perfmon.exe

  • File Path: C:\Windows\SysWOW64\perfmon.exe
  • Description: Resource and Performance Monitor

Screenshot: perfmon.exe (image not reproduced in this text version)

Hashes

Type Hash
MD5 97F73727B423C2FEE513EB7A06E357E5
SHA1 CA1668D8D389B48A5BA574925B4496DF2950434D
SHA256 5D4C3EF49BB510B7FBB943ACF60BD6B74FC6D295B9CC93933155CBAF535F03EB
SHA384 909000B6202806525E935D9B55A51949358BE564129857760DE1D3F81F23439623349CE7EF007083A23DA5D2F8D68F9F
SHA512 E510D43DC2534DE86D2D9826B59353AA3153E14B4B4BF2286C829B37277F4BCFCEFD2E5B044132C56C528A3BC7704535D4B1EED37E90B4CF1F6239FD2BA75C6E
SSDEEP 3072:6utzRwSpaYHrz1m2dyGghtYIo9piswTogiqQKy349tm:ZaSpaAn42dyhqIo9s37iTK24nm
IMP B9EFBBF3710DB144F0FAEC23B813B32E
PESHA1 5307B5742DACC8DB9CE4455C63D1405BD50A8C3E
PE256 F1BC7DFC850BFC45A750CA991ED0556E840CDDFD43F96F620245E0B34CA41531

Runtime Data

Usage (stdout):

Argument '-help' is unknown.

Window Title:

Resource and Performance Monitor

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\System32\en-US\imageres.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\SysWOW64\en-US\perfmon.exe.mui File
(R-D) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_3c26ab8c9470805a\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_3c26ab8c9470805a File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_261b62a767ca4e6d File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\perfmon.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: perfmon.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.00
  • Product Version: 10.00
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/5d4c3ef49bb510b7fbb943acf60bd6b74fc6d295b9cc93933155cbaf535f03eb/detection/

File Similarity (ssdeep match)

File                               Score
C:\Windows\system32\perfmon.exe    65
C:\WINDOWS\system32\perfmon.exe    61
C:\WINDOWS\system32\perfmon.exe    47
C:\windows\system32\perfmon.exe    66
C:\Windows\system32\perfmon.exe    61
C:\Windows\system32\perfmon.exe    61
C:\WINDOWS\system32\resmon.exe     68
C:\windows\system32\resmon.exe     68
C:\Windows\system32\resmon.exe     69
C:\Windows\system32\resmon.exe     71
C:\Windows\system32\resmon.exe     69
C:\WINDOWS\system32\resmon.exe     66
C:\WINDOWS\SysWOW64\perfmon.exe    63
C:\WINDOWS\SysWOW64\perfmon.exe    63
C:\Windows\SysWOW64\perfmon.exe    66
C:\windows\SysWOW64\perfmon.exe    63
C:\Windows\SysWOW64\perfmon.exe    65
C:\WINDOWS\SysWOW64\resmon.exe     69
C:\windows\SysWOW64\resmon.exe     66
C:\Windows\SysWOW64\resmon.exe     66
C:\Windows\SysWOW64\resmon.exe     69
C:\WINDOWS\SysWOW64\resmon.exe     66
C:\Windows\SysWOW64\resmon.exe     72

Possible Misuse

The following table contains possible examples of perfmon.exe being misused. While perfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source  Source File                                  Example                              License
sigma   proc_access_win_cred_dump_lsass_access.yml   - 'C:\Windows\System32\perfmon.exe'  DRL 1.0
sigma   proc_access_win_susp_proc_access_lsass.yml   - 'C:\WINDOWS\System32\perfmon.exe'  DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


perfmon

Start Windows Reliability and Performance Monitor in a specific standalone mode.

Syntax

perfmon </res|report|rel|sys>

Parameters

Parameter  Description
/res       Starts the Resource View.
/report    Starts the System Diagnostics Data Collector Set and displays a report of the results.
/rel       Starts the Reliability Monitor.
/sys       Starts the Performance Monitor.

MIT License. Copyright (c) 2020-2021 Strontic.