credwiz.exe

  • File Path: C:\Windows\SysWOW64\credwiz.exe
  • Description: Credential Backup and Restore Wizard

Screenshot: credwiz.exe (image not reproduced in this text version)

Hashes

Type     Hash
MD5      9B726550E4C82BBEB045150E75FEE720
SHA1     E42D4D119E7ED4104F89E9242439003328320540
SHA256   2156279EAC34CC622F755766DE61090290FF8B0960EBB46B03038AE321B3566D
SHA384   C741910F4F9D932244AA155C0B596B59218100B2DDEFFF772EAFDA72FE8D873C186022B3F3565805CBC5A8A29E94D283
SHA512   BC919B76D0DC34AF5156D170BCDC80D46218810D144FCCEBA7ACDF0AA6069C9B66569750CDD2DEDC4B503A0A823C57CEB169F0441E552161900E6E7601EFB3C9
SSDEEP   384:yuFGSBYpI5xk2SJUkU3ij/PofixfO/gJ+N+4sV6Vey6Yr9jKmZzPzWN5WrNuimn:v1YbKyj/P4InJBjk6A9j1Zbe5/n
IMP      7811C1109D45B9069E28DFEE0C0F979D
PESHA1   36778A1FD289AB857D4C9C85FF0C1C10D2AC5609
PE256    C367306613F22705BD7CE15809FC5716829AE1451DAAFC4DE869145329D043DC

Runtime Data

Window Title:

Stored User Names and Passwords

Open Handles:

Access  Path                                                                                                                              Type
(R-D)   C:\Windows\Fonts\StaticCache.dat                                                                                                  File
(R-D)   C:\Windows\System32\en-US\credwiz.exe.mui                                                                                         File
(R-D)   C:\Windows\System32\en-US\oleaccrc.dll.mui                                                                                        File
(R-D)   C:\Windows\SystemResources\imageres.dll.mun                                                                                       File
(R-D)   C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_130e63d987a738df\comctl32.dll.mui  File
(RW-)   C:\Users\user                                                                                                                     File
(RW-)   C:\Windows                                                                                                                        File
(RW-)   C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_130e63d987a738df                File
(RW-)   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627                      File
        \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db      Section
        \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db      Section
        \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2                                                             Section
        \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0                                                                                       Section
        \BaseNamedObjects\NLS_CodePage_437_3_2_0_0                                                                                        Section
        \Sessions\1\Windows\Theme1175649999                                                                                               Section
        \Windows\Theme601709542                                                                                                           Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\credwiz.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: credwiz.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/2156279eac34cc622f755766de61090290ff8b0960ebb46b03038ae321b3566d/detection

Possible Misuse

The following table lists known examples of credwiz.exe being referenced in malware detection rules. credwiz.exe is not inherently malicious, but its legitimate functionality can be abused, so its presence in an unexpected context is worth investigating.

Source       Source File   Example                                                     License
malware-ioc  badiis.yar    $s8 = "C:\\Windows\\System32\\credwiz.exe" ascii wide      © ESET 2014-2018

MIT License. Copyright (c) 2020-2021 Strontic.