ComputerDefaults.exe

  • File Path: C:\Windows\system32\ComputerDefaults.exe
  • Description: Set Program Access and Computer Defaults Control Panel

Hashes

Type    Hash
MD5     D25A9E160E3B74EF2242023726F15416
SHA1    27A9BB9D7628D442F9B5CF47711C906E3315755B
SHA256  7B0334C329E40A542681BCAFF610AE58ADA8B1F77FF6477734C1B8B9A951EF4C
SHA384  3C7A69579ECD5A4953FEE1EBEC0C9C752D268153093A0008BDA114225B93A9F1C6651D8997E8D84CD38F895525D14C87
SHA512  BAFAEE786C90C96A2F76D4BBCDDBBF397A1AFD82D55999081727900F3C2DE8D2EBA6B77D25C622DE0C1E91C54259116BC37BC9F29471D1B387F78AAA4D276910
SSDEEP  1536:DayE7ffgaxRF71ry9vmt486MypQKURDoq4OZZZLlCIibz:Y3ganFp4NpqRD68wbz
IMP     00B74CCF8A4820BD574431AE64ECF0C5
PESHA1  9028D08B690C437B26F6124EE97FBA31C01FF907
PE256   11D8AC4CD8675361BE1C8A17A15F345C62C98C1C173D13EDC2396A6B3696BB57

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\system32\ComputerDefaults.exe
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ComputerDefaults.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/7b0334c329e40a542681bcaff610ae58ada8b1f77ff6477734c1b8b9a951ef4c/detection

File Similarity (ssdeep match)

File                                       Score
C:\Windows\system32\ComputerDefaults.exe   50
C:\WINDOWS\system32\ComputerDefaults.exe   49
C:\WINDOWS\system32\ComputerDefaults.exe   49
C:\Windows\system32\ComputerDefaults.exe   49
C:\windows\system32\ComputerDefaults.exe   54
C:\Windows\system32\xwizard.exe            44
C:\windows\system32\xwizard.exe            50
C:\Windows\system32\xwizard.exe            46
C:\WINDOWS\system32\xwizard.exe            43
C:\WINDOWS\system32\xwizard.exe            43
C:\Windows\system32\xwizard.exe            46
C:\windows\SysWOW64\ComputerDefaults.exe   55
C:\WINDOWS\SysWOW64\ComputerDefaults.exe   46
C:\Windows\SysWOW64\ComputerDefaults.exe   50
C:\WINDOWS\SysWOW64\ComputerDefaults.exe   40
C:\Windows\SysWOW64\ComputerDefaults.exe   50
C:\Windows\SysWOW64\ComputerDefaults.exe   46
C:\WINDOWS\SysWOW64\xwizard.exe            49
C:\Windows\SysWOW64\xwizard.exe            52
C:\Windows\SysWOW64\xwizard.exe            49
C:\windows\SysWOW64\xwizard.exe            47
C:\Windows\SysWOW64\xwizard.exe            46
C:\WINDOWS\SysWOW64\xwizard.exe            47

Possible Misuse

The following table contains possible examples of ComputerDefaults.exe being misused. While ComputerDefaults.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_uac_bypass_computerdefaults.yml | title: UAC Bypass Using ComputerDefaults | DRL 1.0
sigma | proc_creation_win_uac_bypass_computerdefaults.yml | description: Detects the pattern of UAC Bypass using computerdefaults.exe (UACMe 59) | DRL 1.0
sigma | proc_creation_win_uac_bypass_computerdefaults.yml | Image: 'C:\Windows\System32\ComputerDefaults.exe' | DRL 1.0
sigma | registry_event_shell_open_keys_manipulation.yml | description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62) | DRL 1.0
atomic-red-team | index.md | - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | - Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | ## Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 | MIT License. © 2018 Red Canary
atomic-red-team | T1548.002.md | Start-Process "C:\Windows\System32\ComputerDefaults.exe" | MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.