Is Resource Monitor a Trojan Horse?

  • Thread starter: bithead223 (Guest)

I'm not sure of the best place for this. I chose Performance and System Failures as it is about Resource Monitor, which is a performance monitoring utility. If there is a more appropriate forum, please feel free to relocate it.

==============

I recently noticed a lot of very unusual traffic being reported in my firewall logs - I was suddenly getting 50000+ blocked packets/day attempting to reach hundreds of public IP addresses on UDP port 137. Info in Wireshark reports these as "Name query NBTSTAT *<00><00><00><00><00><00><00><00><00><00><00><00><00><00><00>" traffic. Wondering where this was coming from, I methodically started closing apps and watching Wireshark to see if the traffic stopped. Eventually I came upon Resource Monitor which I had opened a couple of days ago and which was left running behind other apps on the system. When I closed Resource Monitor, the port 137 traffic destined for public IP addresses stopped.


I needed to restart the computer to let Windows install some updates. As I closed down apps in preparation for this, I opened and closed Resource Monitor several times, verifying each time that the traffic started and stopped with the program. After the updates were installed and I logged back in, this behavior with Resource Monitor continued.


The Resource Monitor executable shows no version information. Here is the info on the executable in C:\Windows\System32:

12/07/2019 02:09 AM 110,592 resmon.exe


Malwarebytes and Norton 360 find the file to be clean. It tried to contact more than 500 public IP addresses over the last 3 days. Why would it do this? If nothing else it puts quite a load on my firewall as it successfully blocks the traffic, keeping it in house. What would happen if the requests were allowed through? Is it malware phoning home (to a lot of homes)? Would it invite something bad into my system if it made contact?


Hopefully it is "just a bug" and nothing of ill intention is occurring. An explanation would certainly be appreciated.


My Windows 10 Settings indicate:


Edition - Windows 10 Pro

Version - 2004

OS Build - 19041.508
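
The traffic described in the post above is the NetBIOS node status (NBSTAT) query for the wildcard name, sent to UDP port 137. The following is an added example, not part of the original post: it decodes such a payload and counts the queries addressed outside the local network. The 192.168.1.0/24 LAN range, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

NBSTAT = 0x0021  # node status request type (RFC 1002)
WILDCARD = b"*" + b"\x00" * 15  # the name Wireshark renders as *<00>...<00>

def decode_nbns_question(payload):
    """Return (name, qtype) of the first question in a UDP/137 payload, else None."""
    if len(payload) < 50:  # 12-byte header + 34-byte name + type + class
        return None
    _tid, flags, qdcount = struct.unpack_from("!HHH", payload, 0)
    if flags & 0x8000 or qdcount < 1:  # a response, or no question present
        return None
    enc = payload[13:45]
    if payload[12] != 0x20 or payload[45] != 0 or not all(0x41 <= b <= 0x50 for b in enc):
        return None  # not a 32-byte first-level-encoded name without scope
    # Each original byte is sent as two letters 'A'..'P', one per nibble.
    name = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    qtype, _qclass = struct.unpack_from("!HH", payload, 46)
    return name, qtype

def off_lan_nbstat(events, local_nets):
    """Count wildcard NBSTAT queries per destination that lies outside local_nets."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    hits = Counter()
    for dst, payload in events:
        if decode_nbns_question(payload) != (WILDCARD, NBSTAT):
            continue
        if not any(ipaddress.ip_address(dst) in n for n in nets):
            hits[dst] += 1
    return hits

def build_query(tid, name, qtype):
    """Build a constructed NBNS question packet for the sample data below."""
    enc = bytes(c for b in name for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    header = struct.pack("!HHHHHH", tid, 0, 1, 0, 0, 0)
    return header + b"\x20" + enc + b"\x00" + struct.pack("!HH", qtype, 1)

# Constructed (destination, UDP payload) pairs; addresses are documentation ranges.
SAMPLE_EVENTS = [
    ("203.0.113.10", build_query(1, WILDCARD, NBSTAT)),
    ("203.0.113.10", build_query(2, WILDCARD, NBSTAT)),
    ("198.51.100.7", build_query(3, WILDCARD, NBSTAT)),
    ("192.168.1.20", build_query(4, WILDCARD, NBSTAT)),  # on the LAN, not counted
    ("198.51.100.7", build_query(5, b"FILESRV".ljust(15) + b"\x00", 0x0020)),  # plain name query
]

if __name__ == "__main__":
    print(off_lan_nbstat(SAMPLE_EVENTS, ["192.168.1.0/24"]).most_common())
```

Grouping the counts by destination and by the time a given program was open is what ties the queries to a single process, as the post did by opening and closing Resource Monitor.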
