How to find which processes have initiated a connection

asked 2025-03-03 20:36:37 +0000 by BabyShark43

updated 2025-03-04 17:29:02 +0000

Apologies if this question seems foolish - I am a little out of my depth trying to track down some apparent malware that Malwarebytes, Bitdefender Total Security and other virus scans don't catch.

My DNS cache shows that something on my laptop is connecting to undesirable websites, so is there a way I can use Wireshark to identify what program (etc.) is responsible? If I sit and wait long enough, I can see the connections appearing in Wireshark, but I don't see anything informative in the packet description (example below from the first in the series).

I have tried NetStat -b to see processes associated with active connections, but none of the foreign addresses it shows are the ones I am looking for. (Maybe I was too slow and didn't catch it?) So, how can I see what is invoking the unwanted connection?

Thanks.

[Edit - typos]

[Edit 2 - removed Wireshark output]

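An added example, not from the asker or any commenter: a PowerShell watcher that does what the netstat -b attempt in the question tried to do, but continuously, so a connection that lives for only a moment is still caught and mapped to its owning process (and, for service hosts, the services inside that PID). It assumes Windows 8 / Server 2012 or later, an elevated prompt (needed to read the image path of service processes), and a log file under $env:TEMP; the hostnames and IP are the ones quoted in the question.

```powershell
# Added example (not part of the original post). Polls the TCP table rapidly and
# logs the owning process of every connection to the addresses being hunted, so a
# short-lived connection that a one-off "netstat -b" misses is still captured.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP and DnsClient modules) and an
# elevated PowerShell, which is needed to read the image path of service processes.

$Names = @('Sportsballhub.net', 'Amandahugnkiss.org')   # names from the question
$Log   = Join-Path $env:TEMP 'conn-owners.log'          # assumed log location

# Seed the watch list from the DNS resolver cache, then add the IP the asker saw.
$Targets = @(Get-DnsClientCache -ErrorAction SilentlyContinue |
             Where-Object { $Names -contains $_.Entry -and $_.Data -match '^\d+\.\d+\.\d+\.\d+$' } |
             Select-Object -ExpandProperty Data)
$Targets = @($Targets + '104.18.22.107') | Sort-Object -Unique

$seen = @{}   # key = local port + remote endpoint + pid, so each flow is logged once
Write-Host "Watching $($Targets -join ', ')  (Ctrl+C to stop; log in $Log)"

while ($true) {
    $conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
             Where-Object { $Targets -contains $_.RemoteAddress }
    foreach ($c in $conns) {
        $key = '{0}|{1}:{2}|{3}' -f $c.LocalPort, $c.RemoteAddress, $c.RemotePort, $c.OwningProcess
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # Resolve the PID while the process is (hopefully) still alive.
        $p    = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($p) { $p.ProcessName } else { '<exited>' }
        $path = if ($p -and $p.Path) { $p.Path } else { '<unknown>' }
        # Services share host processes (svchost.exe etc.); list the services in that PID too.
        $svcs = (Get-CimInstance Win32_Service -Filter "ProcessId = $($c.OwningProcess)" |
                 Select-Object -ExpandProperty Name) -join ','

        $line = '{0} {1}:{2} -> {3}:{4} {5} pid={6} {7} {8} services=[{9}]' -f `
                (Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff'), $c.LocalAddress, $c.LocalPort,
                $c.RemoteAddress, $c.RemotePort, $c.State, $c.OwningProcess, $name, $path, $svcs
        Add-Content -Path $Log -Value $line
        Write-Host $line
    }
    Start-Sleep -Milliseconds 200
}
```

Process Monitor (the approach linked in the comments) or Sysmon network events record the same process-to-connection mapping from a driver rather than by polling, which is more reliable for connections that last only a few milliseconds.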

Comments

If you're on Windows, discussion here might help:
Identify windows process behind short lived ephemeral port

Chuckc ( 2025-03-03 22:34:21 +0000 )

@Chuckc - Thanks. Process Monitor points to a VPN service as being the culprit. Though why it should be downloading from IP addresses with suspicious names when the VPN isn't even active is a bit of a mystery.

BabyShark43 ( 2025-03-04 17:51:37 +0000 )

Are you able to name the VPN service?

grahamb ( 2025-03-04 18:06:59 +0000 )

@grahamb - Bitdefender: bdvpnservice.exe

BabyShark43 ( 2025-03-04 18:09:04 +0000 )

I am suspicious because it was accessing Sportsballhub.net and Amandahugnkiss.org, both at 104.18.22.107.

BabyShark43 ( 2025-03-04 18:15:15 +0000 )