credwiz.exe
- File Path:
C:\WINDOWS\system32\credwiz.exe - Description: Credential Backup and Restore Wizard
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 17EE62A136D2EAAF0B09D05B9F2E3259 |
| SHA1 | 0C317D0D099898478E3ED61C8D9064F8C1412C0D |
| SHA256 | 191E5C8244E8B46C8A3394C05AA8D3F58596A62438F6481208B0FDBFDC0DF9C6 |
| SHA384 | 544D40942697AFC4FAE7977D05F3709C2BD56B586A2051D5BCE422B6ACDF8F76D425DEAC2392B2A95B1FD3F640D35313 |
| SHA512 | B5753002E41357FBFECF4A66A91BDC5CDAD22E3731A5B5F294B808C69EEA73504F7C38358A015FA8692C67C722F691E4E1D0CF2DA8BD39CF41F022EA432933C9 |
| SSDEEP | 768:A5thaDZCWEZ32Vno+T+JgxtbRtB5JIFDgEVbW7UzUmZjta:A5thaDZCWEF4GeT4gEVbW0UmZjt |
| IMP | 5C1347E346D7307E39B1CE7105402C7B |
| PESHA1 | 8877FE87A173AB0695724D9BFD0E0AC6411FE96B |
| PE256 | 2ECD5CB01E069733C292B0FF9A04661CB96FDCD873ACDA1DCA8F347A4138568B |
Runtime Data
Window Title:
Stored User Names and Passwords
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\credwiz.exe.mui | File |
| (R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui | File |
| (R-D) C:\Windows\SystemResources\imageres.dll.mun | File |
| (R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_6b887e04d8b70b4e\comctl32.dll.mui | File |
| (RW-) C:\Windows\System32 | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_6b887e04d8b70b4e | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\2\Windows\Theme1077709572 | Section |
| \Windows\Theme3461253685 | Section |
Loaded Modules:
| Path |
|---|
| C:\WINDOWS\System32\ADVAPI32.dll |
| C:\WINDOWS\system32\credwiz.exe |
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\System32\msvcrt.dll |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED - Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: credwiz.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/74
- VirusTotal Link: https://www.virustotal.com/gui/file/191e5c8244e8b46c8a3394c05aa8d3f58596a62438f6481208b0fdbfdc0df9c6/detection
Possible Misuse
The following table contains possible examples of credwiz.exe being misused. While credwiz.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| malware-ioc | badiis.yar | $s8 = "C:\\Windows\\System32\\credwiz.exe" ascii wide |
© ESET 2014-2018 |
MIT License. Copyright (c) 2020-2021 Strontic.