splwow64.exe

  • File Path: C:\Windows\splwow64.exe
  • Description: Print driver host for applications

Hashes

Type Hash
MD5 AA4138C0FBC6D41F9EBC5C4EFE20ECCA
SHA1 57CE75D728BCFCAA6F373C9461D7D4DA0787842E
SHA256 EDEC0ED8FB5DF666834D1C1D49C920CE23060A81B8121E4BC8E46369E026CF7E
SHA384 BA2FEDF3C3455AC5D8ACDE9FED1A0927A41932ACB97ED96AC02246B48042F65E91C2E73FBC6816461C11455D7D5A5308
SHA512 90D7BA835E1899FF1337253D2F50DCA9BFF1F8E811398C9A037B2B9D4148331B55E5017051744A72EAC3057532C7D34795E32F4CEA44F5F6F009458AF201B876
SSDEEP 3072:Z8TRNBWRNsoGlAi++KOn2ZsQgWlUHQbPRyZ2pPTo:eTRNByNsoGlAiJSsFUU8AZ2
IMP 260422772873DF4417E4B473F68B1ADE
PESHA1 BE5737DF8069F59F813B409CF5753B79266E475F
PE256 F6E1D968E6039B13661D16027380C51B989D8B5D9B156520A9B1FD99B7F3CFC6

Runtime Data

Open Handles:

Path Type
(RW-) C:\Users\user File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section

Loaded Modules:

Path
C:\Windows\splwow64.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\clbcatq.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\SYSTEM32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SYSTEM32\PrintIsolationProxy.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\SYSTEM32\sspicli.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll
C:\Windows\SYSTEM32\WINSPOOL.DRV

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: splwow64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.388 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.388
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/edec0ed8fb5df666834d1c1d49c920ce23060a81b8121e4bc8e46369e026cf7e/detection

File Similarity (ssdeep match)

File Score
C:\Windows\splwow64.exe 72
C:\WINDOWS\splwow64.exe 33
C:\WINDOWS\splwow64.exe 44
C:\Windows\splwow64.exe 40
C:\Windows\splwow64.exe 86
C:\Windows\splwow64.exe 40
C:\Windows\splwow64.exe 43
C:\Windows\splwow64.exe 41
C:\windows\splwow64.exe 41
C:\Windows\system32\PrintIsolationHost.exe 43
C:\Windows\system32\PrintIsolationHost.exe 49
C:\WINDOWS\system32\PrintIsolationHost.exe 47
C:\Windows\system32\PrintIsolationHost.exe 41

Possible Misuse

The following table contains possible examples of splwow64.exe being misused. While splwow64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_splwow64.yml title: Suspicious Splwow64 Without Params DRL 1.0
sigma win_susp_splwow64.yml description: Detects suspicious Splwow64.exe process without any command line parameters DRL 1.0
sigma win_susp_splwow64.yml Image\|endswith: '\splwow64.exe' DRL 1.0
sigma win_susp_splwow64.yml CommandLine\|endswith: 'splwow64.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.