KMS Connection Broker connecting to China?

I noticed in my alert logs today that ‘KMS Connection Broker’ is connecting to China - IP:120.26.211.29

It seems like ‘sppextcomobj.exe’ is a legit system file, but I find it strange that it’s connecting to China - Is this normal?

Any advice would be greatly appreciated :)

I found this thread https://www.bleepingcomputer.com/forums/t/504698/kms-connection-broker-did-i-just-download-install-trojan-virus-spy/.

If you click the .exe is it signed by Microsoft? If so it’s probably OK. With content delivery networks sometimes IP addresses can be in China or anywhere else in the world. https://en.wikipedia.org/wiki/Content_delivery_network

Check this link for things you can do if you think you might have malware on your PC.
https://www.glasswire.com/malware/

It is not a virus.
I can only tell you that I have it on my Win 8 machine, it appears to be a legitimate part of the OS, and I think it might have something to do with KMS Licensing for Microsoft Products (like MS office) but I’m not sure because I do not have any MS Office products on my machine. Good luck.

I would like to get an update if you’ve managed to find out what it was and how you’ve solved it?

@penarddan

If it’s signed by Microsoft it should be a legitimate part of the OS. We made this resource page to help people see if an .exe is safe or not.
https://www.glasswire.com/processes/

Thank you! Out of all the options available to deal with this situation, I think resetting your network configurations is the best.

@penarddan

I don’t think that will make any difference with this situation. It appears this broker is a valid part of Windows and it will continue to behave the exact same way even if your network configuration was reset.
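
The signature check suggested in the replies above can be scripted. This is an added example, not code from any poster in the thread: it checks that the running sppextcomobj.exe sits in System32 and carries a valid Microsoft signature, then lists its established connections. The expected path assumes a default Windows install.

```powershell
# Added example: triage a running sppextcomobj.exe (KMS Connection Broker).
# Run from an elevated PowerShell prompt so the process path is readable.

# Assumption: default install location of the genuine binary.
$expected = Join-Path $env:SystemRoot 'System32\SppExtComObj.exe'

$procs = Get-CimInstance Win32_Process -Filter "Name = 'sppextcomobj.exe'"
if (-not $procs) {
    Write-Host 'sppextcomobj.exe is not running right now.'
    return
}

foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) {
        Write-Warning "PID $($p.ProcessId): path not readable, re-run elevated."
        continue
    }

    # Authenticode check: status must be Valid and the signer must be Microsoft.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    [pscustomobject]@{
        PID               = $p.ProcessId
        Path              = $path
        InSystem32        = ($path -ieq $expected)   # same name elsewhere is a red flag
        SignatureStatus   = $sig.Status
        Signer            = $signer
        SignedByMicrosoft = ($sig.Status -eq 'Valid' -and
                             $signer -match 'O=Microsoft Corporation')
    } | Format-List

    # Remote endpoints this process is talking to right now.
    Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
        Where-Object State -eq 'Established' |
        Format-Table RemoteAddress, RemotePort, State -AutoSize
}
```

A file with the right name that is outside System32, or whose signature status is anything other than Valid, deserves a closer look before the connection itself does.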