credwiz.exe
- File Path:
C:\Windows\SysWOW64\credwiz.exe - Description: Credential Backup and Restore Wizard
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 411DF674BB6196FE4E704F4B180627E8 |
| SHA1 | 50D94C8BFD13DCD42EE7B220221E9896DB8540BB |
| SHA256 | C3BF35B99F90D420B879F5F7BBEA8B39AD265865EE7538A72FD147F8A900F1C7 |
| SHA384 | 94AD32AC643661295E33849AEC80216406450B2FF51C062C988C9C85E50FCA12CFAEA22EC1B8A543FBF77405ADDC181F |
| SHA512 | 4CA7F7F7A31993309DFA73C1CD437AEF1D8D33BE71820E21EFD72CAF05192FA32388A4D6B01EBD222A23D7E2572CB84138D0EF7272BC2D5E6183EF1CE7156A9B |
| SSDEEP | 384:iuFGSBYIHFxYE6ZU6b76jbIq4Fol2i0o9ekmtbekrKfUopOyERZ8GzWC5WUNuTly:/1YIGLujbIDFj1NFJ0D8ZHJuTlHE1 |
| IMP | 7811C1109D45B9069E28DFEE0C0F979D |
| PESHA1 | AEF80F08613261ED43DEA14934A66620725C24EC |
| PE256 | 8D345A7E8F0A772506C159894253B67A3B6AA412CB846E3A16DF0B6F226EB72D |
Runtime Data
Window Title:
Stored User Names and Passwords
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\credwiz.exe.mui | File |
| (R-D) C:\Windows\System32\en-US\imageres.dll.mui | File |
| (R-D) C:\Windows\SysWOW64\en-US\oleaccrc.dll.mui | File |
| (R-D) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_3c26ab8c9470805a\comctl32.dll.mui | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows | File |
| (RW-) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_3c26ab8c9470805a | File |
| (RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_261b62a767ca4e6d | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\2\Windows\Theme2131664586 | Section |
| \Windows\Theme966197582 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
| C:\Windows\SysWOW64\credwiz.exe |
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4 - Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: credwiz.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/70
- VirusTotal Link: https://www.virustotal.com/gui/file/c3bf35b99f90d420b879f5f7bbea8b39ad265865ee7538a72fd147f8a900f1c7/detection/
Possible Misuse
The following table contains possible examples of credwiz.exe being misused. While credwiz.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| malware-ioc | badiis.yar | $s8 = "C:\\Windows\\System32\\credwiz.exe" ascii wide |
© ESET 2014-2018 |
MIT License. Copyright (c) 2020-2021 Strontic.