perfmon.exe

  • File Path: C:\WINDOWS\SysWOW64\perfmon.exe
  • Description: Resource and Performance Monitor

Screenshot: perfmon.exe (image omitted)

Hashes

  • MD5: 390A0223147F517FB5AA39B07A44F1A2
  • SHA1: 94BE19199E584ED18369D364B2907560F2376205
  • SHA256: 1654F042147EAF85200E27A5218536188E0124064463C03A6F7053FF0A28FF13
  • SHA384: E82443F37AB475BA59999058E71A7F59F4785C73228595E2347DA0EE87F1153622EE058FB647E5BA961259E8E2B70025
  • SHA512: 6C9619EB3C9CBEBCEC999190D2DC5A197283BA7797C445933A29F7BBBEB0DFB4C462FF2B7C127A5CC23C98B82D8F7BA6A4A0E800157E232EAF92981C2D4441CC
  • SSDEEP: 3072:7yo2Ur8zp8ylFC2uGghtYIo9piswTogiqQKy349Sb:Gon8zZlk22hqIo9s37iTK24I
  • IMP: 4A38601BCA6173DF01F147EFB69C778A
  • PESHA1: A1A8B9A1B11306284A836E10F24CB70DC27B0A0D
  • PE256: C9ED3EE65FF753200AD8909BC04951F504AEB4F46092406968D01CA5827B0433

Runtime Data

Usage (stdout):

Argument '-help' is unknown.

Window Title:

Resource and Performance Monitor

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\perfmon.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_b335b4dbed333454\comctl32.dll.mui File
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_b335b4dbed333454 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_e541a94fcce8ed6d File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\perfmon.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: perfmon.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.00
  • Product Version: 10.00
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/1654f042147eaf85200e27a5218536188e0124064463c03a6f7053ff0a28ff13/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 65
C:\WINDOWS\system32\perfmon.exe 66
C:\WINDOWS\system32\perfmon.exe 46
C:\windows\system32\perfmon.exe 69
C:\Windows\system32\perfmon.exe 63
C:\Windows\system32\perfmon.exe 61
C:\WINDOWS\system32\resmon.exe 68
C:\windows\system32\resmon.exe 69
C:\Windows\system32\resmon.exe 68
C:\Windows\system32\resmon.exe 69
C:\Windows\system32\resmon.exe 68
C:\WINDOWS\system32\resmon.exe 68
C:\WINDOWS\SysWOW64\perfmon.exe 65
C:\Windows\SysWOW64\perfmon.exe 66
C:\windows\SysWOW64\perfmon.exe 65
C:\Windows\SysWOW64\perfmon.exe 66
C:\Windows\SysWOW64\perfmon.exe 63
C:\WINDOWS\SysWOW64\resmon.exe 69
C:\windows\SysWOW64\resmon.exe 68
C:\Windows\SysWOW64\resmon.exe 68
C:\Windows\SysWOW64\resmon.exe 69
C:\WINDOWS\SysWOW64\resmon.exe 68
C:\Windows\SysWOW64\resmon.exe 68

Possible Misuse

The following table contains possible examples of perfmon.exe being misused. While perfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_access_win_cred_dump_lsass_access.yml - 'C:\Windows\System32\perfmon.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml - 'C:\WINDOWS\System32\perfmon.exe' DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. It is available under the CC BY 4.0 license.


perfmon

Start Windows Reliability and Performance Monitor in a specific standalone mode.

Syntax

perfmon </res|report|rel|sys>

Parameters

  • /res: Starts the Resource View.
  • /report: Starts the System Diagnostics Data Collector Set and displays a report of the results.
  • /rel: Starts the Reliability Monitor.
  • /sys: Starts the Performance Monitor.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.