spoolsv.exe
- File Path: C:\Windows\system32\spoolsv.exe
- Description: Spooler SubSystem App
Hashes
Type | Hash |
---|---|
MD5 | 0E119867D0C988C1602C47CF8EC333F4 |
SHA1 | 33C6D12701B1887F26B86E4E73A23885F97D3957 |
SHA256 | C58A7FC742D9F2DC0CAD8CC87DF657CBAFBD35BBEC4E22BB42350CAE6EAAAB4E |
SHA384 | 1BDCA656727845C15D932B63B25D81376EBC9DB406A6011C9BCC58BD94DD9A148C61E47BF3146337C3575639D91BC3D2 |
SHA512 | 1AF49CF4E654B598A8407F58FB064129690797F7E14A8955E6B03EE460033461F9A226287B0937E7B6D22F9A7AF3BB1B24A827F5E68B043F6E961157BE3475A7 |
SSDEEP | 24576:Hpd2AMdhQ1q+dmmKVHgkG4Slx8qLszpIsnm/+tLwyFN9CKeY:Jd23dh4q+dmmKVHgkG4Slx8qLszpIsn7 |
IMP | 49CB54661D134053EF24953549A1946E |
PESHA1 | 8E91E255071B1AB83EFC4C6C21DCF7BA80F36A4F |
PE256 | 30FB51295D22D030546DB9C46FB6D79B0049D226776C0BEF715AE7DC80F226AB |
Runtime Data
Loaded Modules:
Path |
---|
C:\Windows\System32\GDI32.dll |
C:\Windows\System32\gdi32full.dll |
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\System32\msvcp_win.dll |
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\system32\spoolsv.exe |
C:\Windows\System32\ucrtbase.dll |
C:\Windows\System32\USER32.dll |
C:\Windows\System32\win32u.dll |
Signature
- Status: Signature verified.
- Serial: 33000002EC6579AD1E670890130000000002EC
- Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: spoolsv.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/c58a7fc742d9f2dc0cad8cc87df657cbafbd35bbec4e22bb42350cae6eaaab4e/detection
Possible Misuse
The following table contains possible examples of spoolsv.exe being misused. While spoolsv.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | sysmon_suspicious_remote_thread.yml | - '\spoolsv.exe' | DRL 1.0 |
sigma | file_delete_win_cve_2021_1675_printspooler_del.yml | Image\|endswith: 'spoolsv.exe' | DRL 1.0 |
sigma | file_event_win_creation_system_file.yml | - '\spoolsv.exe' | DRL 1.0 |
sigma | image_load_spoolsv_dll_load.yml | Image\|endswith: 'spoolsv.exe' | DRL 1.0 |
sigma | proc_creation_win_abusing_debug_privilege.yml | - '\spoolsv.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | description: Detects suspicious print spool service (spoolsv.exe) child processes. | DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | spoolsv: | DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | ParentImage\|endswith: \\spoolsv.exe | DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | condition: spoolsv and ( | DRL 1.0 |
sigma | proc_creation_win_system_exe_anomaly.yml | - '\spoolsv.exe' | DRL 1.0 |
sigma | registry_event_add_port_monitor.yml | Image: 'C:\Windows\System32\spoolsv.exe' | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification_currentcontrolset.yml | Image: 'C:\Windows\System32\spoolsv.exe' | DRL 1.0 |
atomic-red-team | T1489.md | This technique was used by WannaCry. Upon execution, if the spoolsv service was running "SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated." | MIT License. © 2018 Red Canary |
atomic-red-team | T1489.md | will be displayed. If the service was not running "ERROR: The process "spoolsv.exe" not found." will be displayed and it can be | MIT License. © 2018 Red Canary |
atomic-red-team | T1489.md | \| process_name \| Name of a process to kill \| String \| spoolsv.exe \| | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.010.md | Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors. | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.010.md | Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot the DLL will be executed under spoolsv with NT AUTHORITY/SYSTEM privilege. | MIT License. © 2018 Red Canary |
signature-base | generic_anomalies.yar | description = "Detects uncommon file size of spoolsv.exe" | CC BY-NC 4.0 |
signature-base | generic_anomalies.yar | and filename == "spoolsv.exe" | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.