perfmon.exe

  • File Path: C:\Windows\SysWOW64\perfmon.exe
  • Description: Resource and Performance Monitor

Screenshot

perfmon.exe

Hashes

Type    Hash
MD5     6284C86A1AE399794C18FBBC86CC8340
SHA1    06D3C338A1C30921DD8544F117F43497AD111E86
SHA256  3FA716B87491BDC9A01EC636F0010A028552D224EEC64334F7669206C69CFFF2
SHA384  F362E0489C49CF03F64FAE91156C18D219DF29374A65FC929C27D90816EC8CE4C91B45DA01C7758DB6583441D0EF7E4E
SHA512  822F9150CFB661897B61D97F15EE2B3B20D6100A5B3976E401176244C1AB63978ECCCEBE313DDBCA99E8F8E66A158026106340BEBA821060C38FA62966977AA1
SSDEEP  3072:gHuEgHwz/iUZPGghtYIo9piswTogiqQKy349e:gYHcKUZrhqIo9s37iTK24I
IMP     9E1163D7390EBC6170B5E1D9EE0421D0
PESHA1  A29B197DFA7D6F3CE7BACC8A7D60A90859552483
PE256   0F1BD43D7E561CFFAFD3A41F9083D4EB3F9EE4B8647B20EDBA4D10A9D641F3DD

Runtime Data

Usage (stdout):

Argument '-help' is unknown.

Window Title:

Resource and Performance Monitor

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\perfmon.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_130e63d987a738df\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_130e63d987a738df File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\perfmon.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: perfmon.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.00
  • Product Version: 10.00
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/3fa716b87491bdc9a01ec636f0010a028552d224eec64334f7669206c69cfff2/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 66
C:\WINDOWS\system32\perfmon.exe 63
C:\WINDOWS\system32\perfmon.exe 47
C:\windows\system32\perfmon.exe 79
C:\Windows\system32\perfmon.exe 68
C:\Windows\system32\perfmon.exe 63
C:\WINDOWS\system32\resmon.exe 71
C:\windows\system32\resmon.exe 74
C:\Windows\system32\resmon.exe 72
C:\Windows\system32\resmon.exe 74
C:\Windows\system32\resmon.exe 75
C:\WINDOWS\system32\resmon.exe 75
C:\WINDOWS\SysWOW64\perfmon.exe 68
C:\WINDOWS\SysWOW64\perfmon.exe 66
C:\windows\SysWOW64\perfmon.exe 61
C:\Windows\SysWOW64\perfmon.exe 65
C:\Windows\SysWOW64\perfmon.exe 66
C:\WINDOWS\SysWOW64\resmon.exe 74
C:\windows\SysWOW64\resmon.exe 72
C:\Windows\SysWOW64\resmon.exe 75
C:\Windows\SysWOW64\resmon.exe 74
C:\WINDOWS\SysWOW64\resmon.exe 72
C:\Windows\SysWOW64\resmon.exe 75

Possible Misuse

The following table contains possible examples of perfmon.exe being misused. While perfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source  Source File                                  Example                              License
sigma   proc_access_win_cred_dump_lsass_access.yml   - 'C:\Windows\System32\perfmon.exe'  DRL 1.0
sigma   proc_access_win_susp_proc_access_lsass.yml   - 'C:\WINDOWS\System32\perfmon.exe'  DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


perfmon

Start Windows Reliability and Performance Monitor in a specific standalone mode.

Syntax

perfmon </res|report|rel|sys>

Parameters

Parameter  Description
/res       Starts the Resource View.
/report    Starts the System Diagnostics Data Collector Set and displays a report of the results.
/rel       Starts the Reliability Monitor.
/sys       Starts the Performance Monitor.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.