| Field | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_AMD64 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 2012-Feb-11 05:26:22 |
| Detected languages | English - United States |
| Debug artifacts | splwow64.pdb |
| CompanyName | Microsoft Corporation |
| FileDescription | Print driver host for 32bit applications |
| FileVersion | 6.1.7601.17777 (win7sp1_gdr.120210-1503) |
| InternalName | splwow64.exe |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | splwow64.exe |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion | 6.1.7601.17777 |

| Level | Finding | Detail |
|---|---|---|
| Malicious | The PE contains functions mostly used by malware. | [!] The program may be hiding some of its imports: |
| Info | No VirusTotal score. | A scan of the file is currently queued. |

| DOS header field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xe0 |

| File header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_AMD64 |
| NumberofSections | 5 |
| TimeDateStamp | 2012-Feb-11 05:26:22 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xf0 |
| Characteristics | IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE |

| Optional header field | Value |
|---|---|
| Magic | PE32+ |
| LinkerVersion | 9.1 |
| SizeOfCode | 0xe600 |
| SizeOfInitializedData | 0x2200 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x000000000000D1E4 (Section: .text) |
| BaseOfCode | 0x1000 |
| ImageBase | 0x100000000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 6.1 |
| ImageVersion | 6.1 |
| SubsystemVersion | 6.1 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x14000 |
| SizeOfHeaders | 0x400 |
| Checksum | 0x1aff0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| DllCharacteristics | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT, IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE |
| SizeofStackReserve | 0x80000 |
| SizeofStackCommit | 0x2000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |

| Imported DLL | Imported functions |
|---|---|
| ADVAPI32.dll | TraceMessage, GetTokenInformation, OpenThreadToken, RegCloseKey, RegQueryValueExW, RegOpenKeyW, GetTraceEnableFlags, GetTraceEnableLevel, GetTraceLoggerHandle, RegisterTraceGuidsW, UnregisterTraceGuids, ConvertStringSecurityDescriptorToSecurityDescriptorW, RevertToSelf, GetSidSubAuthorityCount, ConvertSidToStringSidW, OpenProcessToken, GetSidSubAuthority |
| KERNEL32.dll | GetCurrentThread, CreateThread, FreeLibrary, GetProcAddress, LoadLibraryW, ReleaseActCtx, DeactivateActCtx, TlsAlloc, TlsFree, ProcessIdToSessionId, InitializeCriticalSection, GetCurrentProcessId, LocalFree, SystemTimeToFileTime, Sleep, GetFileAttributesW, GetSystemDirectoryW, GetLastError, WaitForSingleObject, SetLastError, ActivateActCtx, CreateActCtxW, SetEvent, CreateEventW, GetModuleHandleW, HeapSetInformation, TlsSetValue, DuplicateHandle, GetCurrentProcess, OpenProcess, LoadLibraryExW, DeleteCriticalSection, EnterCriticalSection, GetProcessHeap, HeapFree, SetThreadpoolTimer, InitializeCriticalSectionAndSpinCount, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, SetUnhandledExceptionFilter, CloseHandle, GetSystemTime, LeaveCriticalSection, GetFullPathNameW |
| USER32.dll | PostMessageW |
| msvcrt.dll | _onexit, __CxxFrameHandler3, ?terminate@@YAXXZ, _purecall, _lock, __dllonexit, _unlock, __set_app_type, _fmode, _commode, __setusermatherr, _amsg_exit, _initterm, exit, _cexit, _exit, _XcptFilter, __wgetmainargs, memcpy, _wtol, __C_specific_handler, _wcsicmp, ??3@YAXPEAX@Z, memset, ??2@YAPEAX_K@Z, _vsnwprintf, sqrt |
| WINSPOOL.DRV | OpenPrinterW, ClosePrinter, GetPrinterDriverW, GetPrinterDataW |
| RPCRT4.dll | RpcImpersonateClient, RpcRevertToSelf, RpcMgmtStopServerListening, RpcServerUseProtseqEpW, RpcServerRegisterIf2, RpcServerInqBindings, RpcBindingVectorFree, RpcServerRegisterAuthInfoW, NdrServerCallAll, NdrServerCall2, RpcServerListen |
| ntdll.dll | RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, NtAcceptConnectPort, NtCompleteConnectPort, NtReplyPort, NtClose, NtAlpcOpenSenderThread, RtlInitUnicodeString, NtCreatePort, NtReplyWaitReceivePort, TpAllocAlpcCompletion, TpWaitForWork, TpAllocWait, TpStartAsyncIoOperation, TpWaitForWait, TpReleasePool, TpWaitForAlpcCompletion, TpSetTimer, TpPostWork, TpWaitForTimer, TpReleaseWait, RtlNtStatusToDosError, TpCallbackMayRunLong, TpReleaseWork, TpReleaseAlpcCompletion, TpSimpleTryPost, TpWaitForIoCompletion, TpSetWait, TpReleaseTimer, TpAllocWork, TpAllocIoCompletion, TpReleaseIoCompletion, TpAllocTimer, EtwTraceMessage, EtwEventWrite, EtwEventEnabled |

| Version info field | Value |
|---|---|
| Signature | 0xfeef04bd |
| StructVersion | 0x10000 |
| FileVersion | 6.1.7601.17777 |
| ProductVersion | 6.1.7601.17777 |
| FileFlags | (EMPTY) |
| FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
| FileType | VFT_APP |
| Language | English - United States |
| CompanyName | Microsoft Corporation |
| FileDescription | Print driver host for 32bit applications |
| FileVersion (#2) | 6.1.7601.17777 (win7sp1_gdr.120210-1503) |
| InternalName | splwow64.exe |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| OriginalFilename | splwow64.exe |
| ProductName | Microsoft® Windows® Operating System |
| ProductVersion (#2) | 6.1.7601.17777 |

| Resource field | Value |
|---|---|
| Resource LangID | English - United States |

| Debug directory field | Value |
|---|---|
| Characteristics | 0 |
| TimeDateStamp | 2012-Feb-11 05:26:22 |
| Version | 0.0 |
| SizeofData | 37 |
| AddressOfRawData | 0x3ca8 |
| PointerToRawData | 0x30a8 |
| Referenced File | splwow64.pdb |

| Rich header entry | Value |
|---|---|
| XOR Key | 0x6d452bba |
| Unmarked objects | 0 |
| 138 (VS2008 SP1 build 30729) | 13 |
| ASM objects (VS2008 SP1 build 30729) | 1 |
| Imports (VS2008 SP1 build 30729) | 17 |
| Total imports | 169 |
| C objects (VS2008 SP1 build 30729) | 19 |
| C++ objects (VS2008 SP1 build 30729) | 18 |
| Linker (VS2008 SP1 build 30729) | 1 |
| Resource objects (VS2008 SP1 build 30729) | 1 |