Tcpvcon.exe

  • File Path: C:\SysinternalsSuite\Tcpvcon.exe
  • Description: TCP/UDP endpoint viewer

Hashes

Type    Hash
MD5     0D9540F8ED3EC25CF65B21454BD72123
SHA1    4532822AE9CC083115C32E6AA9C4E08C3D673575
SHA256  C9C3F0C4E7519D3A1F4CA427635F994A06613E94CB049F48C10151FAB8888183
SHA384  F994C039EB4FB721D5223C682760F2FA137D76198AB03A290BADC68FF614A300FC45AF8D715650AD06C5740970006D7D
SHA512  654C482CE96473E4000BE8B7DD2A8240B958A34F8D11053BD99716ABE4269D75E0902D768F635C68FD0F9FA0BC8D2FECD965EE465D783EA88F270ACBCDD8EF2B
SSDEEP  3072:eqMPhwQ+ro7Gv6+36G9yawQj/Fx8g+bImcBFDI9lw95J:eqM2Q+rayL6G9ykUdKBpolQ3
IMP     C510DEA76F6096F5CFE2C672A3E799C1
PESHA1  77312169149D3820CF41D827441C7D97D45832B4
PE256   2E5A4AB4F99B237FF90D9E3733F73D90AC0AB32B6E564157659FB0FF2B1BDD77

Runtime Data

Usage (stdout):

Usage: tcpvcon [-a] [-c] [-n] [process name or PID]
  -a       Show all endpoints (default is to show established TCP
           connections).
  -c       Print output as CSV.
  -n       Don't resolve addressed.
  process  Only show endpoints owned by the process specified.


Usage (stderr):


TCPView v3.01 - TCP/UDP endpoint viewer
Copyright (C) 1998-2010 Mark Russinovich and Bryce Cogswell
Sysinternals - www.sysinternals.com


Child Processes:

conhost.exe

Open Handles:

Path Type
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.488_none_89e6152f0b32762e File
(RW-) C:\xCyclopedia File
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section

Loaded Modules:

Path
C:\SysinternalsSuite\Tcpvcon.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll

Signature

  • Status: Signature verified.
  • Serial: 6101CF3E00000000000F
  • Thumbprint: 9617094A1CFB59AE7C1F7DFDB6739E4E7C40508F
  • Issuer: CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename:
  • Product Name: Sysinternals TCPView
  • Company Name: Sysinternals - www.sysinternals.com
  • File Version: 3.01
  • Product Version: 3.01
  • Language: English (United States)
  • Legal Copyright: Copyright (C) 1998-2010 Mark Russinovich and Bryce Cogswell
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/c9c3f0c4e7519d3a1f4ca427635f994a06613e94cb049f48c10151fab8888183/detection/

Possible Misuse

The following table contains possible examples of Tcpvcon.exe being misused. While Tcpvcon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source     Source File                                    Example            License
sigma      proc_creation_win_false_sysinternalsuite.yml   - '\tcpvcon.exe'   DRL 1.0
stockpile  7a6ba833-de40-466a-8969-5c37b13603e0.yml       "tcpvcon",         Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.