resmon.exe

  • File Path: C:\Windows\system32\resmon.exe
  • Description: Resource Monitor

Hashes

Type Hash
MD5 C9221473CE8A3EF5C0FB8ABB912786FA
SHA1 C4CB701A39FE2D7461232321B8410F42C529E713
SHA256 C5CD5C04C1538BFADF5D1D8DB5230D8455F339909152D2D79F63AECCEBE56ADD
SHA384 FD49D61830906CC4878A81F4A6C5810F3324BEF696B756AAA4900AB35FBD8841CEA3C671B212B7EE5DA65B5DD2FA6B4A
SHA512 31148F802FD73396A351849AF33D534A124D0A9B618A296948B44A2DF61100E121EA032454294F3C16A5B401DA25EC6CDB50373E1CE0DCB8256801E2D683C3DC
SSDEEP 1536:6jhRwqBqY3KtrtizIo9plJSs9kYuZJnGZLzOcE6Ls7HXG84PK05Z34g/CO+sH:swqghtYIo9piswTogiqQKy349

Runtime Data

Child Processes:

perfmon.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001733031072665B8B9B3000000000173
  • Thumbprint: 14590DC5C3AAF238FCFD7785B4B93F4071402C34
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: resmon.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 69
C:\WINDOWS\system32\perfmon.exe 66
C:\WINDOWS\system32\perfmon.exe 49
C:\windows\system32\perfmon.exe 75
C:\Windows\system32\perfmon.exe 65
C:\Windows\system32\perfmon.exe 72
C:\WINDOWS\system32\resmon.exe 93
C:\windows\system32\resmon.exe 91
C:\Windows\system32\resmon.exe 91
C:\Windows\system32\resmon.exe 93
C:\WINDOWS\system32\resmon.exe 93
C:\WINDOWS\SysWOW64\perfmon.exe 74
C:\WINDOWS\SysWOW64\perfmon.exe 68
C:\Windows\SysWOW64\perfmon.exe 75
C:\windows\SysWOW64\perfmon.exe 69
C:\Windows\SysWOW64\perfmon.exe 72
C:\Windows\SysWOW64\perfmon.exe 69
C:\WINDOWS\SysWOW64\resmon.exe 93
C:\windows\SysWOW64\resmon.exe 93
C:\Windows\SysWOW64\resmon.exe 93
C:\Windows\SysWOW64\resmon.exe 96
C:\WINDOWS\SysWOW64\resmon.exe 94
C:\Windows\SysWOW64\resmon.exe 93

Possible Misuse

The following table contains possible examples of resmon.exe being misused. While resmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma
  • Source File: proc_creation_win_susp_taskmgr_parent.yml
  • Example: - '\resmon.exe'
  • License: DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.