perfmon.exe

  • File Path: C:\windows\SysWOW64\perfmon.exe
  • Description: Resource and Performance Monitor

Hashes

Type Hash
MD5 660927A8213F3A9AB378BDFB195E7277
SHA1 834BE26A51D0871195C3838C8FD3067A7B237B99
SHA256 7B2CF6E56FE262686CE9AFDABB260854EE92B257AD95D577E9ADA6A4ECCFB9F1
SHA384 80A14607ED6D7C25586D5E77D947F95336D1B587667938A2204EB70528A5005243CCA0761C357B23DCE94C393825E30E
SHA512 1CC07082423DC778D6A4C69CA9BDDCB8510A2809DD2F79D94F8D0E065AC546143D1938EEDCDE17208E06508D75B548C97EC37752AE722A67485EC2769614BACF
SSDEEP 3072:i88RlSQBQfRwxiE+/9cghtYIo9piswTogiqQKy349a:SRlyf2xO/XhqIo9s37iTK24

Signature

  • Status: The file C:\windows\SysWOW64\perfmon.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: perfmon.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 58
C:\WINDOWS\system32\perfmon.exe 65
C:\WINDOWS\system32\perfmon.exe 44
C:\windows\system32\perfmon.exe 71
C:\Windows\system32\perfmon.exe 58
C:\Windows\system32\perfmon.exe 61
C:\WINDOWS\system32\resmon.exe 66
C:\windows\system32\resmon.exe 66
C:\Windows\system32\resmon.exe 69
C:\Windows\system32\resmon.exe 66
C:\Windows\system32\resmon.exe 69
C:\WINDOWS\system32\resmon.exe 69
C:\WINDOWS\SysWOW64\perfmon.exe 66
C:\WINDOWS\SysWOW64\perfmon.exe 65
C:\Windows\SysWOW64\perfmon.exe 61
C:\Windows\SysWOW64\perfmon.exe 58
C:\Windows\SysWOW64\perfmon.exe 63
C:\WINDOWS\SysWOW64\resmon.exe 71
C:\windows\SysWOW64\resmon.exe 68
C:\Windows\SysWOW64\resmon.exe 68
C:\Windows\SysWOW64\resmon.exe 71
C:\WINDOWS\SysWOW64\resmon.exe 68
C:\Windows\SysWOW64\resmon.exe 69

Possible Misuse

The following table contains possible examples of perfmon.exe being misused. While perfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_access_win_cred_dump_lsass_access.yml | - 'C:\Windows\System32\perfmon.exe' | DRL 1.0
sigma | proc_access_win_susp_proc_access_lsass.yml | - 'C:\WINDOWS\System32\perfmon.exe' | DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


perfmon

Start Windows Reliability and Performance Monitor in a specific standalone mode.

Syntax

perfmon </res|report|rel|sys>

Parameters

Parameter | Description
/res | Starts the Resource View.
/report | Starts the System Diagnostics Data Collector Set and displays a report of the results.
/rel | Starts the Reliability Monitor.
/sys | Starts the Performance Monitor.

MIT License. Copyright (c) 2020-2021 Strontic.