localspl.dll

File Path: C:\Windows\system32\localspl.dll
Description: Local Spooler DLL

Hashes

Type	Hash
MD5	`31FCB6A7FAEE7E36ED0C06835BA73AEA`
SHA1	`DFBFE4025F3AD53210B1D9216324BCBA92160394`
SHA256	`2D7115B992CE08C3582D65E9ADB57B7CCB4E2F0BF82C01EECEADCED2041735C6`
SHA384	`032C0ED33CE2D840203DCB9F486D4BC505A6ADF17C2F1FDC9EF28A436687B5B6F27630933D70156FD8BC50C174D98A6D`
SHA512	`760A550FB295F7857677458CAFDF01AC0613B4AA3763C71254953D465E36B066C87F068BAA17EB67BA85E2C7EEB60586977C49198F6F92FC9B65063AC5EFB4EC`
SSDEEP	`24576:GJI+/giEdDEg4pBZfpVUXadrMKjiA0wQfA:GZEf4bZpaXad92gQf`
IMP	`51D3A12DA8B9292FA2F89BCE834AD647`
PESHA1	`77CF595B4B1B705639C1D78AD72EC03E0220EBE6`
PE256	`C6069D714113BF6CDD51D9AF956E61F61795D683D13B14575075E8A46F362822`

DLL Exports:

