resmon.exePermalink

  • File Path: C:\WINDOWS\system32\resmon.exe
  • Description: Resource Monitor

HashesPermalink

Type Hash
MD5 45D0C6A8CAD3E768E5827BBCEEB1D7E8
SHA1 2DC726BEF97C79377BB4671E3DAEBB64F0AD3BBD
SHA256 48222FDB4F54DE6CB2A3318B5BBA6E8DE3384F31C7D1CDED1B9C39C89FA41C4D
SHA384 735302B6670A0FA5A7FD9D2054FD76D1D1726E62658727DA7063B652D35B0616AD9BA34202B2886132A251FE2FFB7A41
SHA512 CEB8A376D011D9C5A4499AF437573CE75BBB8F5CFC47382B4F0F54FDDA430793DCBC22C9F1B2574ACCD4504A87893E43E7EFBF104AB602BAE5F94742815A838D
SSDEEP 1536:5ImzDBqY3KtrtizIo9plJSs9kYuZJnGZLzOcE6Ls7HXG84PK05Z34g/CO+sH:5IaDghtYIo9piswTogiqQKy349
IMP 58331E6CF4F0AAFEA98BEFC13524D945
PESHA1 071148BCC3684484ECF3F304235B6F3F82E97DE6
PE256 AC9EC57BDEDB9C8092D688E4E7E7131139CB71E09060898C8725654470C69F1A

Runtime DataPermalink

Child Processes:Permalink

perfmon.exe

Loaded Modules:Permalink

Path
C:\WINDOWS\System32\bcryptPrimitives.dll
C:\WINDOWS\System32\combase.dll
C:\WINDOWS\System32\GDI32.dll
C:\WINDOWS\System32\gdi32full.dll
C:\WINDOWS\System32\IMM32.DLL
C:\WINDOWS\SYSTEM32\kernel.appcore.dll
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcp_win.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\resmon.exe
C:\WINDOWS\System32\RPCRT4.dll
C:\WINDOWS\System32\SHELL32.dll
C:\WINDOWS\System32\ucrtbase.dll
C:\WINDOWS\System32\USER32.dll
C:\WINDOWS\system32\uxtheme.dll
C:\WINDOWS\System32\win32u.dll

SignaturePermalink

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File MetadataPermalink

  • Original Filename: resmon.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File ScanPermalink

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/48222fdb4f54de6cb2a3318b5bba6e8de3384f31c7d1cded1b9c39c89fa41c4d/detection

File Similarity (ssdeep match)Permalink

File Score
C:\Windows\system32\perfmon.exe 72
C:\WINDOWS\system32\perfmon.exe 68
C:\WINDOWS\system32\perfmon.exe 46
C:\windows\system32\perfmon.exe 79
C:\Windows\system32\perfmon.exe 68
C:\Windows\system32\perfmon.exe 71
C:\windows\system32\resmon.exe 93
C:\Windows\system32\resmon.exe 93
C:\Windows\system32\resmon.exe 91
C:\Windows\system32\resmon.exe 93
C:\WINDOWS\system32\resmon.exe 94
C:\WINDOWS\SysWOW64\perfmon.exe 69
C:\WINDOWS\SysWOW64\perfmon.exe 68
C:\Windows\SysWOW64\perfmon.exe 71
C:\windows\SysWOW64\perfmon.exe 66
C:\Windows\SysWOW64\perfmon.exe 72
C:\Windows\SysWOW64\perfmon.exe 68
C:\WINDOWS\SysWOW64\resmon.exe 96
C:\windows\SysWOW64\resmon.exe 94
C:\Windows\SysWOW64\resmon.exe 94
C:\Windows\SysWOW64\resmon.exe 96
C:\WINDOWS\SysWOW64\resmon.exe 94
C:\Windows\SysWOW64\resmon.exe 94

Possible MisusePermalink

The following table contains possible examples of resmon.exe being misused. While resmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_taskmgr_parent.yml - '\resmon.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.