Maybe someone can help out here with a strange problem.
I have a system with the following outbound connections:
The system runs DNS, Exchange, DHCP (SBS2011), etc.
All those connections in the screenshot go to Port 389/LDAP - the IP is unknown, but was associated with a time server in the past.
I uploaded those files to different sites like vt etc.
All seem clean. The system is scanned with rootkit scanners, AV scanners, etc. -> all clean.
Malwarebytes Antimalware blocked this IP a few days ago when the process svchost.exe tried to connect to this IP on Port 123.
Port 123 and 389 are closed on the IP.
Does anybody know what to do here to find out what triggers a process like dns.exe/MSExchangeADtopologyservice.exe to go to this IP?