resmon.exe

  • File Path: C:\Windows\SysWOW64\resmon.exe
  • Description: Resource Monitor

Runtime Data

Child Processes:

perfmon.exe

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\resmon.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: resmon.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/10d4937d6d559d7b445af08dfcdc953bdb9079e78c02c3c54bf4343499fb66e5/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 72
C:\WINDOWS\system32\perfmon.exe 66
C:\WINDOWS\system32\perfmon.exe 46
C:\windows\system32\perfmon.exe 79
C:\Windows\system32\perfmon.exe 65
C:\Windows\system32\perfmon.exe 69
C:\WINDOWS\system32\resmon.exe 94
C:\windows\system32\resmon.exe 94
C:\Windows\system32\resmon.exe 91
C:\Windows\system32\resmon.exe 96
C:\Windows\system32\resmon.exe 93
C:\WINDOWS\system32\resmon.exe 94
C:\WINDOWS\SysWOW64\perfmon.exe 74
C:\WINDOWS\SysWOW64\perfmon.exe 68
C:\Windows\SysWOW64\perfmon.exe 75
C:\windows\SysWOW64\perfmon.exe 69
C:\Windows\SysWOW64\perfmon.exe 69
C:\Windows\SysWOW64\perfmon.exe 72
C:\WINDOWS\SysWOW64\resmon.exe 94
C:\windows\SysWOW64\resmon.exe 94
C:\Windows\SysWOW64\resmon.exe 94
C:\Windows\SysWOW64\resmon.exe 94
C:\WINDOWS\SysWOW64\resmon.exe 94

Possible Misuse

The following table contains possible examples of resmon.exe being misused. While resmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_susp_taskmgr_parent.yml | - '\resmon.exe' | DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.