Function Name	Ordinal	Type
`SplGetPrinterDriver`	489	Exported Function
`SplGetPrinterDriverDirectory`	490	Exported Function
`SplGetPrinterDriverEx`	491	Exported Function
`SplGetPrinterDataEx`	488	Exported Function
`SplGetPrintClassObject_4CSR`	483	Exported Function
`SplGetPrinter`	486	Exported Function
`SplGetPrinterData`	487	Exported Function
`SplGetUserPropertyBag`	494	Exported Function
`SplIsCompatibleDriver`	495	Exported Function
`SplIsDriverInstalled`	410	Exported Function
`SplGetPrintProcessorDirectory`	485	Exported Function
`SplGetPrinterExtra`	492	Exported Function
`SplGetPrinterExtraEx`	493	Exported Function
`SplGetPrintProcCacheData`	484	Exported Function
`SplGetPrintClassObject`	482	Exported Function
`SplEnumPrintProcCacheData`	470	Exported Function
`SplEnumPrintProcessorDatatypes`	471	Exported Function
`SplEnumPrintProcessors`	472	Exported Function
`SplEnumPrinters`	477	Exported Function
`SplEnumPrinterDataEx`	474	Exported Function
`SplEnumPrinterDrivers`	475	Exported Function
`SplEnumPrinterKey`	476	Exported Function
`SplGetJobExtra`	408	Exported Function
`SplGetJobNamedPropertyValue`	481	Exported Function
`SplGetLocalDevMode`	409	Exported Function
`SplGetJob`	480	Exported Function
`SplGetDriverDir`	478	Exported Function
`SplGetDriverUpdateStatus`	407	Exported Function
`SplGetForm`	479	Exported Function
`SplSetPrinter`	508	Exported Function
`SplSetPrinterData`	509	Exported Function
`SplSetPrinterDataEx`	510	Exported Function
`SplSetJobNamedProperty`	506	Exported Function
`SplSetJob`	505	Exported Function
`SplSetJobError`	417	Exported Function
`SplSetJobExtra`	418	Exported Function
`SplStartPagePrinter`	514	Exported Function
`SplWritePrinter`	515	Exported Function
`SplXcvData`	516	Exported Function
`SplStartDocPrinter`	513	Exported Function
`SplSetPrinterExtra`	511	Exported Function
`SplSetPrinterExtraEx`	512	Exported Function
`SplSetPrintProcCacheData`	507	Exported Function
`SplSetForm`	504	Exported Function
`SplNotifyServerStatus`	413	Exported Function
`SplOpenPrinter`	498	Exported Function
`SplPlayGdiScriptOnPrinterIC`	499	Exported Function
`SplMonitorIsInstalled`	497	Exported Function
`SplIsLocalDriverAvailable`	411	Exported Function
`SplIsValidUserPropertyBag`	412	Exported Function
`SplLoadLibraryTheCopyFileModule`	496	Exported Function
`SplScheduleJob`	503	Exported Function
`SplSetCSRPrinterDevnode`	415	Exported Function
`SplSetDriverUpdateStatus`	416	Exported Function
`SplResetPrinter`	502	Exported Function
`SplReenumeratePorts`	414	Exported Function
`SplRegeneratePrintDeviceCapabilities`	500	Exported Function
`SplReportJobProcessingProgress`	501	Exported Function
`SplAddJob`	435	Exported Function
`SplAddMonitor`	436	Exported Function
`SplAddPort`	437	Exported Function
`SplAddForm`	434	Exported Function
`PrintDocumentOnPrintProcessor`	432	Exported Function
`SplAbortPrinter`	433	Exported Function
`SplAddCSRPrinter`	403	Exported Function
`SplClosePrinter`	442	Exported Function
`SplCloseSpooler`	443	Exported Function
`SplConfigChange`	444	Exported Function
`SplAddPrintProcessor`	439	Exported Function
`SplAddPortEx`	438	Exported Function
`SplAddPrinter`	440	Exported Function
`SplAddPrinterDriverEx`	441	Exported Function
`OpenPrintProcessor`	431	Exported Function
`GetPrintProcessorCapabilities`	423	Exported Function
`InitializePrintMonitor2`	424	Exported Function
`InitializePrintProvidor`	425	Exported Function
`EnumPrintProcessorDatatypesW`	422	Exported Function
`ClosePrintProcessor`	419	Exported Function
`ControlPrintProcessor`	420	Exported Function
`DllMain`	421	Exported Function
`LocalEnumForms`	428	Exported Function
`LocalReadPrinter`	429	Exported Function
`LocalSetForm`	430	Exported Function
`LocalDeleteForm`	427	Exported Function
`LclIsSessionZero`	401	Exported Function
`LclPromptUIPerSessionUser`	402	Exported Function
`LocalAddForm`	426	Exported Function
`SplDriverEvent`	463	Exported Function
`SplEnableCSRPrinterDeviceInterface`	405	Exported Function
`SplEndDocPrinter`	464	Exported Function
`SplDoesCSRPrinterDevnodeExist`	404	Exported Function
`SplDeletePrintProcCacheData`	453	Exported Function
`SplDeletePrintProcessor`	454	Exported Function
`SplDeleteSpooler`	462	Exported Function
`SplEnumMonitors`	468	Exported Function
`SplEnumPorts`	469	Exported Function
`SplEnumPrinterData`	473	Exported Function
`SplEnumJobs`	467	Exported Function
`SplEndPagePrinter`	465	Exported Function
`SplEnumForms`	466	Exported Function
`SplEnumJobNamedProperties`	406	Exported Function
`SplDeletePrinterWithJobs`	461	Exported Function
`SplDeleteForm`	449	Exported Function
`SplDeleteJobNamedProperty`	450	Exported Function
`SplDeleteMonitor`	451	Exported Function
`SplCreateSpooler`	448	Exported Function
`SplCopyFileEvent`	445	Exported Function
`SplCopyNumberOfFiles`	446	Exported Function
`SplCreatePrinterIC`	447	Exported Function
`SplDeletePrinterDriverEx`	458	Exported Function
`SplDeletePrinterIC`	459	Exported Function
`SplDeletePrinterKey`	460	Exported Function
`SplDeletePrinterDataEx`	457	Exported Function
`SplDeletePort`	452	Exported Function
`SplDeletePrinter`	455	Exported Function
`SplDeletePrinterData`	456	Exported Function

Signature

Status: Signature verified.
Serial: 330000026551AE1BBD005CBFBD000000000265
Thumbprint: E168609353F30FF2373157B4EB8CD519D07A2BFF
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: localspl.dll.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.19041.1 (WinBuild.160101.0800)
Product Version: 10.0.19041.1
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.
Machine Type: 64-bit

File Scan

VirusTotal Detections: 0/67
VirusTotal Link: https://www.virustotal.com/gui/file/2d7115b992ce08c3582d65e9adb57b7ccb4e2f0bf82c01eeceadced2041735c6/detection/

Possible Misuse

The following table contains possible examples of localspl.dll being misused. While localspl.dll is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
signature-base	apt_apt17_mal_sep17.yar	$s1 = “\spool\prtprocs\w32x86\localspl.dll” fullword ascii	CC BY-NC 4.0
signature-base	apt_apt17_mal_sep17.yar	$s2 = “\spool\prtprocs\x64\localspl.dll” fullword ascii	CC BY-NC 4.0