resmon.exe

  • File Path: C:\WINDOWS\SysWOW64\resmon.exe
  • Description: Resource Monitor

Hashes

Type Hash
MD5 0D30E55CD18D7B17ED753B12031D7640
SHA1 BE3B1B6D3A0C15D5D806F616FBAA7B65F59F0CAF
SHA256 FE6CBDFF1BDD11A239D1AAC7A033C467FA48AAC943C69C20D896E4A3454F7E80
SHA384 F73430633CCE02DA43E8D3EFEBC9ED2C4560E9655A49C55088D9445D5DC193B86C4E0A287FC714F18CA954298EF6963F
SHA512 29E6948886C88C91DD2D2BA971FF0AADF0E70B8F2298D22E392E0D9283CA22D9D83C12985300C020B5A5B0016BCC9FB8B24DB97628E7DDFBC036E1503F231744
SSDEEP 1536:g/CDBqY3KtrtizIo9plJSs9kYuZJnGZLzOcE6Ls7HXG84PK05Z34g/CO+sH:RDghtYIo9piswTogiqQKy349
IMP FE988F19071B74DBF935B7F57BD3D9C8
PESHA1 4BF87B534136114EC1BCD9978D59D5EC204F5D21
PE256 B57F81C9817E63E7A0B764A45120C0715A05DF5D586E9C8E5AAFA9D8F5747FE0

Runtime Data

Child Processes:

perfmon.exe

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\resmon.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: resmon.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/fe6cbdff1bdd11a239d1aac7a033c467fa48aac943c69c20d896e4a3454f7e80/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 68
C:\WINDOWS\system32\perfmon.exe 69
C:\WINDOWS\system32\perfmon.exe 47
C:\windows\system32\perfmon.exe 80
C:\Windows\system32\perfmon.exe 69
C:\Windows\system32\perfmon.exe 69
C:\WINDOWS\system32\resmon.exe 96
C:\windows\system32\resmon.exe 93
C:\Windows\system32\resmon.exe 93
C:\Windows\system32\resmon.exe 93
C:\Windows\system32\resmon.exe 93
C:\WINDOWS\system32\resmon.exe 94
C:\WINDOWS\SysWOW64\perfmon.exe 72
C:\WINDOWS\SysWOW64\perfmon.exe 69
C:\Windows\SysWOW64\perfmon.exe 74
C:\windows\SysWOW64\perfmon.exe 71
C:\Windows\SysWOW64\perfmon.exe 71
C:\Windows\SysWOW64\perfmon.exe 69
C:\windows\SysWOW64\resmon.exe 94
C:\Windows\SysWOW64\resmon.exe 96
C:\Windows\SysWOW64\resmon.exe 94
C:\WINDOWS\SysWOW64\resmon.exe 94
C:\Windows\SysWOW64\resmon.exe 94

Possible Misuse

The following table contains possible examples of resmon.exe being misused. While resmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma
  • Source File: proc_creation_win_susp_taskmgr_parent.yml
  • Example: - '\resmon.exe'
  • License: DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.