboard.com/securesource/dfsvc.exe.config.deploy | 0% | Avira URL Cloud | safe |
https://client.meetingdashboard.com/securesource/LICENSE.txt.deploy | 0% | Avira URL Cloud | safe |
https://client.meetingdashboard.com/securesource/README.txt.deploy | 0% | Avira URL Cloud | safe |
https://client.meetingdashboard.com/securesource/AppDomain.dll.deploy | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
client.meetingdashboard.com | 51.103.246.168 | true | false | | unknown
beacons-handoff.gcp.gvt2.com | 172.217.23.99 | true | false | | high
support.ec2-amazonaws.net | 172.161.24.166 | true | true | | unknown
www.google.com | 216.58.212.164 | true | false | | high
beacons2.gvt2.com | 172.217.29.163 | true | false | | high
beacons.gvt2.com | 142.251.143.35 | true | false | | high
beacons.gcp.gvt2.com | unknown | unknown | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://client.meetingdashboard.com/favicon.ico | false | Avira URL Cloud: safe | unknown
https://client.meetingdashboard.com/securesource/Secure%20Source.manifest | false | Avira URL Cloud: safe | unknown
https://client.meetingdashboard.com/securesource/index.html | true | | unknown
http://support.ec2-amazonaws.net/?incident=RofwZT0 | true | Avira URL Cloud: safe | unknown
https://support.ec2-amazonaws.net/?incident=RofwZT0 | true | Avira URL Cloud: safe | unknown
https://client.meetingdashboard.com/securesource/Secure%20Source.application | false | Avira URL Cloud: safe | unknown
https://client.meetingdashboard.com/securesource/dfsvc.exe.config.deploy | false | Avira URL Cloud: safe | unknown
https://client.meetingdashboard.com/securesource/LICENSE.txt.deploy | false | Avira URL Cloud: safe | unknown
https://client.meetingdashboard.com/securesource/AppDomain.dll.deploy | false | Avira URL Cloud: safe | unknown
https://www.google.com/recaptcha/api.js | false | | high
https://client.meetingdashboard.com/securesource/README.txt.deploy | false | Avira URL Cloud: safe | unknown

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
142.250.186.68 | unknown | United States | | 15169 | GOOGLEUS | false
142.250.186.46 | unknown | United States | | 15169 | GOOGLEUS | false
142.250.185.78 | unknown | United States | | 15169 | GOOGLEUS | false
142.250.185.68 | unknown | United States | | 15169 | GOOGLEUS | false
216.58.212.164 | www.google.com | United States | | 15169 | GOOGLEUS | false
216.58.206.67 | unknown | United States | | 15169 | GOOGLEUS | false
142.250.185.234 | unknown | United States | | 15169 | GOOGLEUS | false
142.250.185.227 | unknown | United States | | 15169 | GOOGLEUS | false
216.58.206.35 | unknown | United States | | 15169 | GOOGLEUS | false
142.251.168.84 | unknown | United States | | 15169 | GOOGLEUS | false
142.250.185.174 | unknown | United States | | 15169 | GOOGLEUS | false
142.250.185.131 | unknown | United States | | 15169 | GOOGLEUS | false
51.103.246.168 | client.meetingdashboard.com | United Kingdom | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

IP
192.168.2.17
172.161.24.166

Joe Sandbox version:42.0.0 Malachite
Analysis ID:1635038
Start date and time:2025-03-11 10:06:55 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Sample URL:http://support.ec2-amazonaws.net?incident=RofwZT0
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:21
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Detection:MAL
Classification:mal88.expl.evad.win@38/18@39/140
• Exclude process from analysis (whitelisted): svchost.exe
• Excluded IPs from analysis (whitelisted): 142.250.185.78, 216.58.206.35, 142.251.168.84, 142.250.185.174, 172.217.18.14, 142.250.184.238
• Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, clientservices.googleapis.com, clients.l.google.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: http://support.ec2-amazonaws.net?incident=RofwZT0

