perfmon.exe

  • File Path: C:\Windows\system32\perfmon.exe
  • Description: Resource and Performance Monitor

Screenshot

[Screenshot: perfmon.exe window (image not reproduced)]

Hashes

Type Hash
MD5 D38AA59C3BEA5456BD6F95C73AD3C964
SHA1 40170EAB389A6BA35E949F9C92962646A302D9EF
SHA256 5F041CFF346FB37E5C5C9DAB3C1272C76F8B5F579205170E97D2248D04A4EA0C
SHA384 59C1DB08828A483F26E7A71A2019619DB9078603916195EC940611FFA0E6809A9F2F31BFE7EE9E926A204DE144EAECE0
SHA512 59FA552A46E5D6237C7244B03D09D60E9489217B4319A212E822C73FE1F31A81837CB906AE7DA92072BD3D9263FE0B967E073110BA81DA3A90126F25115FFF68
SSDEEP 3072:Y0fcuMXJEzBG8IPFThJRoGghtYIo9piswTogiqQKy349:hWZEzBG8SFNJWhqIo9s37iTK24
IMP 1B5EB71BEAEE7EFF37B32AE9FCEA653A
PESHA1 1B74F88D9CA76720ADE32799A162C9554ED2C301
PE256 502976B205D5C385826BAE2034F577AE72F67B1F50F5B496BF4B1B3D3E2107F5

Runtime Data

Usage (stdout):

Argument '-help' is unknown.

Window Title:

Resource and Performance Monitor

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\perfmon.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\perfmon.exe
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: perfmon.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.00
  • Product Version: 10.00
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\perfmon.exe 61
C:\WINDOWS\system32\perfmon.exe 58
C:\WINDOWS\system32\perfmon.exe 44
C:\windows\system32\perfmon.exe 66
C:\Windows\system32\perfmon.exe 58
C:\WINDOWS\system32\resmon.exe 68
C:\windows\system32\resmon.exe 65
C:\Windows\system32\resmon.exe 68
C:\Windows\system32\resmon.exe 68
C:\Windows\system32\resmon.exe 65
C:\WINDOWS\system32\resmon.exe 68
C:\WINDOWS\SysWOW64\perfmon.exe 65
C:\WINDOWS\SysWOW64\perfmon.exe 63
C:\Windows\SysWOW64\perfmon.exe 68
C:\windows\SysWOW64\perfmon.exe 58
C:\Windows\SysWOW64\perfmon.exe 65
C:\Windows\SysWOW64\perfmon.exe 61
C:\WINDOWS\SysWOW64\resmon.exe 69
C:\windows\SysWOW64\resmon.exe 68
C:\Windows\SysWOW64\resmon.exe 65
C:\Windows\SysWOW64\resmon.exe 66
C:\WINDOWS\SysWOW64\resmon.exe 68
C:\Windows\SysWOW64\resmon.exe 65

Possible Misuse

The following table lists detection rules that reference perfmon.exe. perfmon.exe is not inherently malicious, but its legitimate functionality can be abused, and its file name can be borrowed by an unrelated binary. Both Sigma entries are process-access rules (Sysmon Event ID 10) concerned with handles opened to lsass.exe: perfmon.exe opens other processes to read per-process performance counters, so rules about suspicious LSASS access have to account for it by path. When triaging such an event, confirm that the SourceImage is the signed Microsoft binary at C:\Windows\System32\perfmon.exe (compare against the signature and hashes above) rather than trusting the file name alone.

Source Source File Example License
sigma proc_access_win_cred_dump_lsass_access.yml - 'C:\Windows\System32\perfmon.exe' DRL 1.0
sigma proc_access_win_susp_proc_access_lsass.yml - 'C:\WINDOWS\System32\perfmon.exe' DRL 1.0
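The following is an added example, not part of the Strontic page or the Sigma rules it cites. It shows the check a responder would run on a perfmon.exe-to-lsass.exe process-access event: verify that the binary at the recorded SourceImage is the Authenticode-signed Microsoft file at its expected path, and only then let it benefit from a path-based exclusion. The expected SHA256 and signer subject are taken from this page; the SHA256 is specific to one build (the handle list above points at 10.0.19041), so a mismatch on another build is a warning, not a verdict, whereas the signature check survives updates. The Sysmon records in $SampleEvents are constructed for the example.

```powershell
# Added example: validate a file claiming to be perfmon.exe before trusting any
# LSASS-access exclusion keyed on its path. Values below come from this page;
# the hash is build-specific (assumed build 10.0.19041).
$ExpectedPath   = 'C:\Windows\System32\perfmon.exe'
$ExpectedSha256 = '5F041CFF346FB37E5C5C9DAB3C1272C76F8B5F579205170E97D2248D04A4EA0C'
$ExpectedSigner = 'CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'

function Test-PerfmonBinary {
    param([string]$Path = $ExpectedPath)

    $result = [ordered]@{
        Path = $Path; Exists = $false; PathExpected = $false
        SignatureValid = $false; SignerMatches = $false; HashMatches = $false
        Findings = @()
    }

    # A perfmon.exe outside System32/SysWOW64 is the masquerading case worth escalating.
    $result.PathExpected = ($Path -match '^C:\\Windows\\(System32|SysWOW64)\\perfmon\.exe$')
    if (-not $result.PathExpected) { $result.Findings += 'perfmon.exe outside its expected directory' }

    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Findings += 'file not found'
        return [pscustomobject]$result
    }
    $result.Exists = $true

    # Authenticode: status must be Valid and the leaf certificate subject must be Microsoft Windows.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureValid = ($sig.Status -eq 'Valid')
    $result.SignerMatches  = ($null -ne $sig.SignerCertificate -and $sig.SignerCertificate.Subject -eq $ExpectedSigner)
    if (-not $result.SignatureValid) { $result.Findings += "signature status: $($sig.Status)" }
    if (-not $result.SignerMatches)  { $result.Findings += "unexpected signer: $($sig.SignerCertificate.Subject)" }

    # Hash comparison against the page's recorded value; other builds legitimately differ.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.HashMatches = ($hash -eq $ExpectedSha256)
    if (-not $result.HashMatches) { $result.Findings += "SHA256 $hash differs from the recorded build (warning only)" }

    return [pscustomobject]$result
}

# Constructed Sysmon Event ID 10 (ProcessAccess) records, not captured from a real host.
# 0x1000 is PROCESS_QUERY_LIMITED_INFORMATION; 0x1010 adds PROCESS_VM_READ.
$SampleEvents = @(
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\perfmon.exe';               TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1000' },
    [pscustomobject]@{ SourceImage = 'C:\Users\user\AppData\Local\Temp\perfmon.exe'; TargetImage = 'C:\Windows\System32\lsass.exe'; GrantedAccess = '0x1010' }
)

function Get-SuspiciousPerfmonLsassAccess {
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.TargetImage -notlike '*\lsass.exe') { continue }
        if ((Split-Path -Leaf $e.SourceImage) -ne 'perfmon.exe') { continue }
        $check = Test-PerfmonBinary -Path $e.SourceImage
        # Only an existing, validly signed Microsoft perfmon.exe at its expected path earns the exclusion.
        if ($check.Exists -and $check.PathExpected -and $check.SignatureValid -and $check.SignerMatches) { continue }
        [pscustomobject]@{
            SourceImage   = $e.SourceImage
            GrantedAccess = $e.GrantedAccess
            Reason        = ($check.Findings -join '; ')
        }
    }
}

Test-PerfmonBinary | Format-List
Get-SuspiciousPerfmonLsassAccess -Events $SampleEvents | Format-Table -AutoSize
```

Run it in an elevated or standard PowerShell 5.1 session on the host in question; the first call reports on the real System32 binary, the second flags only the constructed Temp-directory record, since that path fails both the location check and (on a real host) the file-existence check. The hash comparison is deliberately advisory so that a patched perfmon.exe is not treated as hostile.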

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


perfmon

Start Windows Reliability and Performance Monitor in a specific standalone mode.

Syntax

perfmon </res|report|rel|sys>

Parameters

Parameter Description
/res Starts the Resource View.
/report Starts the System Diagnostics Data Collector Set and displays a report of the results.
/rel Starts the Reliability Monitor.
/sys Starts the Performance Monitor.

MIT License. Copyright (c) 2020-2021 Strontic.