perfmon.exe

  • File Path: C:\WINDOWS\system32\perfmon.exe
  • Description: Resource and Performance Monitor

Hashes

  • MD5: C90AF971C5FE2427135D6DF8C38B720E
  • SHA1: D894531BA7B14DF4ADCE70CE3412EA5ECA1F23B3
  • SHA256: 39DA579A57B33BACDAA9EECA732B060F1DAB2624C7EE1E2469E3E2A40961151E
  • SHA384: FA61AEA29A90F0E87E64B3191BB6863A31E2B3ECA9240DE531652236866DBFFF0D5D0ADF7FB3A1C6536BCF7758522A52
  • SHA512: 3792780D31C5961781B4F9F27A59FB9DE87F5ABD061E41A250CA3CC8FA6D9C64BC8B76A36ED020FECFD0B51EB9C6BC368936D0BEE83B878ADCC285814A44C9BE
  • SSDEEP: 3072:iU7qWkLMPeAktQuthnzqbLAADODiK447hdy0wty9qjgGghtYIo9piswTogiqQKyg:/7LkLMPeAktQuthnzqbhDODiK447fqjm
  • IMP: C558B7A765839C058D47628A59E81CDD
  • PESHA1: A8B6395E7A628049583AD5A2B418EE86601E5FBF
  • PE256: D235D2EE6123AF910CF9E0ABFA21FBE6A2E1DA0E41525E327B45B18669EBE379

Runtime Data

Usage (stdout):

Argument '-help' is unknown.

Window Title:

Resource and Performance Monitor

Open Handles:

Each entry lists the access mode, the object path and the handle type.

  • (R-D) C:\Windows\Fonts\StaticCache.dat (File)
  • (R-D) C:\Windows\System32\en-US\duser.dll.mui (File)
  • (R-D) C:\Windows\System32\en-US\KernelBase.dll.mui (File)
  • (R-D) C:\Windows\System32\en-US\perfmon.exe.mui (File)
  • (R-D) C:\Windows\SystemResources\imageres.dll.mun (File)
  • (R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_6b887e04d8b70b4e\comctl32.dll.mui (File)
  • (RW-) C:\Windows\System32 (File)
  • (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_6b887e04d8b70b4e (File)
  • (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 (File)
  • \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db (Section)
  • \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db (Section)
  • \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro (Section)
  • \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 (Section)
  • \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 (Section)
  • \Sessions\2\Windows\Theme1077709572 (Section)
  • \Windows\Theme3461253685 (Section)

Loaded Modules:

  • C:\WINDOWS\System32\KERNEL32.DLL
  • C:\WINDOWS\System32\KERNELBASE.dll
  • C:\WINDOWS\SYSTEM32\ntdll.dll
  • C:\WINDOWS\system32\perfmon.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: perfmon.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.00
  • Product Version: 10.00
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/39da579a57b33bacdaa9eeca732b060f1dab2624c7ee1e2469e3e2a40961151e/detection

File Similarity (ssdeep match)

Each entry lists the compared file and its ssdeep match score.

  • C:\Windows\system32\perfmon.exe: 43
  • C:\WINDOWS\system32\perfmon.exe: 43
  • C:\windows\system32\perfmon.exe: 46
  • C:\Windows\system32\perfmon.exe: 44
  • C:\Windows\system32\perfmon.exe: 47
  • C:\WINDOWS\system32\resmon.exe: 46
  • C:\windows\system32\resmon.exe: 46
  • C:\Windows\system32\resmon.exe: 46
  • C:\Windows\system32\resmon.exe: 46
  • C:\Windows\system32\resmon.exe: 49
  • C:\WINDOWS\system32\resmon.exe: 46
  • C:\WINDOWS\SysWOW64\perfmon.exe: 50
  • C:\WINDOWS\SysWOW64\perfmon.exe: 46
  • C:\Windows\SysWOW64\perfmon.exe: 47
  • C:\windows\SysWOW64\perfmon.exe: 44
  • C:\Windows\SysWOW64\perfmon.exe: 52
  • C:\Windows\SysWOW64\perfmon.exe: 47
  • C:\WINDOWS\SysWOW64\resmon.exe: 47
  • C:\windows\SysWOW64\resmon.exe: 46
  • C:\Windows\SysWOW64\resmon.exe: 49
  • C:\Windows\SysWOW64\resmon.exe: 47
  • C:\WINDOWS\SysWOW64\resmon.exe: 46
  • C:\Windows\SysWOW64\resmon.exe: 46

Possible Misuse

The following entries contain possible examples of perfmon.exe being misused. While perfmon.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Each entry lists the source, the source file, the example line from that file, and the license.

  • sigma / proc_access_win_cred_dump_lsass_access.yml: - 'C:\Windows\System32\perfmon.exe' (DRL 1.0)
  • sigma / proc_access_win_susp_proc_access_lsass.yml: - 'C:\WINDOWS\System32\perfmon.exe' (DRL 1.0)

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

perfmon

Start Windows Reliability and Performance Monitor in a specific standalone mode.

Syntax

perfmon </res|report|rel|sys>

Parameters

  • /res: Starts the Resource View.
  • /report: Starts the System Diagnostics Data Collector Set and displays a report of the results.
  • /rel: Starts the Reliability Monitor.
  • /sys: Starts the Performance Monitor.

MIT License. Copyright (c) 2020-2021 Strontic.