                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):11592
                    Entropy (8bit):6.334441201555883
                    Encrypted:false
                    SSDEEP:
                    MD5:F187EE517C983057ED77B1141AE422B3
                    SHA1:C430C6A82351FBBF305B7237B85F451431BDD3A8
                    SHA-256:9C47FB536CDC6ABD9AD870FA592A89279688D34B582B6C3A307D2818912D2F2F
                    SHA-512:CB10241F0A21B570F296C2B555DF70F6BB0E413497A10C6816C6418CEEBB5A2317D3C2FC7A4071375839B4D36A452503E67AF0D3D1E8C0FC5F57DFEFB348AB16
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Reputation:unknown
                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2468
                    Entropy (8bit):4.3597415927173895
                    Encrypted:false
                    SSDEEP:
                    MD5:6308BA483A5C8ECF9A3B70068881E907
                    SHA1:FAD6E6EDC024CFA71566F3EB9A2069DB63548292
                    SHA-256:3B25995CCE1818FF7978433877E7BC63FF01918756B0545EA2CA0DDB337AB20B
                    SHA-512:958BC9A3561EF2D3EFFCE11F97275AE1DC3C48DF049228A5013801E1DBFC66BF273BB59B0D5BE58F1428C5337A13371AF148C68636F64DFDECAC23808574F642
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):822
                    Entropy (8bit):5.135674932251925
                    Encrypted:false
                    SSDEEP:
                    MD5:A9C5A4035D42BC3FAF49B78055731233
                    SHA1:504F39D472E2280DCC79282EF3B0F609860BE97A
                    SHA-256:3B1BD54063B05CDE0561DDEC45E009A293FE46A6F5645B961E4A07EE74B0B553
                    SHA-512:9B0635CDE404F580ED87619720CCE7CD68F069FF9AA3A573FDAE8CEB0E8EF2AE5DA7BDE16CC2F0C2E0AC581EADE5415FBAB8A4E485245717A9A378E2173E55D8
                    Malicious:false
                    Reputation:unknown
Preview:
<?xml version="1.0" encoding="utf-8"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">
  <assemblyIdentity name="dfsvc" processorArchitecture="msil" publicKeyToken="b03f5f7f11d50a3a" version="4.0.0.0" />
  <file name="dfsvc.exe" />
  <dependency>
    <dependentAssembly>
      <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="4.0.0.0" />
    </dependentAssembly>
  </dependency>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity name="System.Deployment" publicKeyToken="b03f5f7f11d50a3a" version="4.0.0.0" />
    </dependentAssembly>
  </dependency>
</assembly>
                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):3892
                    Entropy (8bit):4.523159552459641
                    Encrypted:false
                    SSDEEP:
                    MD5:FF4E1DA0A13B03E998A6F42C27F6A23F
                    SHA1:D7193F2CBA69624183C18EA6E921DD0AF2E0C9D2
                    SHA-256:E3D8EF845B269B822E48F48050CF021A1B7435F3EDE952388E2FEAB77CF177D6
                    SHA-512:8A1B53FC57757B3A905799C9B8487D171A3A7A5C7C0243343727EDF2132EBCDF4183B7A49EE52587B1F924690279F4EF17D620C023BA21E98D3CF3241F57977A
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):6408
                    Entropy (8bit):4.226498918374426
                    Encrypted:false
                    SSDEEP:
                    MD5:A1CC971B7FF03358A6134E0AE7DAE8D7
                    SHA1:F3A03A2DCCB2151A551BE0CB7D30386FCF015784
                    SHA-256:0E81CF7BE60AA173EDD452DED56F7755E5C736EB5D39BE46D4744EAEA30D11D5
                    SHA-512:CB2F8515C882325BE28063DD5B55091BCAE3F86D89F5F7FDA02D376CF5326D045A9FF05F8B06CE486BB36989F791756DACFF9293CABC8D3D3096A01CBCD31CF1
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):2828
                    Entropy (8bit):4.189577857216702
                    Encrypted:false
                    SSDEEP:
