spoolsv.exe
- File Path: C:\WINDOWS\system32\spoolsv.exe
- Description: Spooler SubSystem App
Hashes
| Type | Hash |
|---|---|
| MD5 | A75A1EE723DB71F5F51CD732C4FB1F52 |
| SHA1 | BB34A52FAB245BE7E37FF1F6179CC7B1A2E1C89B |
| SHA256 | ED8DD3B055882E112D70E6F85ACB1E8652880B703EE44416E96DAD8B867BACA1 |
| SHA384 | 1D4D8DDB20BDE9DC0AD8A58994D8CFEBC98B719C3CB109A78470B6B9CE22E9C850CF72A36C234645A6AA7CE1B09F062A |
| SHA512 | 071048485B72D76116535B009ECB11691CEA76551C6839CD37A49DB0E2599566066806E69155354E5895197F6C4A7376F0DF66E31D11A332A08E7C846409E68B |
| SSDEEP | 24576:rncxMUrZ9FizATHg4QKQxLeOWJyuxRzBguwoTlF858Gd3nSVKwuNgz5hoKQ:rncxMU1bHvQKQxLeOWJyuxRzBguwoTlY |
| IMP | 0D8D2A6DA8848AD675E582C2FA2FC8E6 |
| PESHA1 | 85D91CBBC3C6DB8424D9F92380630D721C6F3182 |
| PE256 | AE37F0D95774802DFC38CCC7C82F3FC62A498E6D521B13D58414C411BC58D4CD |
Runtime Data
Loaded Modules:
| Path |
|---|
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\system32\spoolsv.exe |
Signature
- Status: Signature verified.
- Serial: 33000002ED2C45E4C145CF48440000000002ED
- Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: spoolsv.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/72
- VirusTotal Link: https://www.virustotal.com/gui/file/ed8dd3b055882e112d70e6f85acb1e8652880b703ee44416e96dad8b867baca1/detection
Possible Misuse
The following table contains possible examples of spoolsv.exe being misused. While spoolsv.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_suspicious_remote_thread.yml | - '\spoolsv.exe' | DRL 1.0 |
| sigma | file_delete_win_cve_2021_1675_printspooler_del.yml | Image\|endswith: 'spoolsv.exe' | DRL 1.0 |
| sigma | file_event_win_creation_system_file.yml | - '\spoolsv.exe' | DRL 1.0 |
| sigma | image_load_spoolsv_dll_load.yml | Image\|endswith: 'spoolsv.exe' | DRL 1.0 |
| sigma | proc_creation_win_abusing_debug_privilege.yml | - '\spoolsv.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | description: Detects suspicious print spool service (spoolsv.exe) child processes. | DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | spoolsv: | DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | ParentImage\|endswith: \\spoolsv.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_spoolsv_child_processes.yml | condition: spoolsv and ( | DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\spoolsv.exe' | DRL 1.0 |
| sigma | registry_event_add_port_monitor.yml | Image: 'C:\Windows\System32\spoolsv.exe' | DRL 1.0 |
| sigma | registry_event_asep_reg_keys_modification_currentcontrolset.yml | Image: 'C:\Windows\System32\spoolsv.exe' | DRL 1.0 |
| atomic-red-team | T1489.md | This technique was used by WannaCry. Upon execution, if the spoolsv service was running "SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated." | MIT License. © 2018 Red Canary |
| atomic-red-team | T1489.md | will be displayed. If the service was not running "ERROR: The process "spoolsv.exe" not found." will be displayed and it can be | MIT License. © 2018 Red Canary |
| atomic-red-team | T1489.md | \| process_name \| Name of a process to kill \| String \| spoolsv.exe \| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.010.md | <blockquote>Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors . | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.010.md | Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. | MIT License. © 2018 Red Canary |
| signature-base | generic_anomalies.yar | description = "Detects uncommon file size of spoolsv.exe" | CC BY-NC 4.0 |
| signature-base | generic_anomalies.yar | and filename == "spoolsv.exe" | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.