I’m running Server 2012 R2.
When I look at the Network tab in the Resource Monitor, I see strange network addresses which last for a few seconds and then disappear.
The server is used as database server and should only be connected from Australian addresses. I can see many addresses from .ru, .tr, .fr, etc.
All these connections are being used by PID 4, the System image.
I have run a scan with Malwarebytes which picked up zero issues.
- Is there a way to see which System process is using these connections?
- Is this some type of worm and if so, how can I locate it?