perfmon.exe

  • File Path: C:\WINDOWS\SysWOW64\perfmon.exe
  • Description: Resource and Performance Monitor

Hashes

Type Hash
MD5 14ACB06686DC70FAB341DE0721B71BF1
SHA1 2DB1D986522AD14621BB6992E3C784FFF5CC018D
SHA256 7551915D48416381616480ACF03A94CC3AB493682935389C5357BCC2912EAB15
SHA384 A461E9A158E70EE6B758BFCF3F6049ED28C7A0B3300499ADD0EE803B62E1FF8E93550306FF4906E8C5AF490CCB1BE259
SHA512 B73BDF19200B8FA86F76FE0067919BA2062E678DEF212AA22C1FBA98390CA4E053DD388215079064E19B6A438A1D0EBE261A6F96E1227FB9C96F41C1468468A7
SSDEEP 3072:Xq8ijr4QZhpxd6/GghtYIo9piswTogiqQKy349:or4aHxd67hqIo9s37iTK24

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: perfmon.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.00
  • Product Version: 10.00
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 61
C:\WINDOWS\system32\perfmon.exe 66
C:\WINDOWS\system32\perfmon.exe 50
C:\windows\system32\perfmon.exe 72
C:\Windows\system32\perfmon.exe 65
C:\Windows\system32\perfmon.exe 66
C:\WINDOWS\system32\resmon.exe 69
C:\windows\system32\resmon.exe 72
C:\Windows\system32\resmon.exe 74
C:\Windows\system32\resmon.exe 72
C:\Windows\system32\resmon.exe 74
C:\WINDOWS\system32\resmon.exe 74
C:\WINDOWS\SysWOW64\perfmon.exe 65
C:\Windows\SysWOW64\perfmon.exe 68
C:\windows\SysWOW64\perfmon.exe 66
C:\Windows\SysWOW64\perfmon.exe 65
C:\Windows\SysWOW64\perfmon.exe 63
C:\WINDOWS\SysWOW64\resmon.exe 72
C:\windows\SysWOW64\resmon.exe 74
C:\Windows\SysWOW64\resmon.exe 71
C:\Windows\SysWOW64\resmon.exe 75
C:\WINDOWS\SysWOW64\resmon.exe 74
C:\Windows\SysWOW64\resmon.exe 74

Possible Misuse

The following table contains possible examples of perfmon.exe being misused. While perfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_access_win_cred_dump_lsass_access.yml | `- 'C:\Windows\System32\perfmon.exe'` | DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass.yml | `- 'C:\WINDOWS\System32\perfmon.exe'` | DRL 1.0 |

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


perfmon

Start Windows Reliability and Performance Monitor in a specific standalone mode.

Syntax

perfmon </res|report|rel|sys>

Parameters

| Parameter | Description |
|---|---|
| /res | Starts the Resource View. |
| /report | Starts the System Diagnostics Data Collector Set and displays a report of the results. |
| /rel | Starts the Reliability Monitor. |
| /sys | Starts the Performance Monitor. |


MIT License. Copyright (c) 2020-2021 Strontic.