                    MD5:0A17744B68DD2297AE71EEA1709A5222
                    SHA1:BE0395F14667B177A6BAAF27805743FC61CA542F
                    SHA-256:375BBE1F8231AEE195E52FD18260F1F41F687BCCDF2001E2AEB05BA634BCE00F
                    SHA-512:A464B4C60B26F8612C284DA3F6DE0C3673A612783AB86E3950CB38D31C444C6EF2B5B68CC07307A1AE903F86840364B74EFB4736713E3DF0B95D9D24EFE6D0D9
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):968
                    Entropy (8bit):5.104381842634764
                    Encrypted:false
                    SSDEEP:
                    MD5:9F15CD14F1AAFB417D5FBB244C9AD077
                    SHA1:BEA87ECDCA614B076B93EA0BAE1F4162F13A1454
                    SHA-256:AEE89F645193494EBF2A3DB67AD9DB6257AE3D7C81A7B49943DFCE8910166198
                    SHA-512:17B3596B213FF5EC05BF467778F647E6760A06D584309B8A6AE75B89669317E7033168810AD61D1630E5E897DD6E313100910EF50BD738EAD032B3B490154392
                    Malicious:false
                    Reputation:unknown
Preview:
<?xml version="1.0" encoding="utf-8"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd">
  <assemblyIdentity name="AppDomain" processorArchitecture="msil" version="0.0.0.0" />
  <file name="AppDomain.dll" />
  <dependency>
    <dependentAssembly>
      <assemblyIdentity name="mscorlib" publicKeyToken="b77a5c561934e089" version="4.0.0.0" />
    </dependentAssembly>
  </dependency>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity name="System" publicKeyToken="b77a5c561934e089" version="4.0.0.0" />
    </dependentAssembly>
  </dependency>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity name="System.Core" publicKeyToken="b77a5c561934e089" version="4.0.0.0" />
    </dependentAssembly>
  </dependency>
</assembly>
                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):10442
                    Entropy (8bit):3.6462364515106
                    Encrypted:false
                    SSDEEP:
                    MD5:69EF944DA641D180CF1E9C96120EFC9A
                    SHA1:224A85B5B027BAA7D4BFE44F7BE045A4942B6576
                    SHA-256:D93EF0395E82739DE6A6C8AA03603A9DEB04087066BE612BA7CF112D130470FB
                    SHA-512:A3501491D8CD753F749A429FF288178A6AAF9B77E1829F53986A3EF44A72F9A11E69B347FF6D1FCD41EB75431AE896F8812ABABB7A0E1BEC3E2CBA051DAB7895
                    Malicious:false
                    Reputation:unknown
                    Preview:PLATFORM VERSION INFO
                        Windows : 10.0.19045.0 (Win32NT)
                        Common Language Runtime : 4.0.30319.42000
                        System.Deployment.dll : 4.8.4654.0 built by: NET48REL1LAST_B
                        clr.dll : 4.8.4645.0 built by: NET48REL1LAST_B
                        dfdll.dll : 4.8.4654.0 built by: NET48REL1LAST_B
                        dfshim.dll : 10.0.19041.30000 (WinBuild.160101.0800)
                        SOURCES
                        Deployment url : file:///C:/Users/torres/Downloads/Secure%20Source.application
                        Deployment Provider url : https://client.meetingdashboard.com/secure
                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):58880
                    Entropy (8bit):5.565876799462119
                    Encrypted:false
                    SSDEEP:
                    MD5:A78559D698D8A90CA80BC2DBCB997B8A
                    SHA1:3788D22EB8CDFDA4EB73F21EC28DE68F70F23652
                    SHA-256:514EAC77158B9786D9C11F177C594416FED9A8D017415A3C87F8220CC953F252
                    SHA-512:6D17114AE8BCEF412127BBB9D11A0D026E12E500AAE7B2C58ABE880C11D3EC2C94491C183A74CA0F6ABA107B4F12CB0961B01D52F03201BF76F495B90C099F5E
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 58%
                    Reputation:unknown
