This morning, checked netlimiter and I'd uploaded 50mb while asleep.
Tracked this to process 1448, which is Remote desktop.
Found the connection was still active, and there was remote desktop uploading data to 18.104.22.168.
You can actually RDP to that IP address and it is a windows server 2003 machine in China.
I have no idea of what this person was uploading, nor can I figure out if they were actually signed on or not. Could failed connection attempts cause this amount of data up loading? IS there any logging of RDP anywhere?
I have a strong windows password, but now I'm wondering if RDP has a security exploit which was used to gain access to my machine .
Anyway, I've removed the port forwarding and will run some full system malware scans just to be sure.