credwiz.exe

  • File Path: C:\Windows\SysWOW64\credwiz.exe
  • Description: Credential Backup and Restore Wizard

Hashes

Type Hash
MD5 411DF674BB6196FE4E704F4B180627E8
SHA1 50D94C8BFD13DCD42EE7B220221E9896DB8540BB
SHA256 C3BF35B99F90D420B879F5F7BBEA8B39AD265865EE7538A72FD147F8A900F1C7
SHA384 94AD32AC643661295E33849AEC80216406450B2FF51C062C988C9C85E50FCA12CFAEA22EC1B8A543FBF77405ADDC181F
SHA512 4CA7F7F7A31993309DFA73C1CD437AEF1D8D33BE71820E21EFD72CAF05192FA32388A4D6B01EBD222A23D7E2572CB84138D0EF7272BC2D5E6183EF1CE7156A9B
SSDEEP 384:iuFGSBYIHFxYE6ZU6b76jbIq4Fol2i0o9ekmtbekrKfUopOyERZ8GzWC5WUNuTly:/1YIGLujbIDFj1NFJ0D8ZHJuTlHE1
IMP 7811C1109D45B9069E28DFEE0C0F979D
PESHA1 AEF80F08613261ED43DEA14934A66620725C24EC
PE256 8D345A7E8F0A772506C159894253B67A3B6AA412CB846E3A16DF0B6F226EB72D

Runtime Data

Window Title:

Stored User Names and Passwords

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\credwiz.exe.mui File
(R-D) C:\Windows\System32\en-US\imageres.dll.mui File
(R-D) C:\Windows\SysWOW64\en-US\oleaccrc.dll.mui File
(R-D) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_3c26ab8c9470805a\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_3c26ab8c9470805a File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_261b62a767ca4e6d File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\credwiz.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: credwiz.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/c3bf35b99f90d420b879f5f7bbea8b39ad265865ee7538a72fd147f8a900f1c7/detection/

Possible Misuse

The following table contains possible examples of credwiz.exe being misused. While credwiz.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
malware-ioc | badiis.yar | $s8 = "C:\\Windows\\System32\\credwiz.exe" ascii wide | © ESET 2014-2018

MIT License. Copyright (c) 2020-2021 Strontic.