changepk.exe

File Path: C:\windows\system32\changepk.exe
Description: Change Product Key

Screenshot

changepk.exe

Hashes

Type	Hash
MD5	`410263744BBC5538EAB0B3A065F97F3A`
SHA1	`ACFA549940045F5DD4056C5973F55254BEB24C95`
SHA256	`70FF5A0B20FCA4226451174C3C079BEF1CF9F35BDD776E20E846C08519D5671E`
SHA384	`5BCDA0765C0DF1108E6BB1B9AD77D19B785973E04707CFA2A60B266C211771EFA6956CD06EC4ECE685A1B39092BCB2E7`
SHA512	`7B1F60BBA9162F972274AC107445425311564F83D071D58CDCB9B52231C6AF38E4668B91FA794848C7CFF19AD237B6709A8ED55295E9FE5A3EAB8AC8D8C5A547`
SSDEEP	`1536:Na8cHHHHHHHHHHHHHHHANOHHCHHH0sav0pb5vTYjMS2nksl7Rz2MPxT5QR:qZv0nM+ksl7VJT5C`

Signature

Status: Signature verified.
Serial: 330000002418FC0B689E7399D0000000000024
Thumbprint: 812705D0EDDCE07C8A1DCCD9DC6E50C5E3D19219
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: changepkey.exe.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
Product Version: 6.3.9600.16384
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of changepk.exe being misused. While changepk.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_uac_bypass_changepk_slui.yml	`title: UAC Bypass Using ChangePK and SLUI`	DRL 1.0
sigma	proc_creation_win_uac_bypass_changepk_slui.yml	`description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)`	DRL 1.0
sigma	proc_creation_win_uac_bypass_changepk_slui.yml	`- https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b`	DRL 1.0
sigma	proc_creation_win_uac_bypass_changepk_slui.yml	`Image\\|endswith: '\changepk.exe'`	DRL 1.0
atomic-red-team	T1548.002.md	Target: \system32\slui.exe, \system32\changepk.exe	MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.