credwiz.exe
- File Path:
C:\Windows\system32\credwiz.exe - Description: Credential Backup and Restore Wizard
Screenshot
Hashes
| Type | Hash |
|---|---|
| MD5 | 5944AD75821F321AFEFCB8C027A5F00F |
| SHA1 | 437AB418743820189763E649C210458DD512248F |
| SHA256 | 6DDA8D8158BF23069B64014EEDB2C2B2AC8334E4F13DBF88D555F67DFEBDBABA |
| SHA384 | 790C7A6FCDA90DFBFB8437E00B687EC21D3CC32EF4E7C96643B8ED5AD00DD959EA10C9451C2B5DAE520DDCB172F6D698 |
| SHA512 | BA753D425509E95B4CDD79938A67117C20EA6D411AD48E847AD5817998ED72E0F6167522E43C4C0DE8A43802C16FAD439CF2126D93130C76B558744574BB570D |
| SSDEEP | 768:3zqDzcebdDCWpCn+BVhKR/jBWLNk0tA3kVMPnqtA3I6/KZnpu:DqUGDdBGR7BWL+0tA3kVMPqtA3fKZnp |
| IMP | 1DD00699999764F96356FE23CCDE82BD |
| PESHA1 | 5E80C0C07709C51FCD3BB48944AC5F0A68479A1E |
| PE256 | B1028388F07C4DFDA4576E694C0856B60BA6F5A603BE9A3DE41134A0715987C0 |
Runtime Data
Window Title:
Stored User Names and Passwords
Open Handles:
| Path | Type |
|---|---|
| (R-D) C:\Windows\Fonts\StaticCache.dat | File |
| (R-D) C:\Windows\System32\en-US\credwiz.exe.mui | File |
| (R-D) C:\Windows\System32\en-US\imageres.dll.mui | File |
| (R-D) C:\Windows\System32\en-US\oleaccrc.dll.mui | File |
| (R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_f47974b57ff45754\comctl32.dll.mui | File |
| (RW-) C:\Users\user | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_f47974b57ff45754 | File |
| (RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567 | File |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db | Section |
| \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro | Section |
| \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 | Section |
| \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 | Section |
| \Sessions\2\Windows\Theme2131664586 | Section |
| \Windows\Theme966197582 | Section |
Loaded Modules:
| Path |
|---|
| C:\Windows\System32\ADVAPI32.dll |
| C:\Windows\SYSTEM32\atlthunk.dll |
| C:\Windows\System32\bcryptPrimitives.dll |
| C:\Windows\System32\cfgmgr32.dll |
| C:\Windows\System32\combase.dll |
| C:\Windows\System32\COMDLG32.dll |
| C:\Windows\system32\credwiz.exe |
| C:\Windows\System32\CRYPT32.dll |
| C:\Windows\System32\cryptsp.dll |
| C:\Windows\system32\DUser.dll |
| C:\Windows\system32\dwmapi.dll |
| C:\Windows\System32\GDI32.dll |
| C:\Windows\System32\gdi32full.dll |
| C:\Windows\System32\IMM32.dll |
| C:\Windows\System32\kernel.appcore.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\System32\MSASN1.dll |
| C:\Windows\System32\MSCTF.dll |
| C:\Windows\system32\MsCtfMonitor.DLL |
| C:\Windows\system32\MSUTB.dll |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\system32\netutils.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\system32\OLEACC.dll |
| C:\Windows\System32\OLEAUT32.dll |
| C:\Windows\System32\powrprof.dll |
| C:\Windows\System32\profapi.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\system32\samcli.dll |
| C:\Windows\System32\sechost.dll |
| C:\Windows\System32\shcore.dll |
| C:\Windows\System32\SHELL32.dll |
| C:\Windows\System32\SHLWAPI.dll |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\System32\USER32.dll |
| C:\Windows\system32\uxtheme.dll |
| C:\Windows\System32\win32u.dll |
| C:\Windows\System32\windows.storage.dll |
| C:\Windows\system32\WindowsCodecs.dll |
| C:\Windows\system32\WINSTA.dll |
| C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567\COMCTL32.dll |
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4 - Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: credwiz.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/71
- VirusTotal Link: https://www.virustotal.com/gui/file/6dda8d8158bf23069b64014eedb2c2b2ac8334e4f13dbf88d555f67dfebdbaba/detection/
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\WINDOWS\system32\credwiz.exe | 58 |
Possible Misuse
The following table contains possible examples of credwiz.exe being misused. While credwiz.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| malware-ioc | badiis.yar | $s8 = "C:\\Windows\\System32\\credwiz.exe" ascii wide |
© ESET 2014-2018 |
MIT License. Copyright (c) 2020-2021 Strontic.