vss_ps.dll

  • File Path: C:\Windows\SysWOW64\vss_ps.dll
  • Description: Microsoft Volume Shadow Copy Service proxy/stub

Hashes

| Type | Hash |
|---|---|
| MD5 | 97B15BDAE9777F454C9A6BA25E938DB3 |
| SHA1 | 0E32F46AF106EDAB283F5221B92BD5AB224C06F0 |
| SHA256 | 91E7EFEFDF36976054ED5DAF82B0FC873C13C76BB3CB081AB521519F1378E7DE |
| SHA384 | F3431460E117D49794EAF56910A69F29FCDAA868FF230E73FE74F0309EFE26A7C5850D089DF9F0D1AC3CD69435E6B4C5 |
| SHA512 | 012E0BECAB2D73BFED783E3AC90D03EA6DDB84FA666DE07BC5AF4092D3041BC5E334C20F2E483608928E4924B613A4F4FF498CE9A34AE22C9F57C28865507BFC |
| SSDEEP | 384:s0hL7kJIErVgQDT6mf3mmB7wuO0xa0khAj4THshtomPQHPnrmFnW/uWLWIoYe+9I:s87sIErVgQDTtTfbOyF/WRzA |
| IMP | 474800DF44235BC745E38B23F9B078F7 |
| PESHA1 | F34A14D95C1C15E15A1B1EB9FD3A06B6E0E46C44 |
| PE256 | 9C6347E11D05E2EECC4EE920836B25E17B28F3F8245A529E54B15AA565AA01C0 |

DLL Exports:

| Function Name | Ordinal | Type |
|---|---|---|
| DllUnregisterServer | 4 | Exported Function |
| GetProxyDllInfo | 5 | Exported Function |
| DllRegisterServer | 3 | Exported Function |
| DllCanUnloadNow | 1 | Exported Function |
| DllGetClassObject | 2 | Exported Function |

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: VSS_PS.DLL
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/91e7efefdf36976054ed5daf82b0fc873c13c76bb3cb081ab521519f1378e7de/detection/

Possible Misuse

The following table contains possible examples of vss_ps.dll being misused. While vss_ps.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | image_load_suspicious_vss_ps_load.yml | title: Image Load of VSS_PS.dll by Uncommon Executable | DRL 1.0 |
| sigma | image_load_suspicious_vss_ps_load.yml | description: Detects the image load of vss_ps.dll by uncommon executables using OriginalFileName datapoint | DRL 1.0 |
| sigma | image_load_suspicious_vss_ps_load.yml | - '\vss_ps.dll' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.