changepk.exe

  • File Path: C:\WINDOWS\system32\changepk.exe
  • Description: Windows Activation

Hashes

| Type | Hash |
| --- | --- |
| MD5 | 4917CA1A1A28315E3E7711D4B3174128 |
| SHA1 | 1760176B668FFCFB325919ABA63AE06A1150B6B9 |
| SHA256 | D2BFC0DCE8C97309FE5D8B95E25A419A001422424E48CD8578C6ABCBCF99608C |
| SHA384 | 42C27E25A7CE5FD6B7907A0DF5FC7BFDBD98E00A3F9F3AB23C2F0F44FB24954571FFC15A6077BBFB6081B74ED426A030 |
| SHA512 | DFA5B78F896B1BCC9DAA6AB00DC604576F9588C852A4C6D38DB7EF5C4BCA99FC01CA3B681F31BC3DA15D74D59235C794029DDDB57431CBE43AE5C2F2E1338D71 |
| SSDEEP | 1536:VDep0Ef77YAmocVoyg1e1qpTBPvzj07j5Ufcc1PiL:WH7YAdQoyR1cBXK5Ufcc16L |

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: changepk.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

| File | Score |
| --- | --- |
| C:\WINDOWS\system32\changepk.exe | 35 |
| C:\Windows\system32\changepk.exe | 44 |
| C:\Windows\system32\changepk.exe | 44 |
| C:\Windows\system32\changepk.exe | 38 |

Possible Misuse

The following table contains possible examples of changepk.exe being misused. While changepk.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_uac_bypass_changepk_slui.yml | title: UAC Bypass Using ChangePK and SLUI | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_changepk_slui.yml | description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_changepk_slui.yml | - https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_changepk_slui.yml | Image\|endswith: '\changepk.exe' | DRL 1.0 |
| atomic-red-team | T1548.002.md | Target: \system32\slui.exe, \system32\changepk.exe | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.