                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                    File Type:ASCII text, with very long lines (65536), with no line terminators
                    Category:dropped
                    Size (bytes):707033
                    Entropy (8bit):5.528028420588959
                    Encrypted:false
                    SSDEEP:
                    MD5:AD414CDA697B435355A5B91640163E62
                    SHA1:11AE0DF77F154F7E7798578E5EC7880217843707
                    SHA-256:4989428B8C0F781FFD2FFE5275E61E9B7E7DC6EEE486414DC065296CFF67B4A2
                    SHA-512:A8FB54D68C44A9F8AB12D077D48B4E7B79E09FFC4FC1B5F8F35CE8B408DBDA3739F5E6D9B6C4162EB3959A6DC61178011F28C44AC840B29F35475CEB521D6A0F
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (504)
                    Category:dropped
                    Size (bytes):2568
                    Entropy (8bit):5.080405838685388
                    Encrypted:false
                    SSDEEP:
                    MD5:B854AD8CAF7EAEB6EB4C4D72AF2638B8
                    SHA1:5CC2A571EFBECB03739C09D15624EC30CDE4C6B9
                    SHA-256:F993360BFC8DC685BF042DDE41829144C60180AD6662CBAF639792FF7DB4F3DC
                    SHA-512:AADE7AFFF3988B997A93E0FB777D67801B4FC0061C6443D126FEE9FF78D2E7F4DF960DF24B2D3A09F78C72A8C7C350AFCEF4BF572F04EB5DE89754C62123505F
                    Malicious:false
                    Reputation:unknown
                    Preview:.<?xml version="1.0" encoding="utf-8"?>.<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">. <asmv1:assemblyIdentity name="Secure Source" version="1.0.0.0" publicKeyToken="0000000000000000" language="neutral" processorArchitecture="msil" type="win32" />. <application />. <entryPoint>. <assemblyIdentity name="dfsvc" version="4.0.0.0" publicKeyToken="b03f5f7f11d50a3a" language="neutral" processorArchitecture="msil" />. <commandLine file="dfsvc.exe" parameters="" />. </entryPoint>. <trustInfo>. <security>. <applicationReque
                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                    File Type:XML 1.0 document, ASCII text
                    Category:dropped
                    Size (bytes):464
                    Entropy (8bit):5.057431171341659
                    Encrypted:false
                    SSDEEP:
                    MD5:F5290A93EDC9C6FD1262DB7F0BBFDEB9
                    SHA1:7AE55FE1E8551B331E58E21CE9FF6E5585B3E0FF
                    SHA-256:4876DD523FDF14974A92A19BFDE8D303E0DCA4A69AFC46E2D84F4C9B4B7EBE4B
                    SHA-512:B35892BAFE75DB3765FE22B38163AA22586BCADDE43AD45664E5041CFCBC09C3972434476F1578C71AE23848F222F677645C14FCB291B2DF46F169508EB73A5A
                    Malicious:false
                    Reputation:unknown
                    Preview:<?xml version="1.0" encoding="utf-8"?>.<configuration>. <runtime>. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"></assemblyBinding>. <appDomainManagerAssembly value="AppDomain, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null" />. <appDomainManagerType value="AppDomain" />. <etwEnable enabled="false" />. </runtime>. <startup>. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.1" />. </startup>.</configuration>
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (550)
                    Category:dropped
                    Size (bytes):1681
                    Entropy (8bit):5.071766565883557
                    Encrypted:false
                    SSDEEP:
                    MD5:493C52849FA932EBC0B7C5CE02B1E442
                    SHA1:3658F85151581BCF6EB1845135361CCC2CC2EB97
                    SHA-256:1C85AC1E6D97356B704A86E4BDBF190FF6A8DA475CA725070A31EAE277EFA0FF
                    SHA-512:ADCE95FE6EFBC6E743BF0CA01D9D0E835CAC0BB8336791590FAD68AF4C973BE3648850CE6C461AB159F9642948749E90596D385B35D0641AD3537760680543F9
