Even I have a similar question.
The machines were updated with six Chinese IPs, which belonged to China Unicom China169 Backbone and Shenzhen Tencent Computer Systems Company Limited. However, the domains resolved to various names when I did an IP lookup.
I even checked on AbuseIPDB, but there were no abuse reports there.
Windows update linked to Chinese IP
For the past few days, I have been facing the following issue with Windows updates on 2 machines.
The machines are connecting to the following site [legitimate, as it seems] for updates: [http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?]
However, I get AV detections that the connections to this site are basically connections to the suspicious IP:
Remote IP 126.96.36.199
Remote Port 80
This IP belongs to China Telecom, as can be viewed at https://whois.domaintools.com/188.8.131.52, and has mixed reputation reviews.
I checked DNS and WSUS. All good.
One of the 2 machines was disconnected from the Internet and still connected to the same HTTP site and Chinese IP.
I cannot really explain this. Your feedback would be appreciated.
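The checks a responder would run on one of the affected machines, as an added example that is not part of the original thread or of any answer in it. It assumes PowerShell 5.1 or later on a Windows 8+/Server 2012+ host (for Resolve-DnsName, Get-DnsClientCache and Get-NetTCPConnection) and uses the update hostname and the AV-reported address quoted in the question; replace `$SuspectIp` with the address your own AV reports. The goal is to separate the three things that can make "ctldl.windowsupdate.com" appear to point at an unexpected address: what the resolver returns right now, a local override (DNS cache, hosts file, proxy or WSUS setting), and which process actually holds the connection.

```powershell
# Added triage script (not from the original thread). Values below are the ones
# quoted in the question; substitute your own before running.
$UpdateHost = 'ctldl.windowsupdate.com'
$SuspectIp  = '126.96.36.199'

Write-Host "== 1. Current DNS answer for $UpdateHost =="
# What the configured resolver hands back at this moment.
$answers = Resolve-DnsName -Name $UpdateHost -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.QueryType -eq 'A' }
$answers | Select-Object Name, IPAddress, TTL | Format-Table -AutoSize
$resolved = @($answers | ForEach-Object { $_.IPAddress })
if ($resolved -contains $SuspectIp) {
    Write-Host "DNS on this host currently maps $UpdateHost to $SuspectIp"
} else {
    Write-Host "$SuspectIp is NOT among the addresses returned now: $($resolved -join ', ')"
}

Write-Host "== 2. Local overrides that can survive a DNS check =="
# A stale cache entry or a hosts-file line answers before any DNS server is asked,
# which is one way an offline machine can still 'connect' to a fixed address.
Get-DnsClientCache -Name "$UpdateHost*" -ErrorAction SilentlyContinue |
    Select-Object Entry, Data, TimeToLive | Format-Table -AutoSize

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsHits = Select-String -Path $hostsPath -Pattern ('windowsupdate|' + [regex]::Escape($SuspectIp))
if ($hostsHits) { Write-Host "hosts file entries of interest:"; $hostsHits | ForEach-Object { $_.Line } }
else            { Write-Host "hosts file has no windowsupdate or $SuspectIp entries" }

# System-wide (WinHTTP) proxy used by the Windows Update service.
Write-Host "WinHTTP proxy:"; netsh winhttp show proxy

# Per-user WinINET proxy / PAC settings.
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List

# WSUS policy: if WUServer is set, updates should come from that server, not the Internet.
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue |
    Select-Object WUServer, WUStatusServer | Format-List

Write-Host "== 3. Live connections to $SuspectIp and the owning process =="
# Ties the AV alert to a PID and image path; an unexpected owner is the real finding.
Get-NetTCPConnection -RemoteAddress $SuspectIp -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort  = $_.LocalPort
            RemotePort = $_.RemotePort
            State      = $_.State
            PID        = $_.OwningProcess
            Process    = $proc.Name
            Path       = $proc.Path
        }
    } | Format-Table -AutoSize
```

Read the three sections together rather than in isolation. The CTL download host is served through a CDN, so the address it resolves to differs by region and by resolver, and an unfamiliar network owner on its own is weak evidence. The stronger signals are in sections 2 and 3: a hosts-file line or proxy setting that pins the name to one address would explain why a machine with no Internet link still reports the same destination, and the owning process tells you whether the connection is coming from the update stack or from something else that merely uses a Windows Update URL in its traffic.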