splwow64.exe

  • File Path: C:\windows\splwow64.exe
  • Description: Print driver host for applications

Hashes

Type Hash
MD5 BE96C8815DE31A42E93A3BE09C2EECCC
SHA1 28A9D5A66F5C8B259346A3C6BC95C8ACEA2F9025
SHA256 32F1211405B254D00F03CB7CED4570D898326B0099461E6896CE6EC8C2B517E2
SHA384 E6F16844408FD8B18628A9A78BD3D675E96C8FED0876D3FCB715A4D86FED25FFC381F0137FD9775F14F2699264AF783C
SHA512 8B29582E31355ACF3E270D3D04BFB795C1B6E42A734CD80AB347F8C468F78623BA97929613871B88CBBE66AE77F3193933AEF06DA0759F4BDD06F414FBEA1E8B
SSDEEP 1536:yLNDDCRirJYM+GmYmjR3+97wEXeGHGhIwVt3A7HPd4n+lbeRZIbSQPTxb:0D1rmM+Gyjl+eEXJwHQbPRyZ2pPTx

Signature

  • Status: The file C:\windows\splwow64.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: splwow64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.19727 (winblue_ltsb_escrow.200529-0549)
  • Product Version: 6.3.9600.19727
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\splwow64.exe 49
C:\WINDOWS\splwow64.exe 36
C:\WINDOWS\splwow64.exe 49
C:\Windows\splwow64.exe 43
C:\Windows\splwow64.exe 44
C:\Windows\splwow64.exe 41
C:\Windows\splwow64.exe 44
C:\Windows\splwow64.exe 49
C:\Windows\splwow64.exe 54
C:\Windows\system32\ntprint.exe 41
C:\WINDOWS\system32\ntprint.exe 40
C:\windows\system32\ntprint.exe 46
C:\Windows\system32\ntprint.exe 46
C:\Windows\system32\ntprint.exe 43
C:\WINDOWS\system32\ntprint.exe 44
C:\Windows\system32\ntprint.exe 44
C:\Windows\system32\PrintIsolationHost.exe 55
C:\Windows\system32\PrintIsolationHost.exe 54
C:\Windows\system32\PrintIsolationHost.exe 55
C:\WINDOWS\system32\PrintIsolationHost.exe 54
C:\Windows\system32\PrintIsolationHost.exe 57
C:\WINDOWS\system32\PrintIsolationHost.exe 55
C:\windows\system32\PrintIsolationHost.exe 57
C:\Windows\system32\printui.exe 43
C:\Windows\system32\printui.exe 43
C:\Windows\system32\printui.exe 46
C:\Windows\system32\printui.exe 41
C:\WINDOWS\system32\printui.exe 44
C:\windows\system32\printui.exe 47
C:\WINDOWS\system32\printui.exe 43
C:\Windows\system32\printui.exe 43
C:\windows\SysWOW64\ntprint.exe 43
C:\WINDOWS\SysWOW64\ntprint.exe 46
C:\Windows\SysWOW64\ntprint.exe 46
C:\WINDOWS\SysWOW64\ntprint.exe 43
C:\Windows\SysWOW64\ntprint.exe 43
C:\Windows\SysWOW64\ntprint.exe 46
C:\Windows\SysWOW64\ntprint.exe 44
C:\WINDOWS\SysWOW64\printui.exe 43
C:\Windows\SysWOW64\printui.exe 43
C:\Windows\SysWOW64\printui.exe 44
C:\WINDOWS\SysWOW64\printui.exe 41
C:\windows\SysWOW64\printui.exe 43
C:\Windows\SysWOW64\printui.exe 47
C:\Windows\SysWOW64\printui.exe 41
C:\Windows\SysWOW64\printui.exe 43

Possible Misuse

The following table contains possible examples of splwow64.exe being misused. While splwow64.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_splwow64.yml title: Suspicious Splwow64 Without Params DRL 1.0
sigma proc_creation_win_susp_splwow64.yml description: Detects suspicious Splwow64.exe process without any command line parameters DRL 1.0
sigma proc_creation_win_susp_splwow64.yml Image\|endswith: '\splwow64.exe' DRL 1.0
sigma proc_creation_win_susp_splwow64.yml CommandLine\|endswith: 'splwow64.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.