resmon.exe

  • File Path: C:\Windows\SysWOW64\resmon.exe
  • Description: Resource Monitor

Runtime Data

Child Processes:

perfmon.exe

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\resmon.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: resmon.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/f3707c1d638f5487d1ef0a72173356023307dc6734dc738944c75f127fbcfd54/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 68
C:\WINDOWS\system32\perfmon.exe 66
C:\WINDOWS\system32\perfmon.exe 49
C:\windows\system32\perfmon.exe 75
C:\Windows\system32\perfmon.exe 65
C:\Windows\system32\perfmon.exe 69
C:\WINDOWS\system32\resmon.exe 94
C:\windows\system32\resmon.exe 94
C:\Windows\system32\resmon.exe 93
C:\Windows\system32\resmon.exe 93
C:\Windows\system32\resmon.exe 93
C:\WINDOWS\system32\resmon.exe 96
C:\WINDOWS\SysWOW64\perfmon.exe 71
C:\WINDOWS\SysWOW64\perfmon.exe 68
C:\Windows\SysWOW64\perfmon.exe 75
C:\windows\SysWOW64\perfmon.exe 68
C:\Windows\SysWOW64\perfmon.exe 72
C:\Windows\SysWOW64\perfmon.exe 66
C:\WINDOWS\SysWOW64\resmon.exe 96
C:\windows\SysWOW64\resmon.exe 93
C:\Windows\SysWOW64\resmon.exe 94
C:\WINDOWS\SysWOW64\resmon.exe 94
C:\Windows\SysWOW64\resmon.exe 94

Possible Misuse

The following table contains possible examples of resmon.exe being misused. While resmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_susp_taskmgr_parent.yml | - '\resmon.exe' | DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.