splwow64.exe

  • File Path: C:\Windows\splwow64.exe
  • Description: Print driver host for applications

Hashes

Type Hash
MD5 B626F1C0194C73D55529E729A63209A2
SHA1 5CA36C70A1942504CB0E65D94885139CBF653CF0
SHA256 BCC166B2E9FA1483CA5FE851F0C5D7477AB1D029F20CF5EBBB1BCB01B9BFE506
SHA384 A75D934CA1E22488C029E3272F36782B091802E63162CA1E61276BC50CA667176F6C1567C7E31FF81F32E026B2C0CE45
SHA512 030FAD141DEA3E972082DFA352EBBF5CEF556E23599DE6B3A249FB6E743151F326C6D93565FDDD136132D4AD3320C7BC7B0ABCFE618A7ACB70DCFD782A360181
SSDEEP 3072:SXVXRFVRrpRbtbgfw6muHQbPRyZ2pPTU:mVXhFTBc4fu8AZ2

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: splwow64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.3630 (rs1_release.200407-1730)
  • Product Version: 10.0.14393.3630
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\splwow64.exe 41
C:\WINDOWS\splwow64.exe 44
C:\WINDOWS\splwow64.exe 46
C:\Windows\splwow64.exe 41
C:\Windows\splwow64.exe 43
C:\Windows\splwow64.exe 40
C:\Windows\splwow64.exe 46
C:\Windows\splwow64.exe 50
C:\windows\splwow64.exe 44
C:\Windows\system32\PrintIsolationHost.exe 50
C:\Windows\system32\PrintIsolationHost.exe 49
C:\WINDOWS\system32\PrintIsolationHost.exe 50
C:\Windows\system32\PrintIsolationHost.exe 50

Possible Misuse

The following table contains possible examples of splwow64.exe being misused. While splwow64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_splwow64.yml title: Suspicious Splwow64 Without Params DRL 1.0
sigma win_susp_splwow64.yml description: Detects suspicious Splwow64.exe process without any command line parameters DRL 1.0
sigma win_susp_splwow64.yml Image\|endswith: '\splwow64.exe' DRL 1.0
sigma win_susp_splwow64.yml CommandLine\|endswith: 'splwow64.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.