11.1 Analyzing a 32-bit Executable on 64-bit Windows

64-bit Windows can run 32-bit executables; to make that possible, Microsoft built a compatibility layer called WOW64 (Windows 32-bit on Windows 64-bit), which allows 32-bit binaries to execute on 64-bit Windows. When an executable runs, it needs to load DLLs to call the API functions it uses to interact with the system. A 32-bit process cannot load 64-bit DLLs (and a 64-bit process cannot load 32-bit DLLs), so Microsoft ships separate copies of the system DLLs for each architecture. Counterintuitively, the 64-bit binaries are stored in the Windows\System32 directory, and the 32-bit binaries are stored in the Windows\SysWOW64 directory.

A 32-bit application running under WOW64 on 64-bit Windows can behave differently from how it behaves on native 32-bit Windows. When you analyze 32-bit malware on 64-bit Windows and see it access the System32 directory, it is really accessing the SysWOW64 directory: the operating system's file system redirector transparently redirects the request. If 32-bit malware (executed on 64-bit Windows) writes a file to the Windows\System32 directory, you need to look for that file in the Windows\SysWOW64 directory. Similarly, access to %windir%\regedit.exe is redirected to %windir%\SysWOW64\regedit.exe. The registry is redirected in the same way; for example, a 32-bit process that writes under HKLM\SOFTWARE actually writes under HKLM\SOFTWARE\Wow6432Node. Keep in mind that the redirection is not absolute: a few System32 subdirectories (such as drivers\etc) are exempt, and a 32-bit process can deliberately reach the real 64-bit System32 through the %windir%\Sysnative alias or by calling Wow64DisableWow64FsRedirection, so a sample that appears to touch System32 may genuinely be doing so. These differences can create confusion during analysis, so it is essential to understand them; to avoid the confusion altogether, it is better to analyze a 32-bit binary in a 32-bit Windows environment.
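The redirection rules above can be turned into a small lookup that translates the paths reported in a 32-bit sample's API trace into the locations the files actually land in. The following Python script is an added example, not code from the book or from Microsoft: it models the file system redirector for %windir%\System32 (including the regedit.exe and Sysnative special cases, plus the exempt subdirectories, whose list is assumed from Microsoft's File System Redirector documentation and should be verified against the target build) and, when run on Windows, asks the kernel through IsWow64Process whether the interpreter itself is a WOW64 process. The trace lines are constructed for the example.

```python
"""Model WOW64 file-system redirection for paths seen in a 32-bit sample's API trace.

Added example for illustration; not the book's code. The exempt-subdirectory list
is assumed from Microsoft's File System Redirector documentation.
"""
import ctypes
import ntpath
import sys

WINDIR = r"C:\Windows"

# System32 subdirectories the redirector leaves alone (assumed list; verify per build).
EXEMPT_SUBDIRS = ("catroot", "catroot2", "driverstore", r"drivers\etc", "logfiles", "spool")


def _parts(path):
    """Normalise a Windows path (also accepts '/') and split it into components."""
    return ntpath.normpath(path).split("\\")


def redirected_path(path, is_wow64=True, windir=WINDIR):
    """Return the path a process really touches.

    A native 32-bit or 64-bit process (is_wow64=False) sees the path unchanged.
    A WOW64 process has %windir%\\System32 redirected to %windir%\\SysWOW64,
    %windir%\\regedit.exe redirected to %windir%\\SysWOW64\\regedit.exe, and the
    virtual %windir%\\Sysnative alias mapped back to the real 64-bit System32.
    """
    parts = _parts(path)
    if not is_wow64:
        return "\\".join(parts)
    wparts = _parts(windir)
    n = len(wparts)
    if [p.lower() for p in parts[:n]] != [p.lower() for p in wparts]:
        return "\\".join(parts)                     # outside %windir%: untouched
    rest = parts[n:]
    head = [p.lower() for p in rest]
    if head and head[0] == "sysnative":             # explicit escape hatch to real System32
        return "\\".join(wparts + ["System32"] + rest[1:])
    if head == ["regedit.exe"]:
        return "\\".join(wparts + ["SysWOW64", "regedit.exe"])
    if head and head[0] == "system32":
        sub = "\\".join(head[1:])
        if any(sub == ex or sub.startswith(ex + "\\") for ex in EXEMPT_SUBDIRS):
            return "\\".join(parts)                 # exempt subdirectory: not redirected
        return "\\".join(wparts + ["SysWOW64"] + rest[1:])
    return "\\".join(parts)


def running_under_wow64():
    """True if this process is a WOW64 process, False if native, None off Windows.

    Uses kernel32!IsWow64Process, the same check a sample can perform on itself.
    """
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    flag = ctypes.c_int(0)
    if not k32.IsWow64Process(k32.GetCurrentProcess(), ctypes.byref(flag)):
        raise ctypes.WinError()
    return bool(flag.value)


# Constructed sample: paths as a 32-bit sample's API trace might report them.
TRACE = [
    r"C:\Windows\System32\drivers\evil.sys",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Windows\regedit.exe",
    r"C:\Windows\Sysnative\cmd.exe",
    r"C:\Users\Public\payload.dll",
]


def translate_trace(lines, is_wow64=True):
    """Pair each reported path with the location it really resolves to."""
    return [(p, redirected_path(p, is_wow64)) for p in lines]


if __name__ == "__main__":
    wow = running_under_wow64()
    print({True: "WOW64 process", False: "native process",
           None: "not on Windows; modelling a WOW64 process"}[wow])
    for reported, actual in translate_trace(TRACE, wow is not False):
        marker = "  (redirected)" if actual.lower() != reported.lower() else ""
        print(f"{reported} -> {actual}{marker}")
```

Run it on the analysis VM: under 64-bit Windows with a 32-bit Python it reports a WOW64 process, and the translated paths are where to look for dropped files; on native 32-bit Windows every path comes back unchanged, which is the simpler situation the text recommends.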

To get an idea of how the WOW64 subsystem can affect your analysis, refer to The WOW-Effect by Christian Wojner (http://www.cert.at/static/downloads/papers/cert.at-the_wow_effect.pdf).