resmon.exe

  • File Path: C:\WINDOWS\system32\resmon.exe
  • Description: Resource Monitor

Hashes

Type Hash
MD5 FF8CA7D9F879E176A1284F16A05A618C
SHA1 B3F01A2F8F2E144BE0C4BBFD2C15B4037B856F14
SHA256 B5CE6FCC43B79F85D20D679B29BA54E9D618501ED7B39119383C570EBABD1F57
SHA384 0621E0879A62DF24E0ABB0FEF564BF158D6B20EB2F4872D3929AE0DB960A0FD1A321DA39BF71EB653EE2A0A3B35E0AC5
SHA512 CC3FED09EAC570A64DD5CE221944D7059DCF72808573034B662F1B225F868CB8BFB5BD32EEC6EAE13B444053BB88745D21F5F8AF0674B925F8F9FAF87449A5DE
SSDEEP 1536:FYyM5BqY3KtrtizIo9plJSs9kYuZJnGZLzOcE6Ls7HXG84PK05Z34g/CO+sH:/M5ghtYIo9piswTogiqQKy349

Runtime Data

Child Processes:

perfmon.exe

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: resmon.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 69
C:\WINDOWS\system32\perfmon.exe 69
C:\WINDOWS\system32\perfmon.exe 46
C:\windows\system32\perfmon.exe 79
C:\Windows\system32\perfmon.exe 68
C:\Windows\system32\perfmon.exe 66
C:\WINDOWS\system32\resmon.exe 94
C:\windows\system32\resmon.exe 94
C:\Windows\system32\resmon.exe 93
C:\Windows\system32\resmon.exe 91
C:\Windows\system32\resmon.exe 93
C:\WINDOWS\SysWOW64\perfmon.exe 74
C:\WINDOWS\SysWOW64\perfmon.exe 68
C:\Windows\SysWOW64\perfmon.exe 75
C:\windows\SysWOW64\perfmon.exe 69
C:\Windows\SysWOW64\perfmon.exe 72
C:\Windows\SysWOW64\perfmon.exe 66
C:\WINDOWS\SysWOW64\resmon.exe 94
C:\windows\SysWOW64\resmon.exe 93
C:\Windows\SysWOW64\resmon.exe 96
C:\Windows\SysWOW64\resmon.exe 94
C:\WINDOWS\SysWOW64\resmon.exe 94
C:\Windows\SysWOW64\resmon.exe 94

Possible Misuse

The following table contains possible examples of resmon.exe being misused. While resmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma
  • Source File: proc_creation_win_susp_taskmgr_parent.yml
  • Example: - '\resmon.exe'
  • License: DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.