Traffic Monitor help

Hi. Could anyone tell me if this is normal? I live in the UK and I can’t think of any reason why I should be seeing a Traffic Connection to Thailand. This connection is there every day, all day.
I don’t know anyone in Thailand, I don’t contact Thailand, and as far as I know I don’t use any apps which connect me to Thailand.

This traffic has been the same for several weeks.

I’d block the connection then do a thorough scan. According to whois the IP range is registered to a Thailand ISP with a block description of Dynamic IP Address for residential Broadband Customers. If this is true (and not always reliable) then NT kernel and system shouldn’t be making connections to dynamic broadband customers.

If Microsoft have yet another service configured to connect to another random CDN for some sort of updates or data collection then shame on them, and I would still block it.

How do I block that?

You will probably need to use Windows Advanced Firewall to configure a targeted rule because from memory I don’t think Glasswire’s firewall system allows such granular firewall rule control. I don’t have access to a PC for another week so can’t test it and provide specific steps.

However the process I would follow is to use Glasswire to discover the process generating the traffic which in the screenshot is ntoskrnl & system. Can’t remember if you can hover/click on that process on that window to give more details on the specific service or process id.

Then I use a combination of processmon and tcpmon from Sysinternals to identify the exact service or executable generating the traffic and the ports being used.

Document this and then go into Windows Advanced Firewall and create a specific rule set to block this traffic.

I can provide a more detailed guide in about a week when I get back home.
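The three steps in the reply above (identify the owning process and ports, document them, then block the range in Windows Advanced Firewall) can be scripted with the built-in NetSecurity cmdlets. This is an added example, not the poster's promised guide; the remote address, the whois range and the rule name are placeholders, since the thread does not give the real values.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on
# Windows 8 / Server 2012 or later, where the NetSecurity module exists.
# Assumptions (placeholders, not values from the thread):
$RemoteIp    = '203.0.113.45'     # the Thai address shown in Traffic Monitor
$RemoteRange = '203.0.113.0/24'   # the whois block it belongs to (RFC 5737 doc range)
$RuleName    = 'Block - unexplained TH connection'

# 1. Who owns the connection right now? Glasswire's "NT Kernel & System"
#    is PID 4 (System); an svchost-hosted service resolves via Win32_Service.
#    TCP only: Get-NetUDPEndpoint carries no remote address.
Get-NetTCPConnection -RemoteAddress $RemoteIp -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($_.OwningProcess)" |
                Select-Object -ExpandProperty Name
        [pscustomobject]@{
            LocalPort  = $_.LocalPort
            RemotePort = $_.RemotePort
            State      = $_.State
            Pid        = $_.OwningProcess
            Process    = $proc.ProcessName
            Services   = ($svc -join ',')   # empty for PID 4 (System)
        }
    } | Format-Table -AutoSize   # 2. record this output before blocking

# 3. Block the whole registered range, both directions, on every profile.
foreach ($dir in 'Outbound', 'Inbound') {
    New-NetFirewallRule -DisplayName "$RuleName ($dir)" `
        -Direction $dir -Action Block -Enabled True -Profile Any `
        -RemoteAddress $RemoteRange | Out-Null
}

# Verify the rules landed with the intended address scope.
Get-NetFirewallRule -DisplayName "$RuleName*" | ForEach-Object {
    $af = $_ | Get-NetFirewallAddressFilter
    '{0,-45} {1,-9} {2,-6} {3}' -f $_.DisplayName, $_.Direction, $_.Action,
                                    ($af.RemoteAddress -join ',')
}
```

A remote-address rule stops this one range but not the process itself, so it complements, rather than replaces, the scan the earlier reply recommends; remove the rules later with `Remove-NetFirewallRule -DisplayName "$RuleName*"`.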

What app is making that connection?
In any case, it may be an RDP brute force attempt. Try installing something like EvlWatcher or Fail2ban. You could also install PowerToys and use the host editor to “block” that IP address by redirecting it.