A customer of mine with a Windows Server 2016 machine got a ransomware infection this Monday. It turned out to be Xorist. I got the Emsisoft decrypter tool, ran it successfully, and then decrypted all the files on the server.
With that part done, I scanned the machine with Webroot (which was installed; I don't know how it didn't detect this), Windows Defender, the Sophos second-opinion scanner, TDSSKiller, SUPERAntiSpyware and Malwarebytes. A trojan was found in a zip file in a profile that had been created by an external source.
I went through all my usual programs to look for anything further (Process Explorer, TCPView, netstat, etc.), but when I got to Process Monitor I noticed a lot of network traffic coming from the lsass.exe process, going to random IPs (gamertalk.com.br).
I could not get this traffic to subside, and it eventually crashed the server after 6-8 hours.
I took away the server's DNS settings as well as the gateway setting, and this continued to flow in Process Monitor.
Am I reading this program incorrectly?
How else can I go about trying to find what is making this traffic?
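As an added example (my own triage script, not code from the original poster or from any of the tools named above), here is one way to answer the last question from an elevated PowerShell prompt on the affected Server 2016 host. It maps every live TCP connection and UDP endpoint to its owning process, flags connections to non-private addresses, and then checks the process Process Monitor blamed: that the running lsass.exe is the signed binary in System32 with wininit.exe as its parent, which DLLs it has loaded, and which LSA packages the registry tells it to load. The hostname in $SuspectRemote is the one named in the post; everything else (the private-range regex, the "not in System32 or not validly signed" rule) is my assumption about what is worth flagging.

```powershell
# Added example, not from the original post: map network endpoints to owning
# processes and sanity-check lsass.exe. Run as Administrator on the server.
# Assumes the NetTCPIP cmdlets shipped with Server 2012+ are present.

$SuspectRemote = 'gamertalk.com.br'   # hostname seen in the ProcMon trace

# Resolve the suspect host so we can also match on IP; fails quietly if DNS is gone.
$suspectIps = @()
try   { $suspectIps = @((Resolve-DnsName -Name $SuspectRemote -Type A -ErrorAction Stop).IPAddress) }
catch { Write-Warning "Could not resolve $SuspectRemote (DNS removed?); matching on PID only." }

# Process table keyed by PID: image path, parent PID, command line.
$procs = @{}
Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

function Test-PrivateIp([string]$ip) {
    # RFC 1918, loopback, link-local and unspecified addresses count as "internal" (assumption).
    return $ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|0\.0\.0\.0$|::1$|::$|fe80:)'
}

# 1. TCP connections to non-private remote addresses, with the owning process.
$tcp = @(Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -and -not (Test-PrivateIp $_.RemoteAddress) } |
    ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            Proto = 'TCP'; Local = "$($_.LocalAddress):$($_.LocalPort)"
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"; State = $_.State
            PID = $_.OwningProcess; Image = $p.ExecutablePath; Parent = $p.ParentProcessId
            Suspect = ($suspectIps -contains $_.RemoteAddress)
        }
    })

# 2. UDP endpoints (no remote side is recorded for UDP, so list them all).
$udp = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue | ForEach-Object {
    $p = $procs[[int]$_.OwningProcess]
    [pscustomobject]@{
        Proto = 'UDP'; Local = "$($_.LocalAddress):$($_.LocalPort)"; Remote = '-'; State = '-'
        PID = $_.OwningProcess; Image = $p.ExecutablePath; Parent = $p.ParentProcessId; Suspect = $false
    }
})

($tcp + $udp) | Sort-Object PID | Format-Table Proto, Local, Remote, State, PID, Image, Parent, Suspect -AutoSize

# 3. Is the lsass.exe that owns the sockets the real one? The genuine binary is
#    %SystemRoot%\System32\lsass.exe, Microsoft-signed, with wininit.exe as parent.
foreach ($ls in (Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'")) {
    $sig    = Get-AuthenticodeSignature -FilePath $ls.ExecutablePath
    $parent = $procs[[int]$ls.ParentProcessId]
    [pscustomobject]@{
        PID = $ls.ProcessId; Path = $ls.ExecutablePath; Parent = $parent.Name
        SigStatus = $sig.Status; Signer = $sig.SignerCertificate.Subject
    } | Format-List

    # 4. lsass.exe loads authentication packages and SSPs as DLLs, so a foreign DLL
    #    inside it would make lsass the PID ProcMon attributes the traffic to.
    #    Flag modules outside System32 or without a valid signature (may be denied
    #    if LSA protection is enabled).
    try {
        Get-Process -Id $ls.ProcessId -ErrorAction Stop | Select-Object -ExpandProperty Modules |
            ForEach-Object {
                $s = Get-AuthenticodeSignature -FilePath $_.FileName
                if ($_.FileName -notlike "$env:SystemRoot\System32\*" -or $s.Status -ne 'Valid') {
                    [pscustomobject]@{ PID = $ls.ProcessId; Module = $_.FileName; SigStatus = $s.Status }
                }
            } | Format-Table -AutoSize
    } catch { Write-Warning "Cannot enumerate modules of PID $($ls.ProcessId): $_" }
}

# 5. Packages lsass is configured to load at boot. Anything here that is not a
#    stock Windows package name deserves a look.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
[pscustomobject]@{
    AuthenticationPackages = ($lsa.'Authentication Packages' -join ', ')
    SecurityPackages       = ($lsa.'Security Packages' -join ', ')
} | Format-List
```

Two things worth keeping in mind when reading the output: Process Monitor attributes a network event to the PID that owns the socket, so the script's TCP/UDP tables should agree with it, and on a domain-joined server lsass.exe does legitimately talk to domain controllers for Kerberos and NTLM authentication, so the question is whether the remote endpoint is a DC or something else. If step 3 shows a path other than System32, a non-Microsoft signer or a parent other than wininit.exe, or step 4 or 5 shows a package that is not a stock Windows one, that is where to dig next.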