I have a process making malicious connections (as detected by my router).
I am trying to identify which process it is, but when trying to list connections I get an OwningProcess's PID equal to zero (0).
I don't get what that means. Could it be because the process has ultra high privileges (more than system)? Or could it be obfuscated somehow?
Example below (States are TimeWait because blocked by my router):
LocalAddress  LocalPort  RemoteAddress    RemotePort  State     AppliedSetting  OwningProcess
------------  ---------  -------------    ----------  -----     --------------  -------------
192.168.1.5   578xx      185.59.220.198   443         TimeWait                  0
192.168.1.5   578xx      138.199.36.11    443         TimeWait                  0
192.168.1.5   578xx      138.199.27.229   443         TimeWait                  0
192.168.1.5   578xx      89.187.169.39    443         TimeWait                  0
192.168.1.5   578xx      169.150.247.33   443         TimeWait                  0
FYI, the IPs seem to be related to *.bunnyinfra.net.
I am not sure if they are related to a malicious IP or are malicious themselves.
EDIT
I finally found the origin, but I am still looking to understand the problem: the Ghostery extension was generating those requests (because the Edge browser was running in the background). Removing the extension fixed the issue, nevertheless:
- Why would I see the process having a PID equal to zero (0)?
Note: I was using PowerShell as Administrator.
PS: It seems that the IP belongs to the extension's CDN, and that it is a false-positive malicious IP, probably due to the provider being used for malicious purposes by other applications.
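As an added example (not part of the original question), the PowerShell helper below attributes each outbound TCP connection to its owning process and labels the OwningProcess 0 case explicitly: once a process has closed its socket, the TCP stack alone keeps the TimeWait entry, so there is no owner left to report. It assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 and later), an elevated prompt, and the function name Get-ConnectionOwner is invented here.

```powershell
# Added example, not the asker's own script. Assumes an elevated PowerShell
# session with the NetTCPIP module (Get-NetTCPConnection). The function name
# Get-ConnectionOwner is invented for this example.
function Get-ConnectionOwner {
    [CmdletBinding()]
    param(
        # Remote port(s) of interest; 443 matches the output in the question.
        [int[]]$RemotePort = @(443)
    )
    Get-NetTCPConnection |
        Where-Object {
            $_.RemotePort -in $RemotePort -and
            $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$|::$)'
        } |
        ForEach-Object {
            $conn = $_
            $proc = $null
            if ($conn.OwningProcess -eq 0) {
                # PID 0 here is not the System Idle Process owning the socket:
                # the process has already closed it and only the TCP stack holds
                # the TimeWait state, so Windows has no owner to report.
                $name = '<socket released; TimeWait held by TCP stack>'
            } else {
                $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
                # Traffic from a browser extension is attributed to the browser
                # process (e.g. the Edge process tree), not to the extension.
                $name = if ($proc) { $proc.ProcessName } else { '<process exited>' }
            }
            [pscustomobject]@{
                RemoteAddress = $conn.RemoteAddress
                RemotePort    = $conn.RemotePort
                State         = $conn.State
                OwningProcess = $conn.OwningProcess
                ProcessName   = $name
                Path          = if ($proc) { $proc.Path } else { $null }
            }
        }
}

# Run this while the connection is still Established (poll it in a loop if
# needed): that is the window in which the owner is visible. After the router
# resets the session the entry drops to TimeWait and the PID becomes 0.
Get-ConnectionOwner -RemotePort 443 | Sort-Object State | Format-Table -AutoSize
```

Rows that already show OwningProcess 0 cannot be attributed after the fact; catching the owner requires sampling while the connection is live, or correlating the timestamps with process-creation and network telemetry collected beforehand.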