Manalyze report for 127aa81343a7c6f665c22cb1293b0a90

Summary

Architecture	`IMAGE_FILE_MACHINE_AMD64`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2012-Feb-11 05:26:22
Detected languages	English - United States
Debug artifacts	splwow64.pdb
CompanyName	Microsoft Corporation
FileDescription	Print driver host for 32bit applications
FileVersion	`6.1.7601.17777 (win7sp1_gdr.120210-1503)`
InternalName	splwow64.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	splwow64.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion	`6.1.7601.17777`

Plugin Output

Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryW LoadLibraryExW` `Can access the registry: RegCloseKey RegQueryValueExW RegOpenKeyW` `Uses Windows's Native API: NtAcceptConnectPort NtCompleteConnectPort NtReplyPort NtClose NtAlpcOpenSenderThread NtCreatePort NtReplyWaitReceivePort` `Functions related to the privilege level: OpenProcessToken` `Manipulates other processes: OpenProcess`
Info	No VirusTotal score.	`A scan of the file is currently queued.`

Hashes

MD5	`127aa81343a7c6f665c22cb1293b0a90`
SHA1	`b6a476e898c019f7514d4f0a16b15cd27bee1f9c`
SHA256	`47ca5c13cabf3a24ef5d115ea181fa5bf94c8946bec5619a5b910addf0616943`
SHA3	`d3e80caecfe6dd055c908b2b630f5337697c4ebae68860235efa3ffb33d39675`
SSDeep	`1536:xkkkkkkkkkkkkkkkkw3j+U9A9q3psnWf305NUCVq:xkkkkkkkkkkkkkkkkQjd9AgZPf3CyCV`
Imports Hash	`a8b09475bdbdac8e7d7c815ed61e11e4`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_AMD64`
NumberofSections	`5`
TimeDateStamp	2012-Feb-11 05:26:22
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xf0`
Characteristics	`IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LARGE_ADDRESS_AWARE`

Image Optional Header

Magic	`PE32+`
LinkerVersion	`9.1`
SizeOfCode	`0xe600`
SizeOfInitializedData	`0x2200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x000000000000D1E4 (Section: .text)`
BaseOfCode	`0x1000`
ImageBase	`0x100000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`6.1`
ImageVersion	`6.1`
SubsystemVersion	`6.1`
Win32VersionValue	`0`
SizeOfImage	`0x14000`
SizeOfHeaders	`0x400`
Checksum	`0x1aff0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x80000`
SizeofStackCommit	`0x2000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`8a469b6d991719cceb856cbc1db2c5e7`
SHA1	`fb161759ee7dee232ad7cd8d2127e6e934a075bb`
SHA256	`97de9c1bda1e3df9f0aa2e386c1bc478c0b731e39083235b85718dc6ad85b4ac`
SHA3	`e52601f25e9ed85c9561b0400956a9fa497adf7474a1eb3629e64907237b43cd`
VirtualSize	`0xe5ac`
VirtualAddress	`0x1000`
SizeOfRawData	`0xe600`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`5.93386`

.data

MD5	`18e301c96454a8079731bd200280274e`
SHA1	`dc550795ae71fc4080b2d14ef2f57eb85be536d5`
SHA256	`2a513b05a7cf133bcc91728c416002e9280721b8fc5e8aebdacb6e0636278ef9`
SHA3	`99383e3d614322c7148f24663f0f2c3dc15277bcee9d23577fb40713da759b9b`
VirtualSize	`0x9f8`
VirtualAddress	`0x10000`
SizeOfRawData	`0x400`
PointerToRawData	`0xea00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`3.02336`

.pdata

MD5	`888940d2d11ad7cf8d37f784b3dc49f1`
SHA1	`fa8d92917eb44b057ef3dbb972e293405f399919`
SHA256	`698d6b954b86160be006b361036c41f5746ce77518081ec3df75cb8bf129f68e`
SHA3	`7d2346fd414b52ab876378ffcc9fa1ab1365415b2470756a4cd7b4fb0d985d35`
VirtualSize	`0xa38`
VirtualAddress	`0x11000`
SizeOfRawData	`0xc00`
PointerToRawData	`0xee00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`3.94435`

.rsrc

MD5	`1d05ac407901ba20a3c437902a01c5c9`
SHA1	`7a48b779077e8dec3ab5f9b352f503e527f2c1ed`
SHA256	`098cff2fa10151263bcc8fcfdce1b3183e73ddf3b27a492657de3423ca626460`
SHA3	`6230d06dd1ebad99219c4f6ce54f4879c7f08f064f13831bcc15427428fea29d`
VirtualSize	`0x428`
VirtualAddress	`0x12000`
SizeOfRawData	`0x600`
PointerToRawData	`0xfa00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`2.56531`

.reloc

MD5	`fc61cbc65920e7af687e67a3d8ef117d`
SHA1	`c8ea1287a761c36c9c740abee47b072fb0821603`
SHA256	`b03a0fc7445207519e747f1c48d6361613c5d4156c1d6b6bf887de18234260fe`
SHA3	`f2a9dd138ddf0c40ffb6c5136d744e30788a2aad88ab2d0fd81c3710508900d0`
VirtualSize	`0x4ca`
VirtualAddress	`0x13000`
SizeOfRawData	`0x600`
PointerToRawData	`0x10000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`3.95456`

