resmon.exe

  • File Path: C:\Windows\system32\resmon.exe
  • Description: Resource Monitor

Hashes

Type Hash
MD5 A01AB6C669DCC17E87C84C0C07D2CFAE
SHA1 9B6EF117022714BADD3C0627207127AD885BAE96
SHA256 956CD8B2C832E631917281B131EE9B137D2702FFC929AEF6FC2C71AD1C761F8B
SHA384 35A153CBFD8AD962B7E79A6B76A1A109CB446195C4B955413F4CC7743DCE4CCD07F821BB2A4DD0FB818F7E047FED731D
SHA512 40330B2D3D7E82812E6471E861408832FA637F72F309E12C3F9DC61CA219F117450D93C9D97BAA670045E95F1852C81D872F246E29BE68A501E5600A8FAC27BB
SSDEEP 1536:T7n1b6HBqY3KtrtizIo9plJSs9kYuZJnGZLzOcE6Ls7HXG84PK05Z34g/CO+sH:TpOHghtYIo9piswTogiqQKy349
IMP C489853A1F490DCDAEA1E10E57C136E4
PESHA1 FA1E63FD53EE235DEA2FC7AFE943F978A189AC42
PE256 9A011C4230ED22092591A8B70B170062FCCE16A117777EE3D9FDA1AEB1D5DF11

Runtime Data

Child Processes:

perfmon.exe

Loaded Modules:

Path
C:\Windows\System32\advapi32.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\powrprof.dll
C:\Windows\System32\profapi.dll
C:\Windows\system32\resmon.exe
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\shlwapi.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\windows.storage.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: resmon.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/956cd8b2c832e631917281b131ee9b137d2702ffc929aef6fc2c71ad1c761f8b/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 72
C:\WINDOWS\system32\perfmon.exe 71
C:\WINDOWS\system32\perfmon.exe 46
C:\windows\system32\perfmon.exe 74
C:\Windows\system32\perfmon.exe 68
C:\Windows\system32\perfmon.exe 68
C:\WINDOWS\system32\resmon.exe 91
C:\windows\system32\resmon.exe 91
C:\Windows\system32\resmon.exe 90
C:\Windows\system32\resmon.exe 93
C:\WINDOWS\system32\resmon.exe 91
C:\WINDOWS\SysWOW64\perfmon.exe 72
C:\WINDOWS\SysWOW64\perfmon.exe 69
C:\Windows\SysWOW64\perfmon.exe 74
C:\windows\SysWOW64\perfmon.exe 66
C:\Windows\SysWOW64\perfmon.exe 69
C:\Windows\SysWOW64\perfmon.exe 71
C:\WINDOWS\SysWOW64\resmon.exe 93
C:\windows\SysWOW64\resmon.exe 93
C:\Windows\SysWOW64\resmon.exe 93
C:\Windows\SysWOW64\resmon.exe 93
C:\WINDOWS\SysWOW64\resmon.exe 93
C:\Windows\SysWOW64\resmon.exe 96

Possible Misuse

The following table contains possible examples of resmon.exe being misused. While resmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_taskmgr_parent.yml - '\resmon.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.