resmon.exe

  • File Path: C:\Windows\system32\resmon.exe
  • Description: Resource Monitor

Hashes

Type Hash
MD5 852ACA89972551B00B110EEE6ADA717A
SHA1 E1DB406505EC0492825E83D81C9C0274C1ACF1AD
SHA256 4C0BDF906AF0C1FDBC9FA61BF2AF95C708498F5AFE8E05C65E865E99DEAC8716
SHA384 3BECAD8F946B4B7A1D2A16ADC98A4EF7BA372A4086A050C50241E333C7C90EDDAA507FD530380DAF8A7BF63BCBF7708A
SHA512 9E388B1325CFDA2597428D9B44EE48B491D29DBF0840065DEAC7C75F3647757EEFD8AA5D1E8B33AA119C742EB71751FA94B66B47574C9A4F65A5F25025372664
SSDEEP 1536:5EZgvhlKBqY3KtrtizIo9plJSs9kYuZJnGZLzOcE6Ls7HXG84PK05Z34g/CO+sH:c6KghtYIo9piswTogiqQKy349
IMP C489853A1F490DCDAEA1E10E57C136E4
PESHA1 4A85AF6DCFFFA70C9CCFDD570444F551A5FABB1F
PE256 1A945D89A85BBD00490D29DF7A12C400EF02D3F5EE1353C2BF9388598686792F

Runtime Data

Child Processes:

perfmon.exe

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\resmon.exe
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: resmon.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/4c0bdf906af0c1fdbc9fa61bf2af95c708498f5afe8e05c65e865e99deac8716/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 68
C:\WINDOWS\system32\perfmon.exe 72
C:\WINDOWS\system32\perfmon.exe 46
C:\windows\system32\perfmon.exe 79
C:\Windows\system32\perfmon.exe 68
C:\Windows\system32\perfmon.exe 69
C:\WINDOWS\system32\resmon.exe 93
C:\windows\system32\resmon.exe 91
C:\Windows\system32\resmon.exe 90
C:\Windows\system32\resmon.exe 91
C:\WINDOWS\system32\resmon.exe 93
C:\WINDOWS\SysWOW64\perfmon.exe 74
C:\WINDOWS\SysWOW64\perfmon.exe 68
C:\Windows\SysWOW64\perfmon.exe 72
C:\windows\SysWOW64\perfmon.exe 69
C:\Windows\SysWOW64\perfmon.exe 69
C:\Windows\SysWOW64\perfmon.exe 69
C:\WINDOWS\SysWOW64\resmon.exe 93
C:\windows\SysWOW64\resmon.exe 90
C:\Windows\SysWOW64\resmon.exe 93
C:\Windows\SysWOW64\resmon.exe 93
C:\WINDOWS\SysWOW64\resmon.exe 93
C:\Windows\SysWOW64\resmon.exe 91

Possible Misuse

The following table contains possible examples of resmon.exe being misused. While resmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_susp_taskmgr_parent.yml | - '\resmon.exe' | DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.