Imports

ADVAPI32.dll	`TraceMessage` `GetTokenInformation` `OpenThreadToken` `RegCloseKey` `RegQueryValueExW` `RegOpenKeyW` `GetTraceEnableFlags` `GetTraceEnableLevel` `GetTraceLoggerHandle` `RegisterTraceGuidsW` `UnregisterTraceGuids` `ConvertStringSecurityDescriptorToSecurityDescriptorW` `RevertToSelf` `GetSidSubAuthorityCount` `ConvertSidToStringSidW` `OpenProcessToken` `GetSidSubAuthority`
KERNEL32.dll	`GetCurrentThread` `CreateThread` `FreeLibrary` `GetProcAddress` `LoadLibraryW` `ReleaseActCtx` `DeactivateActCtx` `TlsAlloc` `TlsFree` `ProcessIdToSessionId` `InitializeCriticalSection` `GetCurrentProcessId` `LocalFree` `SystemTimeToFileTime` `Sleep` `GetFileAttributesW` `GetSystemDirectoryW` `GetLastError` `WaitForSingleObject` `SetLastError` `ActivateActCtx` `CreateActCtxW` `SetEvent` `CreateEventW` `GetModuleHandleW` `HeapSetInformation` `TlsSetValue` `DuplicateHandle` `GetCurrentProcess` `OpenProcess` `LoadLibraryExW` `DeleteCriticalSection` `EnterCriticalSection` `GetProcessHeap` `HeapFree` `SetThreadpoolTimer` `InitializeCriticalSectionAndSpinCount` `UnhandledExceptionFilter` `TerminateProcess` `GetSystemTimeAsFileTime` `GetCurrentThreadId` `GetTickCount` `QueryPerformanceCounter` `SetUnhandledExceptionFilter` `CloseHandle` `GetSystemTime` `LeaveCriticalSection` `GetFullPathNameW`
USER32.dll	`PostMessageW`
msvcrt.dll	`_onexit` `__CxxFrameHandler3` `?terminate@@YAXXZ` `_purecall` `_lock` `__dllonexit` `_unlock` `__set_app_type` `_fmode` `_commode` `__setusermatherr` `_amsg_exit` `_initterm` `exit` `_cexit` `_exit` `_XcptFilter` `__wgetmainargs` `memcpy` `_wtol` `__C_specific_handler` `_wcsicmp` `??3@YAXPEAX@Z` `memset` `??2@YAPEAX_K@Z` `_vsnwprintf` `sqrt`
WINSPOOL.DRV	`OpenPrinterW` `ClosePrinter` `GetPrinterDriverW` `GetPrinterDataW`
RPCRT4.dll	`RpcImpersonateClient` `RpcRevertToSelf` `RpcMgmtStopServerListening` `RpcServerUseProtseqEpW` `RpcServerRegisterIf2` `RpcServerInqBindings` `RpcBindingVectorFree` `RpcServerRegisterAuthInfoW` `NdrServerCallAll` `NdrServerCall2` `RpcServerListen`
ntdll.dll	`RtlCaptureContext` `RtlLookupFunctionEntry` `RtlVirtualUnwind` `NtAcceptConnectPort` `NtCompleteConnectPort` `NtReplyPort` `NtClose` `NtAlpcOpenSenderThread` `RtlInitUnicodeString` `NtCreatePort` `NtReplyWaitReceivePort` `TpAllocAlpcCompletion` `TpWaitForWork` `TpAllocWait` `TpStartAsyncIoOperation` `TpWaitForWait` `TpReleasePool` `TpWaitForAlpcCompletion` `TpSetTimer` `TpPostWork` `TpWaitForTimer` `TpReleaseWait` `RtlNtStatusToDosError` `TpCallbackMayRunLong` `TpReleaseWork` `TpReleaseAlpcCompletion` `TpSimpleTryPost` `TpWaitForIoCompletion` `TpSetWait` `TpReleaseTimer` `TpAllocWork` `TpAllocIoCompletion` `TpReleaseIoCompletion` `TpAllocTimer` `EtwTraceMessage` `EtwEventWrite` `EtwEventEnabled`

Delayed Imports

1

Type	`RT_VERSION`
Language	English - United States
Codepage	UNKNOWN
Size	`0x3c8`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.5415`
MD5	`3c88e6a8a457e52dc908ccdc127330cc`
SHA1	`2be294f11948fb989d970576c67188ccf6a94a36`
SHA256	`6837aa6fa6be6f60d49fdc56ee5424e4b5903918107b117e2b759df417d95401`
SHA3	`5d1557670e8a2330c81f02a49bd0407e26eaa4ff4c8c985b4bd001025b0b482c`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	6.1.7601.17777
ProductVersion	6.1.7601.17777
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
CompanyName	Microsoft Corporation
FileDescription	Print driver host for 32bit applications
FileVersion (#2)	6.1.7601.17777 (win7sp1_gdr.120210-1503)
InternalName	splwow64.exe
LegalCopyright	© Microsoft Corporation. All rights reserved.
OriginalFilename	splwow64.exe
ProductName	Microsoft® Windows® Operating System
ProductVersion (#2)	6.1.7601.17777

Resource LangID	English - United States

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2012-Feb-11 05:26:22
Version	`0.0`
SizeofData	`37`
AddressOfRawData	`0x3ca8`
PointerToRawData	`0x30a8`
Referenced File	splwow64.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x6d452bba`
Unmarked objects	`0`
138 (VS2008 SP1 build 30729)	`13`
ASM objects (VS2008 SP1 build 30729)	`1`
Imports (VS2008 SP1 build 30729)	`17`
Total imports	`169`
C objects (VS2008 SP1 build 30729)	`19`
C++ objects (VS2008 SP1 build 30729)	`18`
Linker (VS2008 SP1 build 30729)	`1`
Resource objects (VS2008 SP1 build 30729)	`1`

127aa81343a7c6f665c22cb1293b0a90

Summary

Plugin Output

Hashes

DOS Header

PE Header

Image Optional Header

.text

.data

.pdata

.rsrc

.reloc

Imports

Delayed Imports

1

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

TLS Callbacks

Load Configuration

RICH Header

Errors