diff --git a/LOLBins.md b/LOLBins.md index 6b323f4..83409bf 100644 --- a/LOLBins.md +++ b/LOLBins.md @@ -37,6 +37,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge [Netsh.exe](OSBinaries/Netsh.md) [Nltest.exe](OSBinaries/Nltest.md) [Odbcconf.exe](OSBinaries/Odbcconf.md) +[Openwith.exe](OSBinaries/Openwith.md) [Pcalua.exe](OSBinaries/Pcalua.md) [Pcwrun.exe](OSBinaries/Pcwrun.md) [Powershell.exe](OSBinaries/Powershell.md) diff --git a/OSBinaries/Msdt.md b/OSBinaries/Msdt.md index b1ae961..7bb030b 100644 --- a/OSBinaries/Msdt.md +++ b/OSBinaries/Msdt.md @@ -3,18 +3,21 @@ * Functions: Execute ``` -Open .diagcab package +Open .diagcab package + +msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE ``` Acknowledgements: -* ? +*Matt harr0ey - @harr0ey Code sample: -* +* https://gist.github.com/homjxi0e/3f35212db81b9375b7906031a40c6d87 Resources: * https://cybersyndicates.com/2015/10/a-no-bull-guide-to-malicious-windows-trouble-shooting-packs-and-application-whitelist-bypass/ * https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/ +* https://twitter.com/harr0ey/status/991338229952598016 Full path: diff --git a/OSBinaries/Openwith.md b/OSBinaries/Openwith.md new file mode 100644 index 0000000..9800d69 --- /dev/null +++ b/OSBinaries/Openwith.md @@ -0,0 +1,31 @@ +## Openwith.exe + +* Functions: Execute + +``` +OpenWith.exe /c C:\test.hta + +OpenWith.exe /c C:\testing.msi +``` + +Acknowledgements: +* Matt harr0ey - @harr0ey + +Code sample: +* + +Resources: +* https://twitter.com/harr0ey/status/991670870384021504 + +Full path: +``` +c:\windows\system32\Openwith.exe +c:\windows\sysWOW64\Openwith.exe +``` + +Notes: + + +Detection: + + diff --git a/OSBinaries/Xwizard.md b/OSBinaries/Xwizard.md index 1d9090a..467bf54 100644 --- a/OSBinaries/Xwizard.md +++ b/OSBinaries/Xwizard.md 
@@ -1,19 +1,24 @@ ## Xwizard.exe -* Functions: DLL hijack +* Functions: DLL hijack, Execute ``` -xwizard.exe +xwizard.exe + +xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC} ``` Acknowledgements: * Adam - @Hexacorn +* Nick Tyrer - @nicktyrer Code sample: -* +* https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 Resources: * http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/ +* https://www.youtube.com/watch?v=LwDHX7DVHWU +* https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 Full path: ``` @@ -22,9 +27,13 @@ c:\windows\sysWOW32\xwizard.exe ``` Notes: -Need to copy out xwizard.exe to a user controlled folder. +DLL hijack/Sideloading needs to copy out xwizard.exe to a user controlled folder. If you add your own version of xwizard.dll it will execute when you start xwizard.exe. +Xwizard RunWizard requires you to import registry keys that points to external SCT file. + + +
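Review bot: In OSBinaries/Msdt.md the new acknowledgement bullet `*Matt harr0ey - @harr0ey` is missing the space after the asterisk, so it will not render as a list item like the surrounding `* ` bullets; change it to `* Matt harr0ey - @harr0ey`, the form the new Openwith.md already uses. The added command `msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\PCW8E57.xml /skip TRUE` introduces an answer file `C:\PCW8E57.xml` that nothing in the entry explains; the Notes section should say what that answer file has to contain for the PCW troubleshooter to run the target, otherwise the reader has to reverse it from the linked gist. The `-Open .diagcab package` / `+Open .diagcab package` pair at the top of the hunk is a whitespace-only change (the visible text is identical); harmless, but worth dropping so the diff shows only real edits.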
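Review bot: The new OSBinaries/Openwith.md ships with empty `Code sample:`, `Notes:` and `Detection:` sections, and the two command lines `OpenWith.exe /c C:\test.hta` and `OpenWith.exe /c C:\testing.msi` never say what `/c` does or what happens when the argument is a .hta or .msi, which is exactly what a defender needs before writing a rule. Please fill Notes with the observable behaviour and put at least a process-creation command-line pattern (openwith.exe with `/c` and a non-document extension) under Detection; either populate the lone `*` under Code sample or remove it. Casing is also inconsistent within the file: the heading, file name and Full path use `Openwith.exe` while the examples use `OpenWith.exe`; pick one so searches across the repo match.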
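Review bot: In OSBinaries/Xwizard.md the added Notes line `Xwizard RunWizard requires you to import registry keys that points to external SCT file.` has a number-agreement error (`keys that point`) and, more importantly, does not say which key is imported or how it relates to the GUID in `xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}`; state the registry path the GUID is registered under and that the GUID on the command line must match the imported key, since the gist is currently the only place that information lives. The gist URL `https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5` is now listed under both Code sample and Resources; keep it in one place. Minor points: the new execute line drops the `.exe` suffix that the line above it uses, the hunk appends three empty lines at end of file, and the unchanged Full path context `c:\windows\sysWOW32\xwizard.exe` looks like a typo for `sysWOW64`, which is what the new Openwith.md uses (`c:\windows\sysWOW64\Openwith.exe`); fixing it here would be a cheap drive-by.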