splwow64.exe

  • File Path: C:\WINDOWS\splwow64.exe
  • Description: Print driver host for applications

Hashes

Type Hash
MD5 7FF9B78730CCCCEE4DA267DED5C5C7DA
SHA1 4104C3C2CB942F30EEE50EB610CBA5EDDD6C23AE
SHA256 4B4CF1DAA89CC701A00CB3BC94DB9433E01A37FC738318DCC76D2F62F34D0A15
SHA384 5F89644879F50B2E9714900A6AB9EF77F5CDAD6B7FE91C7FC1998E4FD3D9992D35F78712E0D945197DCA29ED8ABB33C3
SHA512 387CC4094C6E0BE6D5B14D44C9FB05FE17AA7AD901DB31C2D5B181D3A53A7619F49F041CF5B9E1D689BFB79BBCBB12AF04AB421BDCA9C314406A5CEF2AC6161D
SSDEEP 3072:qa76Xv5rrKFBEFB28pbcLnrEOjpecsNRt3Avafe/HQbPRyZ2pPTO:vWXdrKFGFB28xiljpecsNRtg8AZ2
IMP A59C09F03244F0F5F6BA43A408CAD486
PESHA1 E922726165CD3E82A577EE49A59F8EF04379F1A4
PE256 56D6735A4B8027791A09CA04C52EB2ACA1FE795DE9A6381C7BD08A68302A794D

Runtime Data

Open Handles:

Path Type
(RW-) C:\Windows\System32 File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section

Loaded Modules:

Path
C:\WINDOWS\splwow64.exe
C:\WINDOWS\System32\ADVAPI32.dll
C:\WINDOWS\System32\combase.dll
C:\WINDOWS\System32\GDI32.dll
C:\WINDOWS\System32\gdi32full.dll
C:\WINDOWS\System32\IMM32.DLL
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcp_win.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\RPCRT4.dll
C:\WINDOWS\System32\sechost.dll
C:\WINDOWS\System32\ucrtbase.dll
C:\WINDOWS\System32\USER32.dll
C:\WINDOWS\System32\win32u.dll
C:\WINDOWS\SYSTEM32\WINSPOOL.DRV

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: splwow64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.282 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.282
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/4b4cf1daa89cc701a00cb3bc94db9433e01a37fc738318dcc76d2f62f34d0a15/detection

File Similarity (ssdeep match)

File Score
C:\Windows\splwow64.exe 35
C:\WINDOWS\splwow64.exe 40
C:\Windows\splwow64.exe 36
C:\Windows\splwow64.exe 33
C:\Windows\splwow64.exe 33
C:\Windows\splwow64.exe 44
C:\Windows\splwow64.exe 40
C:\Windows\splwow64.exe 41
C:\windows\splwow64.exe 36
C:\Windows\system32\PrintIsolationHost.exe 40
C:\Windows\system32\PrintIsolationHost.exe 38
C:\WINDOWS\system32\PrintIsolationHost.exe 40
C:\Windows\system32\PrintIsolationHost.exe 43

Possible Misuse

The following table contains possible examples of splwow64.exe being misused. While splwow64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_splwow64.yml title: Suspicious Splwow64 Without Params DRL 1.0
sigma win_susp_splwow64.yml description: Detects suspicious Splwow64.exe process without any command line parameters DRL 1.0
sigma win_susp_splwow64.yml Image\|endswith: '\splwow64.exe' DRL 1.0
sigma win_susp_splwow64.yml CommandLine\|endswith: 'splwow64.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.