pslist64.exe

  • File Path: C:\SysinternalsSuite\pslist64.exe
  • Description: Process information lister

Runtime Data

Usage (stdout):


PsList v1.4 - Process information lister
Copyright (C) 2000-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Process information for 37AACD8D-548A-4:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time 
Idle                  0   0   8    0     60     2:58:17.062   386:30:44.459
System                4   8 165 9241    196     0:01:04.140   386:30:44.459
Registry            124   8   4    0   9260     0:00:00.718   386:30:52.413
smss                428  11   2   53   1040     0:00:00.515   386:30:44.447
csrss               528  13  11  351   1628     0:00:01.687   386:30:42.327
wininit             600  13   1  163   1348     0:00:00.156   386:30:42.176
services            644   9   5  347   3372     0:00:02.828   386:30:41.969
lsass               664   9   8 1078   6588     0:00:05.187   386:30:41.858
svchost             776   8  10  851   9020     0:00:04.171   386:30:41.285
fontdrvhost         812   8   5   39   1468     0:00:00.625   386:30:41.210
svchost             844   8   8  851   5268     0:00:07.125   386:30:41.077
svchost             968   8  44 1601  23320     0:02:00.296   386:30:40.674
svchost             984   8  42  692  77436     0:00:13.343   386:30:40.669
svchost            1020   8  16  594   7552     0:00:11.015   386:30:40.647
svchost            1064   8  11  624  17592     0:00:01.406   386:30:40.473
svchost            1080   8  18  707   9428     0:00:01.671   386:30:40.466
Memory Compression  1108   8  34    0    200     0:00:01.484   386:30:40.445
svchost            1288   8  12  341   3568     0:00:01.250   389:30:39.672
svchost            1348   8  18  786   7456     0:00:00.859   389:30:39.621
svchost            1416   8   4  377   2280     0:00:00.156   389:30:39.481
svchost            1428   8   3  127   1596     0:00:00.093   389:30:39.477
spoolsv            1560   8   7  460   6548     0:00:01.328   389:30:39.321
svchost            1684   8  12  410   7908     0:00:01.328   389:30:39.232
svchost            1992   8   6  257   4956     0:00:00.234   389:30:38.746
svchost            2020   8   5  195   2264     0:00:00.375   389:30:38.725
CExecSvc           1192   8   2   67   1120     0:00:00.234   389:30:38.703
VmComputeAgent     2152   8   2  164   2160     0:00:00.546   389:30:38.119
svchost            1760   8   3  159   1684     0:00:00.078     0:23:33.017
csrss              2468  13  12  552   1864     0:00:03.250     0:23:32.920
winlogon           2484  13   3  260   2776     0:00:00.562     0:23:32.877
fontdrvhost        2712   8   5   39   2248     0:00:00.718     0:23:32.526
WUDFHost           2732   8   7  325   3368     0:00:01.843     0:23:32.526
dwm                3024  13  23  904  43224     0:00:14.359     0:23:32.386
svchost            3208   8   2  173   2640     0:00:00.453     0:23:31.845
svchost            3252   8   5  192  13916     0:00:06.781     0:23:31.786
rdpclip            3536   8   8  328   3496     0:00:05.406     0:23:30.740
sihost             3576   8   7  489   6372     0:00:02.875     0:23:30.655
svchost            3664   8  10  564   9324     0:00:04.921     0:23:30.513
taskhostw          3716   8   8  311   6844     0:00:01.078     0:23:30.477
svchost            3916   8   3  166   1672     0:00:00.250     0:23:30.339
ctfmon             3980  13  11  433   9736     0:00:07.687     0:23:30.238
explorer           3996   8  73 2592  84208     0:01:13.937     0:23:30.230
svchost            3696   8   5  310   3988     0:00:00.656     0:23:28.243
ApplicationFrameHost  4216   8   2  330   9480     0:00:00.656     0:23:27.380
MicrosoftEdge      4252   8  46  893  22508     0:00:00.875     0:23:27.361
browser_broker     4352   8   2  174   2020     0:00:00.062     0:23:27.206
RuntimeBroker      4460   8   1  212   2728     0:00:00.171     0:23:27.079
svchost            4468   8   2  139   1584     0:00:00.046     0:23:27.072
Windows.WARP.JITService  4540   8   2  107   1312     0:00:00.015     0:23:27.028
MicrosoftEdgeSH    4652   8  21  265   4268     0:00:00.140     0:23:26.746
MicrosoftEdgeCP    4696   8  27  482   6228     0:00:00.203     0:23:26.689
SearchApp          3168   8  54 1274  96852     0:00:09.656     0:23:17.305
RuntimeBroker      2816   8   6  495  12736     0:00:06.484     0:23:17.214
RuntimeBroker       824   8   1  218   2500     0:00:00.937     0:23:16.715
svchost            5396   8   5  208   1948     0:00:00.031     0:22:04.695
SgrmBroker         3392   8   7  103   4096     0:00:00.140     0:21:45.739
svchost             976   8   8  213   2480     0:00:00.046     0:21:45.383
powershell_ise      676   8  27 1015 159116     0:01:54.421     0:21:38.440
StartMenuExperienceHost  4368   8   6  574  15724     0:00:01.187     0:21:26.853
RuntimeBroker      5996   8   1  236   3544     0:00:00.515     0:21:26.765
dllhost            2292   8   5  235   3848     0:00:00.265     0:21:25.233
cmd                 696   8   1  244   3772     0:00:00.578     0:21:23.654
conhost            2276   8   4  270   7772     0:00:07.281     0:21:23.625
dllhost            1784   8   5  139   2028     0:00:00.359     0:21:03.574
SecurityHealthService  1256   8   4  225   2652     0:00:00.140     0:19:45.105
SecurityHealthHost  4516   8   1  147   1608     0:00:00.187     0:19:44.938
Desktops            892   8   3  215   2124     0:00:00.312     0:17:38.534
conhost            1356   8   3  188   7152     0:00:00.375     0:09:37.275
WmiPrvSE           6076   8   7  157   4224     0:00:12.234     0:09:34.811
audiodg            2676   8   5  253   7880     0:00:02.156     0:09:12.453
WmiPrvSE           3928   8   9  182   2800     0:00:00.078     0:04:51.294
svchost            5968   8   5  112   1696     0:00:00.156     0:01:47.487
WmiPrvSE           1676   8   9  178   3096     0:00:00.062     0:00:24.067
pslist64           2684  13   4  216   2468     0:00:01.234     0:00:01.237
conhost            4260   8   4   99   6360     0:00:00.015     0:00:01.232

Loaded Modules:

Path
C:\SysinternalsSuite\pslist64.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 330000010A2C79AED7797BA6AC00010000010A
  • Thumbprint: 3BDA323E552DB1FDE5F4FBEE75D6D5B2B187EEDC
  • Issuer: CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Corporation, OU=MOPR, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: pslist.exe
  • Product Name: Sysinternals pslist
  • Company Name: Sysinternals - www.sysinternals.com
  • File Version: 1.4
  • Product Version: 1.4
  • Language: English (United States)
  • Legal Copyright: Copyright (C) 2000-2016 Mark Russinovich
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/e6901e8423da3e54bab25f7c90f60d3979bfa5bb61bcc46059662736253b8c72/detection/

Possible Misuse

The following table contains possible examples of pslist64.exe being misused. While pslist64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_false_sysinternalsuite.yml | `- '\pslist64.exe'` | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.