perfmon.exe

  • File Path: C:\WINDOWS\system32\perfmon.exe
  • Description: Resource and Performance Monitor


Hashes

| Type | Hash |
|------|------|
| MD5 | AE3D54BF0D325BDFB785B86511930E37 |
| SHA1 | C3B882CEA05A0371AF48F60D01E0C5DE019E2A2C |
| SHA256 | 76396D7C9650A86A425FD68F9851D0C06DDF3EB808A548FCF0C02FAD6253399F |
| SHA384 | 4FF5BAEFE75690C4FDD2B4B22D3412B1C026D04EA852E844C350276A1A36EAF38963EE91F4B2CBB3434B93BCB79EFDE1 |
| SHA512 | 14819184FA083E608ED75E15EA0D834963591C7D7BA7F8934C56C8BC5DB58F8014303784FA8876A2A96B8756971F716FC7B8ABA632A56B36609FBD30E5B4F7C3 |
| SSDEEP | 3072:ypBjlcfRy/COZa6nYI7CGghtYIo9piswTogiqQKy349:P5y/NZ3YI7ihqIo9s37iTK24 |

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: perfmon.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.00
  • Product Version: 10.00
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 63
C:\WINDOWS\system32\perfmon.exe 43
C:\windows\system32\perfmon.exe 69
C:\Windows\system32\perfmon.exe 58
C:\Windows\system32\perfmon.exe 61
C:\WINDOWS\system32\resmon.exe 68
C:\windows\system32\resmon.exe 71
C:\Windows\system32\resmon.exe 72
C:\Windows\system32\resmon.exe 71
C:\Windows\system32\resmon.exe 66
C:\WINDOWS\system32\resmon.exe 69
C:\WINDOWS\SysWOW64\perfmon.exe 66
C:\WINDOWS\SysWOW64\perfmon.exe 66
C:\Windows\SysWOW64\perfmon.exe 63
C:\windows\SysWOW64\perfmon.exe 65
C:\Windows\SysWOW64\perfmon.exe 63
C:\Windows\SysWOW64\perfmon.exe 61
C:\WINDOWS\SysWOW64\resmon.exe 69
C:\windows\SysWOW64\resmon.exe 66
C:\Windows\SysWOW64\resmon.exe 66
C:\Windows\SysWOW64\resmon.exe 68
C:\WINDOWS\SysWOW64\resmon.exe 69
C:\Windows\SysWOW64\resmon.exe 66

Possible Misuse

The following table contains possible examples of perfmon.exe being misused. While perfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | proc_access_win_cred_dump_lsass_access.yml | - 'C:\Windows\System32\perfmon.exe' | DRL 1.0 |
| sigma | proc_access_win_susp_proc_access_lsass.yml | - 'C:\WINDOWS\System32\perfmon.exe' | DRL 1.0 |

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


perfmon

Start Windows Reliability and Performance Monitor in a specific standalone mode.

Syntax

perfmon </res|report|rel|sys>

Parameters

| Parameter | Description |
|-----------|-------------|
| /res | Starts the Resource View. |
| /report | Starts the System Diagnostics Data Collector Set and displays a report of the results. |
| /rel | Starts the Reliability Monitor. |
| /sys | Starts the Performance Monitor. |

MIT License. Copyright (c) 2020-2021 Strontic.