                    Malicious:false
                    Reputation:unknown
                    Preview:.<?xml version="1.0" encoding="utf-8"?>.<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">. <assemblyIdentity name="Secure Source.app" version="1.0.0.0" publicKeyToken="0000000000000000" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />. <description asmv2:publisher="Secure Source" asmv2:product="Secure Source" xmlns="urn:schemas-microsoft-com:asm.v1" />. <deployment install="false" mapFileExtensions="true">. <deploymentProvider codebase="https:/
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (550)
                    Category:dropped
                    Size (bytes):0
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:
                    MD5:493C52849FA932EBC0B7C5CE02B1E442
                    SHA1:3658F85151581BCF6EB1845135361CCC2CC2EB97
                    SHA-256:1C85AC1E6D97356B704A86E4BDBF190FF6A8DA475CA725070A31EAE277EFA0FF
                    SHA-512:ADCE95FE6EFBC6E743BF0CA01D9D0E835CAC0BB8336791590FAD68AF4C973BE3648850CE6C461AB159F9642948749E90596D385B35D0641AD3537760680543F9
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (550)
                    Category:dropped
                    Size (bytes):0
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:
                    MD5:493C52849FA932EBC0B7C5CE02B1E442
                    SHA1:3658F85151581BCF6EB1845135361CCC2CC2EB97
                    SHA-256:1C85AC1E6D97356B704A86E4BDBF190FF6A8DA475CA725070A31EAE277EFA0FF
                    SHA-512:ADCE95FE6EFBC6E743BF0CA01D9D0E835CAC0BB8336791590FAD68AF4C973BE3648850CE6C461AB159F9642948749E90596D385B35D0641AD3537760680543F9
                    Malicious:false
                    Reputation:unknown
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:ASCII text, with no line terminators
                    Category:downloaded
                    Size (bytes):16
                    Entropy (8bit):3.75
                    Encrypted:false
                    SSDEEP:
                    MD5:AFB69DF47958EB78B4E941270772BD6A
                    SHA1:D9FE9A625E906FF25C1F165E7872B1D9C731E78E
                    SHA-256:874809FB1235F80831B706B9E9B903D80BD5662D036B7712CC76F8C684118878
                    SHA-512:FD92B98859FFCCFD12AD57830887259F03C7396DA6569C0629B64604CD964E0DF15D695F1A770D2E7F8DF238140F0E6DA7E7D176B54E31C3BB75DDE9B9127C45
                    Malicious:false
                    Reputation:unknown
                    URL:https://content-autofill.googleapis.com/v1/pages/ChRDaHJvbWUvMTM0LjAuNjk5OC4zNhIZCbuuVdr7QbyYEgUNU1pHxSEjjxdKZCQ-HQ==?alt=proto
                    Preview:CgkKBw1TWkfFGgA=
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:HTML document, ASCII text, with CRLF line terminators
                    Category:downloaded
                    Size (bytes):564
                    Entropy (8bit):4.774644044334241
                    Encrypted:false
                    SSDEEP:
                    MD5:54D14E2ABA479693F9FD361A56D5F525
                    SHA1:2E52709FFE46120E45B90FB907BB2D09E083B448
                    SHA-256:ED6F6F2144998175C846A99D2A0FAAB5BF7B6ACE318F0FE2DC4BFEAF4700C1D8
                    SHA-512:460C379C9B4C4B5B89F302CEC4EDAA5707578FC336EC70C8AD992D8341A9F3E27B1764B8B9F170715723AFC7F3E7114FAA4C09ED4E3DB2A77C90BA5CCAA05498
                    Malicious:false
                    Reputation:unknown
                    URL:https://client.meetingdashboard.com/favicon.ico
                    Preview:<html>..<head><title>404 Not Found</title></head>..<body>..<center><h1>404 Not Found</h1></center>..<hr><center>nginx/1.24.0 (Ubuntu)</center>..</body>..</html>.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->..
