perfmon.exe

  • File Path: C:\Windows\SysWOW64\perfmon.exe
  • Description: Resource and Performance Monitor

Hashes

Type Hash
MD5 805F9B64745C730A6BD789083D0EF4E2
SHA1 DF46DE4C9866BCB49381A406E9CF4D22B6EA2E7F
SHA256 4A58628ABFA58DCD4E683EBEF43018B663228CB562C27716A799257A7434B6A5
SHA384 185485973AF883F58E37948D316C367CE3EB3229A17966ADB9D6E33380B5968A290D447240AC415ADF9FC3B0BE6054CE
SHA512 51C5A88956A17ED37A5D49445EC7E589E9A93B11A0198EBD847D40446D66B7DC7A891E61574750BEC3D615601603394F6B2CF382315D1DD50679797ED6F7588F
SSDEEP 3072:qWuWAqeMLVf7kaFGghtYIo9piswTogiqQKy349t:q8eCVTkaJhqIo9s37iTK24

Runtime Data

Usage (stdout):

Argument 'help' is unknown.

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: perfmon.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.00
  • Product Version: 10.00
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 66
C:\WINDOWS\system32\perfmon.exe 63
C:\WINDOWS\system32\perfmon.exe 52
C:\windows\system32\perfmon.exe 72
C:\Windows\system32\perfmon.exe 65
C:\Windows\system32\perfmon.exe 63
C:\WINDOWS\system32\resmon.exe 72
C:\windows\system32\resmon.exe 69
C:\Windows\system32\resmon.exe 69
C:\Windows\system32\resmon.exe 69
C:\Windows\system32\resmon.exe 72
C:\WINDOWS\system32\resmon.exe 72
C:\WINDOWS\SysWOW64\perfmon.exe 65
C:\WINDOWS\SysWOW64\perfmon.exe 66
C:\Windows\SysWOW64\perfmon.exe 65
C:\windows\SysWOW64\perfmon.exe 58
C:\Windows\SysWOW64\perfmon.exe 65
C:\WINDOWS\SysWOW64\resmon.exe 71
C:\windows\SysWOW64\resmon.exe 72
C:\Windows\SysWOW64\resmon.exe 72
C:\Windows\SysWOW64\resmon.exe 74
C:\WINDOWS\SysWOW64\resmon.exe 69
C:\Windows\SysWOW64\resmon.exe 69

Possible Misuse

The following table contains possible examples of perfmon.exe being misused. While perfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_access_win_cred_dump_lsass_access.yml - 'C:\Windows\System32\perfmon.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml - 'C:\WINDOWS\System32\perfmon.exe' DRL 1.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


perfmon

Start Windows Reliability and Performance Monitor in a specific standalone mode.

Syntax

perfmon </res|report|rel|sys>

Parameters

Parameter Description
/res Starts the Resource View.
/report Starts the System Diagnostics Data Collector Set and displays a report of the results.
/rel Starts the Reliability Monitor.
/sys Starts the Performance Monitor.


MIT License. Copyright (c) 2020-2021 Strontic.