splwow64.exe

• File Path: C:\Windows\splwow64.exe
• Description: Print driver host for applications

Hashes

Type	Hash
MD5	93A8D365CB20A105CB97FF41451B85D5
SHA1	91C6C820FAE580826E5C6D7783CDB7CEB131C298
SHA256	70AD0FE5B39719C3D0A5EDD2BEA742BC7AF35D6EF153D92FA1D011D34510E92C
SHA384	8CECD2835750C71AACCCFD96D3A7F5D573F0F8C19ADF9FE7A08169612EA05696D9B2FE1D01B1E684C53919F2CB4EF114
SHA512	2B004FF1C5841CE6B9F2BB290F8C74E67C5EDA4834331AF8F46BB7A544B3642F7842AB50954DC9073EE548D99C6F3F252C718C8D5951324A15F76A59DD96B0E0
SSDEEP	3072:JwTes+h9eRr6d/pGuWQ/Dc+vWCfZcxOeHQbPRyZ2pPTv:eis+hAuRpGFQ/rhCt8AZ2
IMP	A54B3197E11F3941F4E9261854E484BB
PESHA1	4F1F374CC854D664A53947D4091EB5E521F496BD
PE256	23A933F5745F7F100F38A799B86EB8CED78E031FCCA066B176A02973F1EE813C

Runtime Data

Open Handles:

Path	Type
(RW-) C:\Users\user	File
\BaseNamedObjects__ComCatalogCache__	Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db	Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db	Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro	Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0	Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0	Section
\RPC Control\DSEC12D8	Section

Loaded Modules:

Path
C:\Windows\splwow64.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\bcrypt.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\clbcatq.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\SYSTEM32\IPHLPAPI.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\SYSTEM32\PrintIsolationProxy.dll
C:\Windows\SYSTEM32\PROPSYS.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\SYSTEM32\sspicli.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll
C:\Windows\SYSTEM32\WINSPOOL.DRV

Signature

• Status: Signature verified.
• Serial: 3300000266BD1580EFA75CD6D3000000000266
• Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
• Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
• Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

• Original Filename: splwow64.exe
• Product Name: Microsoft Windows Operating System
• Company Name: Microsoft Corporation
• File Version: 10.0.17763.1339 (WinBuild.160101.0800)
• Product Version: 10.0.17763.1339
• Language: English (United States)
• Legal Copyright: Microsoft Corporation. All rights reserved.
• Machine Type: 64-bit

File Scan

• VirusTotal Detections: 0/70
• VirusTotal Link: https://www.virustotal.com/gui/file/70ad0fe5b39719c3d0a5edd2bea742bc7af35d6ef153d92fa1d011d34510e92c/detection/

File Similarity (ssdeep match)

File	Score
C:\Windows\splwow64.exe	40
C:\WINDOWS\splwow64.exe	36
C:\WINDOWS\splwow64.exe	44
C:\Windows\splwow64.exe	41
C:\Windows\splwow64.exe	40
C:\Windows\splwow64.exe	41
C:\Windows\splwow64.exe	41
C:\Windows\splwow64.exe	36
C:\windows\splwow64.exe	43
C:\Windows\system32\PrintIsolationHost.exe	44
C:\Windows\system32\PrintIsolationHost.exe	43
C:\WINDOWS\system32\PrintIsolationHost.exe	44
C:\Windows\system32\PrintIsolationHost.exe	44

Possible Misuse

The following table contains possible examples of splwow64.exe being misused. While splwow64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_susp_splwow64.yml	title: Suspicious Splwow64 Without Params	DRL 1.0
sigma	proc_creation_win_susp_splwow64.yml	description: Detects suspicious Splwow64.exe process without any command line parameters	DRL 1.0
sigma	proc_creation_win_susp_splwow64.yml	Image\|endswith: '\splwow64.exe'	DRL 1.0
sigma	proc_creation_win_susp_splwow64.yml	CommandLine\|endswith: 'splwow64.exe'	DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.