splwow64.exe

  • File Path: C:\Windows\splwow64.exe
  • Description: Print driver host for applications

Hashes

Type Hash
MD5 BD86784ABDA6C4FD8ACFD3912AC192E9
SHA1 CA50E01132DEFC86AC67EADA0BD5E0FD9F87C027
SHA256 572954B4BD75BE0FCAFFF46EAC69B1DD9648D137B15C5D8B6DCE8AAA0F7914D7
SHA384 16402A38478D0A0145722FDF0F14A3899C0B2FB29FB0CEFCF8E6E890E55DDD0ECE31DB4FBFC5C02AE631427E6877A772
SHA512 3788B998C4DC719927752877668620F26F8BD0A296D03CF73D87A6FD6C62160C6CAD1C9427D01264AC61692571A7CBEBA15C50B1211E837151B4CEE0AE362EFD
SSDEEP 1536:kK4pVAPySr33W4YurzbV9TllhZp205zYqmRo50+RU/Vt3A7HPd4n+lbeRZIbSQPM:kzpi1LjrpRzYqmRowHQbPRyZ2pPTJ
IMP 260422772873DF4417E4B473F68B1ADE
PESHA1 AA281DA56DAFB37E8E1E99AAAC75382AA4E2942E
PE256 09718BEC946D58B14A5D7A10D4156163D83553AC31F37A0CD836AFE2F8EB5F41

Runtime Data

Open Handles:

Path Type
(RW-) C:\Users\user File
\BaseNamedObjects__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section

Loaded Modules:

Path
C:\Windows\splwow64.exe
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\sechost.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: splwow64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1288 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1288
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/572954b4bd75be0fcafff46eac69b1dd9648d137b15c5d8b6dce8aaa0f7914d7/detection

File Similarity (ssdeep match)

File Score
C:\Windows\splwow64.exe 43
C:\WINDOWS\splwow64.exe 41
C:\WINDOWS\splwow64.exe 49
C:\Windows\splwow64.exe 36
C:\Windows\splwow64.exe 44
C:\Windows\splwow64.exe 41
C:\Windows\splwow64.exe 50
C:\Windows\splwow64.exe 50
C:\windows\splwow64.exe 54
C:\Windows\system32\ntprint.exe 38
C:\WINDOWS\system32\ntprint.exe 40
C:\windows\system32\ntprint.exe 40
C:\Windows\system32\ntprint.exe 41
C:\Windows\system32\ntprint.exe 40
C:\WINDOWS\system32\ntprint.exe 40
C:\Windows\system32\ntprint.exe 44
C:\Windows\system32\PrintIsolationHost.exe 54
C:\Windows\system32\PrintIsolationHost.exe 57
C:\Windows\system32\PrintIsolationHost.exe 52
C:\WINDOWS\system32\PrintIsolationHost.exe 49
C:\Windows\system32\PrintIsolationHost.exe 55
C:\WINDOWS\system32\PrintIsolationHost.exe 54
C:\windows\system32\PrintIsolationHost.exe 50
C:\Windows\system32\printui.exe 38
C:\Windows\system32\printui.exe 41
C:\Windows\system32\printui.exe 41
C:\Windows\system32\printui.exe 38
C:\WINDOWS\system32\printui.exe 41
C:\windows\system32\printui.exe 41
C:\WINDOWS\system32\printui.exe 41
C:\Windows\system32\printui.exe 40
C:\windows\SysWOW64\ntprint.exe 40
C:\WINDOWS\SysWOW64\ntprint.exe 38
C:\Windows\SysWOW64\ntprint.exe 40
C:\WINDOWS\SysWOW64\ntprint.exe 43
C:\Windows\SysWOW64\ntprint.exe 43
C:\Windows\SysWOW64\ntprint.exe 40
C:\Windows\SysWOW64\ntprint.exe 41
C:\WINDOWS\SysWOW64\printui.exe 38
C:\Windows\SysWOW64\printui.exe 43
C:\Windows\SysWOW64\printui.exe 41
C:\WINDOWS\SysWOW64\printui.exe 40
C:\windows\SysWOW64\printui.exe 44
C:\Windows\SysWOW64\printui.exe 41
C:\Windows\SysWOW64\printui.exe 43
C:\Windows\SysWOW64\printui.exe 43

Possible Misuse

The following table contains possible examples of splwow64.exe being misused. While splwow64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_splwow64.yml title: Suspicious Splwow64 Without Params DRL 1.0
sigma proc_creation_win_susp_splwow64.yml description: Detects suspicious Splwow64.exe process without any command line parameters DRL 1.0
sigma proc_creation_win_susp_splwow64.yml Image\|endswith: '\splwow64.exe' DRL 1.0
sigma proc_creation_win_susp_splwow64.yml CommandLine\|endswith: 'splwow64.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.