SndVol.exe

  • File Path: C:\Windows\SysWOW64\SndVol.exe
  • Description: Volume Mixer

Hashes

Type Hash
MD5 7D7D5466FCDCD28976A004B5B08864E3
SHA1 FD4BB675F7DE68865596BA61759FFB1BED8716F5
SHA256 F9555FD7F2A7CE9EE6B5CE664762D1292908AC4C04C0D28C8ECC25EDC26435FA
SHA384 67D17FB8BEA7BA50256C5749C670E7A154AD6B69D3A12A4F7959083EF2C6DD8C56EEF288F88303020D5E566DDBAF5C7A
SHA512 5446CDCB45C4F088A994626CE32198B8328AF9D574FBD707ED37E27E403AEF94C085878E085639D2FE269103E9FB69E93C4922A0A878D86A15BAAF7A6BD69840
SSDEEP 3072:isaDAe8badZ1CILnv2xx9Nuxe+juLmf5Y5eP0RflQ/e0vkgjbEyB7HbITGF:ima0U2dNke+juLYD/dWy10S
IMP 5F3F3778A963E0C44DCFB0F587F80B8A
PESHA1 BAA36452A6EEFCE52BA444C0996711CB5E68E1BE
PE256 A921F7472C784C96BDE0AAF6B422300398416C73D764C64CCA4CCB25142EC208

Runtime Data

Window Title:

Volume Mixer - Remote Audio

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\wdmaud.drv.mui File
(R-D) C:\Windows\SysWOW64\en-US\sndvol.exe.mui File
(R-D) C:\Windows\SysWOW64\en-US\user32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.685_none_4299dbb28a92ae3e File
\BaseNamedObjects\__ComCatalogCache__ Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\SndVol.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: SndVol.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/f9555fd7f2a7ce9ee6b5ce664762d1292908ac4c04c0d28c8ecc25edc26435fa/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\SndVol.exe 33
C:\WINDOWS\system32\SndVol.exe 30
C:\windows\system32\SndVol.exe 30
C:\WINDOWS\SysWOW64\SndVol.exe 27
C:\Windows\SysWOW64\SndVol.exe 30
C:\Windows\SysWOW64\SndVol.exe 41
C:\WINDOWS\SysWOW64\SndVol.exe 30
C:\windows\SysWOW64\SndVol.exe 30
C:\Windows\SysWOW64\SndVol.exe 24

Possible Misuse

The following table contains possible examples of SndVol.exe being misused. While SndVol.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| signature-base | thor_inverse_matches.yar | description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file SndVol.exe" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | filename == "sndvol.exe" | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.