splwow64.exe

  • File Path: C:\windows\splwow64.exe
  • Description: Print driver host for applications

Hashes

Type Hash
MD5 B73202D296AE4FDB8ECC29CC97F8A444
SHA1 1A6BDFEE1E209CF6DB18C4FF3D4C6D5E1DAB3185
SHA256 A9EF565FA5C9882E28DD960E6507A97A727352C546C8D2F9229DCBD368952F32
SHA384 7CC732A34612C6E0AE5976184A0040FD3881FAE510FA381DC3322C7BF4A85BC7E252E0AFF27D176380414102E7CD74DA
SHA512 693409842EFD4CBBB77AFFA2791300A1E2A136CD1699A16808B93C5E10967149EDA58D6AAB508D964970AFA378A79259076C48B59714C21A3D4EC42F70E4202C
SSDEEP 1536:lG8TLS5LoKSGK/aTg3R5k6zI3Jlkob/g+Vt3A7HPd4n+lbeRZIbSQPTsu:lGh5zHih9Kkob/bHQbPRyZ2pPTs

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: splwow64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1282 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1282
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\splwow64.exe 44
C:\WINDOWS\splwow64.exe 40
C:\WINDOWS\splwow64.exe 46
C:\Windows\splwow64.exe 41
C:\Windows\splwow64.exe 43
C:\Windows\splwow64.exe 43
C:\Windows\splwow64.exe 46
C:\Windows\splwow64.exe 50
C:\windows\splwow64.exe 49
C:\Windows\system32\ntprint.exe 40
C:\WINDOWS\system32\ntprint.exe 43
C:\windows\system32\ntprint.exe 43
C:\Windows\system32\ntprint.exe 44
C:\Windows\system32\ntprint.exe 43
C:\WINDOWS\system32\ntprint.exe 40
C:\Windows\system32\ntprint.exe 43
C:\Windows\system32\PrintIsolationHost.exe 55
C:\Windows\system32\PrintIsolationHost.exe 57
C:\Windows\system32\PrintIsolationHost.exe 58
C:\WINDOWS\system32\PrintIsolationHost.exe 57
C:\Windows\system32\PrintIsolationHost.exe 57
C:\WINDOWS\system32\PrintIsolationHost.exe 55
C:\windows\system32\PrintIsolationHost.exe 55
C:\Windows\system32\printui.exe 43
C:\Windows\system32\printui.exe 46
C:\Windows\system32\printui.exe 47
C:\Windows\system32\printui.exe 41
C:\WINDOWS\system32\printui.exe 44
C:\windows\system32\printui.exe 46
C:\WINDOWS\system32\printui.exe 44
C:\Windows\system32\printui.exe 43
C:\windows\SysWOW64\ntprint.exe 44
C:\WINDOWS\SysWOW64\ntprint.exe 41
C:\Windows\SysWOW64\ntprint.exe 43
C:\WINDOWS\SysWOW64\ntprint.exe 46
C:\Windows\SysWOW64\ntprint.exe 41
C:\Windows\SysWOW64\ntprint.exe 41
C:\Windows\SysWOW64\ntprint.exe 44
C:\WINDOWS\SysWOW64\printui.exe 40
C:\Windows\SysWOW64\printui.exe 43
C:\Windows\SysWOW64\printui.exe 44
C:\WINDOWS\SysWOW64\printui.exe 43
C:\windows\SysWOW64\printui.exe 44
C:\Windows\SysWOW64\printui.exe 43
C:\Windows\SysWOW64\printui.exe 43
C:\Windows\SysWOW64\printui.exe 43

Possible Misuse

The following table contains possible examples of splwow64.exe being misused. While splwow64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_splwow64.yml title: Suspicious Splwow64 Without Params DRL 1.0
sigma win_susp_splwow64.yml description: Detects suspicious Splwow64.exe process without any command line parameters DRL 1.0
sigma win_susp_splwow64.yml Image\|endswith: '\splwow64.exe' DRL 1.0
sigma win_susp_splwow64.yml CommandLine\|endswith: 'splwow64.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.