
I am noticing a ton of system processes running on my network from a specific computer, and there are TCP HTTPS packets being sent. Here are a few IPs I noticed. Is this normal? Ukraine addresses give no results back when tracing them (ip-lookup).

[screenshot 1: connection list, not reproduced]

[screenshot 2: connection list, not reproduced]

I was told to come post here because this is where this question belonged? I was told my computer is infected with a virus and to disconnect it now, though this computer has been on the network for a long time now. The user reported claims of harassment from a conflict in a game and has since been experiencing issues and receiving threats.

Since seeing this computer infected, I had taken it off the network, wiped it clean with a fresh copy of Windows 10 using Rufus and a copy of the ISO from the Microsoft download page, installed Kaspersky, then began updating the machine. These screenshots posted are roughly 1 hour or so of uptime. Obviously my security measures are not strong enough. I think maybe the router is infected, or another computer on the network, so it automatically infects this targeted PC once it's back online?

Esa Jokinen

1 Answer


Port 50721 is totally irrelevant: every HTTPS connection to remote HTTPS port 443 is made from a random local port between 49152 and 65535, the dynamic, private or ephemeral ports.

Port numbers are assigned in various ways, based on three ranges: System Ports (0-1023), User Ports (1024-49151), and the Dynamic and/or Private Ports (49152-65535); the different uses of these ranges are described in RFC 6335.

Then, they are not connections from "a ton of system processes running", but connections in a TIME_WAIT state, i.e. the socket is waiting after close to handle packets still in the network. It's completely normal that they belong to the [System Process], PID 0.

You'll soon get more of these with the fresh Windows 10 install with virus protection from Kaspersky Lab. Most of these IP addresses are in 62.128.100.0/23, netname LINX-MOW-DIA-KASPERSKY-LAB, belonging to Kaspersky Lab. Those connections were to Kaspersky's update servers or similar.

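As an added example (not part of the answer above), the following Python script applies the answer's three "this is normal" criteria to `netstat -ano` style output: ephemeral local port talking to remote port 443, TIME_WAIT sockets held by PID 0, and remote addresses inside 62.128.100.0/23. The netstat rows are constructed samples, not the poster's screenshots.

```python
# Added example, not the original answer's code. Input rows below are
# constructed samples in "netstat -ano" format (Windows), not real capture data.
import ipaddress

# Prefix the answer names as LINX-MOW-DIA-KASPERSKY-LAB.
KASPERSKY_NET = ipaddress.ip_network("62.128.100.0/23")
EPHEMERAL = range(49152, 65536)  # RFC 6335 dynamic/private port range

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:50721     62.128.100.37:443      TIME_WAIT       0
  TCP    192.168.1.20:50733     62.128.101.9:443       ESTABLISHED     1234
  TCP    192.168.1.20:51002     203.0.113.8:443        TIME_WAIT       0
  TCP    192.168.1.20:51010     203.0.113.8:8080       ESTABLISHED     1234
"""

def parse_netstat(text):
    """Parse TCP rows of 'netstat -ano' into dicts; header and non-TCP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _lhost, lport = parts[1].rsplit(":", 1)
        rhost, rport = parts[2].rsplit(":", 1)
        rows.append({"local_port": int(lport), "remote": rhost,
                     "remote_port": int(rport), "state": parts[3],
                     "pid": int(parts[4])})
    return rows

def classify(row):
    """List which of the answer's benign explanations apply to one connection."""
    reasons = []
    if row["local_port"] in EPHEMERAL and row["remote_port"] == 443:
        reasons.append("ephemeral->443")
    if row["state"] == "TIME_WAIT" and row["pid"] == 0:
        reasons.append("TIME_WAIT held by PID 0")
    try:  # IPv6 rows carry brackets and would fail here; treat them as unmatched
        if ipaddress.ip_address(row["remote"]) in KASPERSKY_NET:
            reasons.append("Kaspersky update range")
    except ValueError:
        pass
    return reasons

def triage(text):
    """Map 'remote:port' to its reasons; an empty list means nothing above explains it."""
    return {f'{r["remote"]}:{r["remote_port"]}': classify(r)
            for r in parse_netstat(text)}
```

Rows that come back with an empty list are the ones worth a closer look; the rest match the benign patterns the answer describes.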