resmon.exe

  • File Path: C:\Windows\SysWOW64\resmon.exe
  • Description: Resource Monitor

Hashes

Type Hash
MD5 87427E88F06D7C568E3E4A8BD838E380
SHA1 29D4E265961206589988BD58EAA9E1F13E4D2AB8
SHA256 0091DEA72E25148784E5FEB32C51142957B24AB66688747EF5B8BD74AC9817DC
SHA384 DD86C19AC93F9713A295ABF2CC5E57454246102D589488AB577B103624A29024BB0273D50B7BDD94324C4FE99026C1C6
SHA512 06523880AB8FCF072E2216FAE170CF554B952475BD920CDC504CC16521A6B3BFFAB3B324E0B8131EFF6F682464B1FCD847F41F04472E05BFF21033E0412C818A
SSDEEP 1536:SmEqBqY3KtrtizIo9plJSs9kYuZJnGZLzOcE6Ls7HXG84PK05Z34g/CO+sH:SqghtYIo9piswTogiqQKy349

Runtime Data

Child Processes:

perfmon.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001733031072665B8B9B3000000000173
  • Thumbprint: 14590DC5C3AAF238FCFD7785B4B93F4071402C34
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: resmon.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 68
C:\WINDOWS\system32\perfmon.exe 68
C:\WINDOWS\system32\perfmon.exe 47
C:\windows\system32\perfmon.exe 77
C:\Windows\system32\perfmon.exe 66
C:\Windows\system32\perfmon.exe 69
C:\WINDOWS\system32\resmon.exe 96
C:\windows\system32\resmon.exe 93
C:\Windows\system32\resmon.exe 93
C:\Windows\system32\resmon.exe 93
C:\Windows\system32\resmon.exe 96
C:\WINDOWS\system32\resmon.exe 94
C:\WINDOWS\SysWOW64\perfmon.exe 75
C:\WINDOWS\SysWOW64\perfmon.exe 69
C:\Windows\SysWOW64\perfmon.exe 74
C:\windows\SysWOW64\perfmon.exe 71
C:\Windows\SysWOW64\perfmon.exe 74
C:\Windows\SysWOW64\perfmon.exe 69
C:\WINDOWS\SysWOW64\resmon.exe 94
C:\windows\SysWOW64\resmon.exe 96
C:\Windows\SysWOW64\resmon.exe 94
C:\WINDOWS\SysWOW64\resmon.exe 94
C:\Windows\SysWOW64\resmon.exe 94

Possible Misuse

The following table contains possible examples of resmon.exe being misused. While resmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_susp_taskmgr_parent.yml | - '\resmon.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.