SndVol.exe

  • File Path: C:\Windows\SysWOW64\SndVol.exe
  • Description: Volume Mixer


Hashes

| Type   | Hash |
|--------|------|
| MD5    | 5AC83D3D18F9B6E1C5B78BD712661524 |
| SHA1   | 9EE22C8038E47A4935AEAC113D3F2EE6F03A22C4 |
| SHA256 | D68DDC4BE84705357288BA972939AA9AA5F95537EBC059C3FF3CCAAE11638FCA |
| SHA384 | E2E2C2F1D430A57C11AAD6E919BE227651330C83AF0882E8320C0E449E4E6C7B7EAB76A75A09268EE602B454394812CC |
| SHA512 | 2FC37B27836A4F0A4C61A5CD976E7452120585B86A615CCE25108737337A9A02B73CC68C92B26FBB89A5CADBF3033AD0B6355CC5B7094F18318E3DBEA1B84082 |
| SSDEEP | 3072:OG+DApDba4ZyOS+rab0xnrMgYZjuLmsJIOO98ElJ/0hkaqjbEyB7HbIk2A:O4alzbyrPYZjuL+/uTy10Y |
| IMP    | 5F3F3778A963E0C44DCFB0F587F80B8A |
| PESHA1 | 9E9CA20D176AC1B5657DAF5F9A060F9A36884FB6 |
| PE256  | 3082368AB8DED1542053814BDCC69A84D1964AD72BD707B4A73BCD994B6FCAD2 |

Runtime Data

Window Title:

Volume Mixer - Remote Audio

Open Handles:

| Path | Type |
|------|------|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\wdmaud.drv.mui | File |
| (R-D) C:\Windows\SysWOW64\en-US\sndvol.exe.mui | File |
| (R-D) C:\Windows\SysWOW64\en-US\user32.dll.mui | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows | File |
| (RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984 | File |
| (RW-) C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.1320_none_d94e4effe1070d4b | File |
| \BaseNamedObjects__ComCatalogCache__ | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\1\Windows\Theme449731986 | Section |
| \Windows\Theme1396518710 | Section |

Loaded Modules:

| Path |
|------|
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
| C:\Windows\SysWOW64\SndVol.exe |

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: SndVol.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/d68ddc4be84705357288ba972939aa9aa5f95537ebc059c3ff3ccaae11638fca/detection

File Similarity (ssdeep match)

| File | Score |
|------|-------|
| C:\Windows\system32\SndVol.exe | 32 |
| C:\WINDOWS\system32\SndVol.exe | 33 |
| C:\windows\system32\SndVol.exe | 36 |
| C:\WINDOWS\SysWOW64\SndVol.exe | 29 |
| C:\Windows\SysWOW64\SndVol.exe | 30 |
| C:\WINDOWS\SysWOW64\SndVol.exe | 27 |
| C:\Windows\SysWOW64\SndVol.exe | 41 |
| C:\windows\SysWOW64\SndVol.exe | 30 |
| C:\Windows\SysWOW64\SndVol.exe | 29 |

Possible Misuse

The following table contains possible examples of SndVol.exe being misused. While SndVol.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| signature-base | thor_inverse_matches.yar | description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file SndVol.exe" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | filename == "sndvol.exe" | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.