xwizard.exe

  • File Path: C:\Windows\SysWOW64\xwizard.exe
  • Description: Extensible Wizards Host Process

Hashes

Type Hash
MD5 8581F29C5F84B72C053DBCC5372C5DB6
SHA1 64F9D0C258B0FD6CA49EDB722EF4270815DFB8E9
SHA256 03B63FD1AB52129733F576554DE9540D3F5E224405837A3D1ADF5C0A68B1D21B
SHA384 1B99DBC384329776F2427C706C092B1C103DBDB8DF164517237A755D2A681E757639AE830DFE474FF591B51F1569B69E
SHA512 774B6BD85E12AA3369A6830D806359D9CE8E9E1AC990144C57D1A9C6EF9D67B8A9640831A44185CFAF6915E82FAA29F1ED70354657C592C4234B86ACA58417F1
SSDEEP 1536:B//0VR2zUoK4VD2WTVcURDoq4OZZZLlCIib4:R/0VR2fVD2GV9RD68wb
IMP 878B18532266618387DC445E265148DD
PESHA1 380E347103DBD0406DED2C25BA90004F41BC6AB1
PE256 381A68D61EC4E48CEB7DE8B2F714B08398EE0209F25182241B09CD3A6B0C6C4A

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\SysWOW64\en-US\xwizard.exe.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\xwizard.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: xwizard.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/03b63fd1ab52129733f576554de9540d3f5e224405837a3d1adf5c0a68b1d21b/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ComputerDefaults.exe 50
C:\WINDOWS\system32\ComputerDefaults.exe 46
C:\WINDOWS\system32\ComputerDefaults.exe 49
C:\Windows\system32\ComputerDefaults.exe 50
C:\windows\system32\ComputerDefaults.exe 61
C:\Windows\system32\ComputerDefaults.exe 46
C:\Windows\system32\xwizard.exe 47
C:\windows\system32\xwizard.exe 54
C:\Windows\system32\xwizard.exe 47
C:\WINDOWS\system32\xwizard.exe 47
C:\WINDOWS\system32\xwizard.exe 52
C:\Windows\system32\xwizard.exe 50
C:\windows\SysWOW64\ComputerDefaults.exe 60
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 49
C:\Windows\SysWOW64\ComputerDefaults.exe 61
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 43
C:\Windows\SysWOW64\ComputerDefaults.exe 50
C:\Windows\SysWOW64\ComputerDefaults.exe 46
C:\WINDOWS\SysWOW64\xwizard.exe 60
C:\Windows\SysWOW64\xwizard.exe 61
C:\Windows\SysWOW64\xwizard.exe 58
C:\windows\SysWOW64\xwizard.exe 57
C:\WINDOWS\SysWOW64\xwizard.exe 57

Possible Misuse

The following table contains possible examples of xwizard.exe being misused. While xwizard.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_class_exec_xwizard.yml title: Custom Class Execution via Xwizard DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties. DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml Image|endswith: '\xwizard.exe' DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml title: Xwizard DLL Sideloading DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml description: Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml Image|endswith: '\xwizard.exe' DRL 1.0
LOLBAS Xwizard.yml Name: Xwizard.exe
LOLBAS Xwizard.yml - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry.
LOLBAS Xwizard.yml - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.
LOLBAS Xwizard.yml - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
LOLBAS Xwizard.yml Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.
LOLBAS Xwizard.yml - Path: C:\Windows\System32\xwizard.exe
LOLBAS Xwizard.yml - Path: C:\Windows\SysWOW64\xwizard.exe

MIT License. Copyright (c) 2020-2021 Strontic.