splwow64.exe

  • File Path: C:\Windows\splwow64.exe
  • Description: Print driver host for applications

Hashes

Type Hash
MD5 93A8D365CB20A105CB97FF41451B85D5
SHA1 91C6C820FAE580826E5C6D7783CDB7CEB131C298
SHA256 70AD0FE5B39719C3D0A5EDD2BEA742BC7AF35D6EF153D92FA1D011D34510E92C
SHA384 8CECD2835750C71AACCCFD96D3A7F5D573F0F8C19ADF9FE7A08169612EA05696D9B2FE1D01B1E684C53919F2CB4EF114
SHA512 2B004FF1C5841CE6B9F2BB290F8C74E67C5EDA4834331AF8F46BB7A544B3642F7842AB50954DC9073EE548D99C6F3F252C718C8D5951324A15F76A59DD96B0E0
SSDEEP 3072:JwTes+h9eRr6d/pGuWQ/Dc+vWCfZcxOeHQbPRyZ2pPTv:eis+hAuRpGFQ/rhCt8AZ2
IMP A54B3197E11F3941F4E9261854E484BB
PESHA1 4F1F374CC854D664A53947D4091EB5E521F496BD
PE256 23A933F5745F7F100F38A799B86EB8CED78E031FCCA066B176A02973F1EE813C

Runtime Data

Open Handles:

Path Type
(RW-) C:\Users\user File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\RPC Control\DSEC12D8 Section

Loaded Modules:

Path
C:\Windows\splwow64.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\clbcatq.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\SYSTEM32\IPHLPAPI.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\SYSTEM32\PrintIsolationProxy.dll
C:\Windows\SYSTEM32\PROPSYS.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\SYSTEM32\sspicli.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll
C:\Windows\SYSTEM32\WINSPOOL.DRV

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: splwow64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1339 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1339
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/70ad0fe5b39719c3d0a5edd2bea742bc7af35d6ef153d92fa1d011d34510e92c/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\splwow64.exe 40
C:\WINDOWS\splwow64.exe 36
C:\WINDOWS\splwow64.exe 44
C:\Windows\splwow64.exe 41
C:\Windows\splwow64.exe 40
C:\Windows\splwow64.exe 41
C:\Windows\splwow64.exe 41
C:\Windows\splwow64.exe 36
C:\windows\splwow64.exe 43
C:\Windows\system32\PrintIsolationHost.exe 44
C:\Windows\system32\PrintIsolationHost.exe 43
C:\WINDOWS\system32\PrintIsolationHost.exe 44
C:\Windows\system32\PrintIsolationHost.exe 44

Possible Misuse

The following table contains possible examples of splwow64.exe being misused. While splwow64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_splwow64.yml title: Suspicious Splwow64 Without Params DRL 1.0
sigma proc_creation_win_susp_splwow64.yml description: Detects suspicious Splwow64.exe process without any command line parameters DRL 1.0
sigma proc_creation_win_susp_splwow64.yml Image\|endswith: '\splwow64.exe' DRL 1.0
sigma proc_creation_win_susp_splwow64.yml CommandLine\|endswith: 'splwow64.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.