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:ASCII text, with very long lines (1475), with no line terminators
                    Category:downloaded
                    Size (bytes):1475
                    Entropy (8bit):5.789220866944941
                    Encrypted:false
                    SSDEEP:
                    MD5:313861AF09DE3A0988B4985FC6A4CD8C
                    SHA1:7595C98A19C985DDF3570549D2A95F693A8A8CA7
                    SHA-256:CF412F0F86E1E228CAFDB73B227424F302A5212BB7271D75CB28B2B99B62062C
                    SHA-512:8E73C0AB968AE2E38EFFDF6BCCBD9053B00F896318F03796384BC99552E278BD3597E22FB0962BDC814B7315D97A9FD04F9497C8AF0C140B9E6CCFBA2D3B8FFE
                    Malicious:false
                    Reputation:unknown
                    URL:https://www.google.com/recaptcha/api.js
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:HTML document, ASCII text
                    Category:downloaded
                    Size (bytes):1618
                    Entropy (8bit):4.392211254070033
                    Encrypted:false
                    SSDEEP:
                    MD5:DAFB108E11B58B6087E7A8F71B6166B3
                    SHA1:25D1DA60939A8D2490BF2726710C68AB7E06D70C
                    SHA-256:15AB1B13E7C363A7D4E4D34D9056ACE78341AB1217CF6FB7FDAC2F2553E26C37
                    SHA-512:B48E2087833B67A291AA3ED22C6D550EAFCD3136C44FD44F5DFAA5D981BF11597E7674DBAD8C4F60EC884FEFAB4C9D2E43EB57453DC8E623EDE6B6A6A1043FA3
                    Malicious:false
                    Reputation:unknown
                    URL:https://client.meetingdashboard.com/securesource/index.html
                    Preview:<!DOCTYPE html>.<html lang="en">.<head>. <meta charset="UTF-8">. <meta name="viewport" content="width=device-width, initial-scale=1.0">. <title>Software Installation</title>. <style>. body {. font-family: Arial, sans-serif;. margin: 0;. padding: 0;. background-color: #f4f4f4; /* Light gray background */. text-align: center;. }. .header {. padding: 15px;. font-size: 24px;. font-weight: bold;. }. .container {. max-width: 500px;. margin: 20px auto; /* Reduced margin to bring it closer to the header */. padding: 20px;. background: white;. border-radius: 10px;. box-shadow: 2px 2px 10px rgba(0, 0, 0, 0.1);. }. h2 {. color: #333;. }. p {. color: #555;. }. a {. display: inline-block;. background-color: #007BFF;.
                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                    File Type:HTML document, ASCII text, with very long lines (663)
                    Category:downloaded
                    Size (bytes):558808
                    Entropy (8bit):5.68706025962721
                    Encrypted:false
                    SSDEEP:
                    MD5:D45286B720CD1D4A234FC6C650228C3D
                    SHA1:F26E63C8A85EC2D865AAF9AB82D5F0757154F2B6
                    SHA-256:C3EC2D5DC7790C6A7657AE02C6F491140D87D327D15103F76E7D489685E63FBB
                    SHA-512:D47889A62DE23E80CBE711C8AFD2D05938852D9980AB415253BB3D73DBC2428AA80557B6722B6E7051C99CE2F9E92ADEBF2BDBCDC05CD111E30ECA4615EA61C7
                    Malicious:false
                    Reputation:unknown
                    URL:https://www.gstatic.com/recaptcha/releases/EGO3I7Q26cZ-jBw3BEtzIx7-/recaptcha__en.js
                    No static file info