splwow64.exe

  • File Path: C:\WINDOWS\splwow64.exe
  • Description: Print driver host for applications

Hashes

Type Hash
MD5 906E1DFC3A3A64D3452C5BA124AC9A4C
SHA1 0FC68CC9BED7E15F8BC70BB7AA184BCDE5D06924
SHA256 70BF1C950110A5F30CCC8C8D85A6051B72D7E5A95D1CF8F347C86725B88F60C6
SHA384 1E5323128982AFCA167DBB319F5840C9A60555C5C9583F875FDB7265089899F671743CD0212A5A65442E1F961FA33D6F
SHA512 5B7B7F4A681A9D1921FE7EF8537FBB9F4A03DF57DDC81715189C5D0C1C6F6211C87C136FC10DC3FEBCAAD344DE208BE5C87A3293A851DA407AEF84D36B3F56C3
SSDEEP 1536:ZCs6cgDB3XzsMVrqPfRrcE7m0pQ8LD7mNQeVt3A7HPd4n+lbeRZIbSQPT7R:ZkFgBrrdQ8LD78HQbPRyZ2pPT7

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: splwow64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.476 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.476
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\splwow64.exe 41
C:\WINDOWS\splwow64.exe 40
C:\Windows\splwow64.exe 44
C:\Windows\splwow64.exe 41
C:\Windows\splwow64.exe 44
C:\Windows\splwow64.exe 46
C:\Windows\splwow64.exe 46
C:\Windows\splwow64.exe 49
C:\windows\splwow64.exe 49
C:\Windows\system32\ntprint.exe 44
C:\WINDOWS\system32\ntprint.exe 44
C:\windows\system32\ntprint.exe 43
C:\Windows\system32\ntprint.exe 43
C:\Windows\system32\ntprint.exe 41
C:\WINDOWS\system32\ntprint.exe 44
C:\Windows\system32\ntprint.exe 46
C:\Windows\system32\PrintIsolationHost.exe 58
C:\Windows\system32\PrintIsolationHost.exe 55
C:\Windows\system32\PrintIsolationHost.exe 55
C:\WINDOWS\system32\PrintIsolationHost.exe 57
C:\Windows\system32\PrintIsolationHost.exe 57
C:\WINDOWS\system32\PrintIsolationHost.exe 54
C:\windows\system32\PrintIsolationHost.exe 58
C:\Windows\system32\printui.exe 47
C:\Windows\system32\printui.exe 44
C:\Windows\system32\printui.exe 44
C:\Windows\system32\printui.exe 47
C:\WINDOWS\system32\printui.exe 44
C:\windows\system32\printui.exe 46
C:\WINDOWS\system32\printui.exe 44
C:\Windows\system32\printui.exe 44
C:\windows\SysWOW64\ntprint.exe 41
C:\WINDOWS\SysWOW64\ntprint.exe 44
C:\Windows\SysWOW64\ntprint.exe 44
C:\WINDOWS\SysWOW64\ntprint.exe 43
C:\Windows\SysWOW64\ntprint.exe 44
C:\Windows\SysWOW64\ntprint.exe 44
C:\Windows\SysWOW64\ntprint.exe 46
C:\WINDOWS\SysWOW64\printui.exe 44
C:\Windows\SysWOW64\printui.exe 47
C:\Windows\SysWOW64\printui.exe 46
C:\WINDOWS\SysWOW64\printui.exe 44
C:\windows\SysWOW64\printui.exe 49
C:\Windows\SysWOW64\printui.exe 44
C:\Windows\SysWOW64\printui.exe 44
C:\Windows\SysWOW64\printui.exe 44

Possible Misuse

The following table contains possible examples of splwow64.exe being misused. While splwow64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source  Source File            Example                                                                                   License
sigma   win_susp_splwow64.yml  title: Suspicious Splwow64 Without Params                                                 DRL 1.0
sigma   win_susp_splwow64.yml  description: Detects suspicious Splwow64.exe process without any command line parameters  DRL 1.0
sigma   win_susp_splwow64.yml  Image|endswith: '\splwow64.exe'                                                           DRL 1.0
sigma   win_susp_splwow64.yml  CommandLine|endswith: 'splwow64.exe'                                                      DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.