1. Due to issue with Microsoft’s BITS protocol and CDN environment, windows update may end up using high Bandwidth. Your WAN utilization graph will look like this, even for several months.
2. To identify the service which is downloading the data open Task Manager go to Performance manger and click Open Resource Monitor.
3. In this case Svchost.exe would be the process downloading the data and it should be connected to Microsoft update Content Delivery Network (CDN)
List of Microsoft update IPS can be found we at,
https://github.com/crazy-max/WindowsSpyBlocker/blob/master/logs/win81/firewall-test-update.csv
4. Upon exploring the sub-services you will find BITS process downloading the data.
5. Further drilling the BITS process, you will get the Job ID of the actual process transferring the data.
6. By further debugging the Job ID, you will get the remote file name which is being downloaded, it should be on windowsupdate.com.
7. Name lookup of suspected IP, which is part of Windows update CDN.
8. Due to its suspicious behaviour some of these IPs are listed as malicious domains which probably is incorrect.
https://www.malwares.com/report/ip?ip=117.18.232.200
https://www.abuseipdb.com/check/117.18.232.200