Source: RpcSsv.exe |
ReversingLabs: Detection: 34% |
Source: RpcSsv.exe |
Virustotal: Detection: 39% |
Perma Link |
Source: RpcSsv.exe |
Static PE information: certificate valid |
Source: Yara match |
File source: RpcSsv.exe, type: SAMPLE |
Source: Yara match |
File source: 00000000.00000002.2854182430.0000000000409000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000000.1611099098.0000000000409000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: RpcSsv.exe PID: 7592, type: MEMORYSTR |
Source: C:\Users\user\Desktop\RpcSsv.exe |
Code function: 0_2_0040425F _errno,listen,getsockname,inet_ntoa,htons,recvfrom,connect,accept,shutdown,closesocket,getsockname,inet_ntoa,htons,inet_ntoa,_errno,_errno,shutdown,closesocket, |
0_2_0040425F |
Source: RpcSsv.exe |
String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0 |
Source: RpcSsv.exe |
String found in binary or memory: http://crl.globalsign.net/Root.crl0 |
Source: RpcSsv.exe |
String found in binary or memory: http://crl.globalsign.net/Timestamping1.crl0 |
Source: RpcSsv.exe |
String found in binary or memory: http://crl.globalsign.net/primobject.crl0N |
Source: RpcSsv.exe |
String found in binary or memory: http://crl.globalsign.net/root.crl0 |
Source: RpcSsv.exe |
String found in binary or memory: http://eternallybored.org/misc/netcat/ |
Source: RpcSsv.exe |
String found in binary or memory: http://secure.globalsign.net/cacert/ObjectSign.crt09 |
Source: RpcSsv.exe |
String found in binary or memory: http://secure.globalsign.net/cacert/PrimObject.crt0 |
Source: RpcSsv.exe |
String found in binary or memory: http://www.globalsign.net/repository/0 |
Source: RpcSsv.exe |
String found in binary or memory: http://www.globalsign.net/repository/03 |
Source: RpcSsv.exe |
String found in binary or memory: http://www.globalsign.net/repository09 |
Source: C:\Users\user\Desktop\RpcSsv.exe |
Code function: 0_2_004011B0 |
0_2_004011B0 |
Source: C:\Users\user\Desktop\RpcSsv.exe |
Code function: String function: 004034EB appears 186 times |
|
Source: C:\Users\user\Desktop\RpcSsv.exe |
Code function: String function: 004035DB appears 145 times |
|
Source: classification engine |
Classification label: mal52.spre.winEXE@2/1@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03 |
Source: RpcSsv.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\RpcSsv.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: RpcSsv.exe |
ReversingLabs: Detection: 34% |
Source: RpcSsv.exe |
Virustotal: Detection: 39% |
Source: unknown |
Process created: C:\Users\user\Desktop\RpcSsv.exe "C:\Users\user\Desktop\RpcSsv.exe" |
Source: C:\Users\user\Desktop\RpcSsv.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\RpcSsv.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\RpcSsv.exe |
Section loaded: wsock32.dll |
Jump to behavior |
Source: RpcSsv.exe |
Static PE information: certificate valid |
Source: C:\Users\user\Desktop\RpcSsv.exe |
API coverage: 7.5 % |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: RpcSsv.exe, 00000000.00000002.2854248497.000000000073B000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\RpcSsv.exe |
Code function: 0_2_0040C554 RtlLookupFunctionEntry,SetUnhandledExceptionFilter,TlsGetValue,VirtualProtect, |
0_2_0040C554 |
Source: C:\Users\user\Desktop\RpcSsv.exe |
Code function: 0_2_00406C60 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00406C60 |
Source: C:\Users\user\Desktop\RpcSsv.exe |
Code function: 0_2_00405FD1 SetUnhandledExceptionFilter, |
0_2_00405FD1 |
Source: C:\Users\user\Desktop\RpcSsv.exe |
Code function: 0_2_004011B0 Sleep,Sleep,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleHandleA,GetProcAddress,_acmdln,__initenv,GetStartupInfoA,GetModuleHandleA,GetModuleHandleA,LoadLibraryA,GetModuleHandleA, |
0_2_004011B0 |
Source: C:\Users\user\Desktop\RpcSsv.exe |
Code function: 0_2_00406B60 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, |
0_2_00406B60 |
Source: C:\Users\user\Desktop\RpcSsv.exe |
Code function: 0_2_0040425F _errno,listen,getsockname,inet_ntoa,htons,recvfrom,connect,accept,shutdown,closesocket,getsockname,inet_ntoa,htons,inet_ntoa,_errno,_errno,shutdown,closesocket, |
0_2_0040425F |
Source: C:\Users\user\Desktop\RpcSsv.exe |
Code function: 0_2_00403EC7 _errno,WSASetLastError,socket,socket,_dup,setsockopt,htons,bind,_errno,inet_ntoa,_sleep,_errno,inet_ntoa,htons,connect,WSASetLastError,_errno,WSAGetLastError,shutdown,closesocket,_errno,WSASetLastError, |
0_2_00403EC7 |