perfmon.exe

File Path: C:\WINDOWS\SysWOW64\perfmon.exe
Description: Resource and Performance Monitor

Screenshot

perfmon.exe

Hashes

Type	Hash
MD5	`14ACB06686DC70FAB341DE0721B71BF1`
SHA1	`2DB1D986522AD14621BB6992E3C784FFF5CC018D`
SHA256	`7551915D48416381616480ACF03A94CC3AB493682935389C5357BCC2912EAB15`
SHA384	`A461E9A158E70EE6B758BFCF3F6049ED28C7A0B3300499ADD0EE803B62E1FF8E93550306FF4906E8C5AF490CCB1BE259`
SHA512	`B73BDF19200B8FA86F76FE0067919BA2062E678DEF212AA22C1FBA98390CA4E053DD388215079064E19B6A438A1D0EBE261A6F96E1227FB9C96F41C1468468A7`
SSDEEP	`3072:Xq8ijr4QZhpxd6/GghtYIo9piswTogiqQKy349:or4aHxd67hqIo9s37iTK24`

Signature

Status: Signature verified.
Serial: 330000023241FB59996DCC4DFF000000000232
Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: perfmon.exe
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.00
Product Version: 10.00
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File	Score
C:\Windows\system32\perfmon.exe	61
C:\WINDOWS\system32\perfmon.exe	66
C:\WINDOWS\system32\perfmon.exe	50
C:\windows\system32\perfmon.exe	72
C:\Windows\system32\perfmon.exe	65
C:\Windows\system32\perfmon.exe	66
C:\WINDOWS\system32\resmon.exe	69
C:\windows\system32\resmon.exe	72
C:\Windows\system32\resmon.exe	74
C:\Windows\system32\resmon.exe	72
C:\Windows\system32\resmon.exe	74
C:\WINDOWS\system32\resmon.exe	74
C:\WINDOWS\SysWOW64\perfmon.exe	65
C:\Windows\SysWOW64\perfmon.exe	68
C:\windows\SysWOW64\perfmon.exe	66
C:\Windows\SysWOW64\perfmon.exe	65
C:\Windows\SysWOW64\perfmon.exe	63
C:\WINDOWS\SysWOW64\resmon.exe	72
C:\windows\SysWOW64\resmon.exe	74
C:\Windows\SysWOW64\resmon.exe	71
C:\Windows\SysWOW64\resmon.exe	75
C:\WINDOWS\SysWOW64\resmon.exe	74
C:\Windows\SysWOW64\resmon.exe	74

Possible Misuse

The following table contains possible examples of perfmon.exe being misused. While perfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_access_win_cred_dump_lsass_access.yml	`- 'C:\Windows\System32\perfmon.exe'`	DRL 1.0
sigma	proc_access_win_susp_proc_access_lsass.yml	`- 'C:\WINDOWS\System32\perfmon.exe'`	DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

perfmon

Start Windows Reliability and Performance Monitor in a specific standalone mode.

Syntax

perfmon </res|report|rel|sys>

Parameters

Parameter	Description
/res	Starts the Resource View.
/report	Starts the System Diagnostics Data Collector Set and displays a report of the results.
/rel	Starts the Reliability Monitor.
/sys	Starts the Performance Monitor.

perfmon.exe

Screenshot

Hashes

Signature

File Metadata

File Similarity (ssdeep match)

Possible Misuse

Additional Info*

perfmon

Syntax

Parameters

Additional References