External ip connected to windows pid system(0)

Zebuddi123
Enthusiast
Posts: 794
Joined: Wed Feb 01, 2012 3:30 pm
Location: Nottinghamshire UK

External ip connected to windows pid system(0)

Post by Zebuddi123 »

Hi to all, I have found 2 external IP connections (both from the same IP) to Windows PID System(0) with state TIME_WAIT. Could any of you network gurus enlighten me please, should I be worried? Doing some research as my networking is really bad.
So far: System(0) = Windows idle process
State TIME_WAIT = ?
:) lol grrrrr

Thanks in advance
Zebuddi. :)
malleo, caput, bang. Ego, comprehendunt in tempore
Bitblazer
Enthusiast
Posts: 736
Joined: Mon Apr 10, 2017 6:17 pm
Location: Germany

Re: External ip connected to windows pid system(0)

Post by Bitblazer »

Could be legitimate, could be not. You could start to investigate with "netstat -a" and use tools from Sysinternals to proceed with tracing and dissecting the potential invaders with IDA Pro or OllyDbg, but it might just be a legitimate service you allowed and forgot, or were not aware how they achieve what you allowed them to do. Hard to say without more info.
Zebuddi123
Enthusiast
Posts: 794
Joined: Wed Feb 01, 2012 3:30 pm
Location: Nottinghamshire UK

Re: External ip connected to windows pid system(0)

Post by Zebuddi123 »

Hi Bitblazer, thanks for the reply :) :) Yes, already done what you had mentioned; basically it's Microsoft. I inadvertently swapped 1 digit, it was like "WTF is the D.O.D. connecting to me for" :shock: :shock: completely different IP range. :oops: :lol: :lol: :lol:

Zebuddi. :)
malleo, caput, bang. Ego, comprehendunt in tempore
tj1010
Enthusiast
Posts: 624
Joined: Mon Feb 25, 2013 5:51 pm
Location: US or Estonia

Re: External ip connected to windows pid system(0)

Post by tj1010 »

Check the DNS of the IP. If it's not some popular service's top-level domain it's probably malware, and you need to back up offline and put a trusted image on the wiped disk. Make sure you've got a decent AV going before loading any installers, drivers, or other binaries.

Running an AV with strong HIDS like Symantec, Norton, Avira, Dr.Web, ESET, or GDATA, or using a strong ARK like WinCheck or WinObjEx64, would likely expose malware. Not even government APT can hide from the latter two.

Malware usually injects into trusted processes after UAC bypass too, so don't just trust Task Manager and native CMD tools.
The truth hurts.
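Bitblazer's "netstat -a" step and tj1010's "check the DNS of the IP" step can be combined into a small triage script. This is an added example, not code from the thread or from any tool named in it; the `netstat -ano` sample below is constructed (only 52.114.128.8 comes from the thread), and the reverse-DNS lookup is injectable so the script runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample of Windows `netstat -ano` output (not real capture data).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49712     52.114.128.8:443       TIME_WAIT       0
  TCP    192.168.1.20:49713     52.114.128.8:443       TIME_WAIT       0
  TCP    192.168.1.20:49800     192.168.1.1:53         ESTABLISHED     1448
  TCP    [::1]:49650            [::1]:49651            ESTABLISHED     3200
  UDP    0.0.0.0:5353           *:*                                    2100
"""

def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'52.114.128.8:443' -> ('52.114.128.8', '443'); '[::1]:80' -> ('::1', '80')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def is_external(host: str) -> bool:
    """True only for globally routable addresses; '*', 0.0.0.0, RFC1918 and loopback are not."""
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return False

def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Parse TCP/UDP rows of `netstat -ano`; UDP rows have no State column, PID is last."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                     "state": state, "pid": parts[-1]})
    return rows

def default_resolver(ip: str) -> str:
    """Reverse-DNS (PTR) lookup; needs network access, so tests inject a stub instead."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return "unresolved"

def triage(text: str, resolver: Callable[[str], str] = default_resolver) -> List[Dict[str, str]]:
    """Return rows whose remote side is a public IP, annotated with its PTR name.
    A TIME_WAIT socket shows PID 0 on Windows: the owning process already closed it
    and only the TCP stack is holding the lingering entry."""
    findings = []
    for row in parse_netstat(text):
        host, port = split_endpoint(row["foreign"])
        if is_external(host):
            findings.append({**row, "ip": host, "port": port, "ptr": resolver(host)})
    return findings
```

A PTR name that does not belong to a provider you recognise is a reason to look further, not proof of anything; a PTR you do recognise is still worth cross-checking against the certificate presented on port 443.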
Zebuddi123
Enthusiast
Posts: 794
Joined: Wed Feb 01, 2012 3:30 pm
Location: Nottinghamshire UK

Re: External ip connected to windows pid system(0)

Post by Zebuddi123 »

@Marc56us Thanks for the link, I have read similar info and came to the same conclusion :) I think I understood a bit of something for a change :oops: :lol:

@tj1010 Thanks for the advice. Using Process Hacker compiled from source (wj32), system utils, IDA Pro 7, x64dbg etc. The IP is 52.114.128.8:443,
definitely Microsoft.

I had installed Wireshark & Npcap to monitor the packets etc. and dropped Adaware in for a scan. Since having uninstalled both I can only get 3 Mb download on Ethernet from a 230 Mb connection on my Windows workstation; on my Windows tablet (Wi-Fi) and Android phone (Wi-Fi) the same 3-5 Mb, yet the Windows tablet had not been on (off for at least 7 days) till a few hours ago to check the broadband speed (Ookla many times, different servers). Checked with the service provider also.

Rebooting my workstation into Linux :) (non-dual-boot, separate drive): 220+ Mb download. Strange :shock: Windows tablet factory resetting as I type, ClamTk scanning the Windows SSD too.

Zebuddi. :)
malleo, caput, bang. Ego, comprehendunt in tempore
tj1010
Enthusiast
Posts: 624
Joined: Mon Feb 25, 2013 5:51 pm
Location: US or Estonia

Re: External ip connected to windows pid system(0)

Post by tj1010 »

If the IP is bound to an MS server it's definitely not a security issue. Probably telemetry or the Store service, which you can disable with something like O&O ShutUp10. If it's 7 or 8, maybe the Defender service or background updates, or maybe some Office updater.

If it resolves to an expected top-level domain, especially with a valid TLS stream with a valid root, and a HIDS doesn't detect anything, then I usually don't bother with an ARK or reverse-engineering with IDA and a debugger. Malware with signed or unsigned binaries that doesn't communicate with a recognizable top-level domain I start digging on, because APT-level malware uses leaked signing keys to get past HIDS and PatchGuard.

I've seen malware before where there were only vague kernel-patching (DKOM) entries in only the best ARK, and you had to actually find the network traffic on another box using ARP poisoning because the rootkit fully patched NDIS, and then it was still all encrypted with PKI that used a generated key in driver code. The driver code was obfuscated with custom VM technology too, so IDA analysis would have taken forever (it would have been like unpacking a modern AAA game DRM).
The truth hurts.