SndVol.exe

  • File Path: C:\WINDOWS\SysWOW64\SndVol.exe
  • Description: Volume Mixer

Runtime Data

Window Title:

Volume Mixer - Remote Audio

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\wdmaud.drv.mui File
(R-D) C:\Windows\SysWOW64\en-US\sndvol.exe.mui File
(R-D) C:\Windows\SysWOW64\en-US\user32.dll.mui File
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_e541a94fcce8ed6d File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.22000.282_none_162e9dd7277998f6 File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\SndVol.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: SndVol.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/9ed12dd2bf49002b916dfbe71a234f6d5a8f186113911dd70dc1bce0bcba12a3/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\SndVol.exe 29
C:\WINDOWS\system32\SndVol.exe 27
C:\windows\system32\SndVol.exe 36
C:\Windows\SysWOW64\SndVol.exe 32
C:\Windows\SysWOW64\SndVol.exe 29
C:\WINDOWS\SysWOW64\SndVol.exe 30
C:\Windows\SysWOW64\SndVol.exe 27
C:\windows\SysWOW64\SndVol.exe 35
C:\Windows\SysWOW64\SndVol.exe 30

Possible Misuse

The following table contains possible examples of SndVol.exe being misused. While SndVol.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
signature-base | thor_inverse_matches.yar | description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file SndVol.exe" | CC BY-NC 4.0
signature-base | thor_inverse_matches.yar | filename == "sndvol.exe" | CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.