Got a Dell SecureWorks incident today opened by our SW Patch management server. The firewall is seeing a bunch of DROPs to port 135, for nonexistent IPs in our IP range.
Noticed in a netstat -a on the SW patch mgmt server that there were a lot of open connections for sure. In resmon.exe > Network tab > TCP connections, I see a lot of SWJobEngineWorker2.exe on various IPs, but not on port 135. I see a lot of svchost.exe (RPCSS) to various IPs on port 135.
I just want to verify this is normal and the server isn't compromised.
I actually tried to kill svchost.exe (RPCSS) and it said "Your PC ran into a problem and needs to restart. We're just collecting some error info and then we'll restart for you. (0% Complete).
If you'd like to know more, you can search online later for this error: 0xc000021a"