changepk.exe

  • File Path: C:\Windows\system32\changepk.exe
  • Description: Windows Activation

Hashes

| Type | Hash |
|------|------|
| MD5 | E158157A57E322D9BB683FE2378724BA |
| SHA1 | A863F6C4299446AA6DFBDADCA98AE40FA044EB5E |
| SHA256 | 64708A3E27EE5ACBEB14140A956AAF8F6472CF60D592C05BC564851BE5CD42D5 |
| SHA384 | D86A41EA963DC9B3970EE8B909AA03E6FD79ECA23384145FCF3FF02C74EB09FC31989F87BDCFF901A3323508F89A8A62 |
| SHA512 | 2767FB90151E7A2BFB41516854D8893BCEC9E9458369ED481ED6A97EE06E7107832FB1215FF61973C17645F2511DCED990B6C3A04664EC94302DEB5AD673154E |
| SSDEEP | 1536:/nceOoyWlp5h15wTGjvzj07j5UfTTfPLr0:EoyqHXzK5UfTTfzr0 |

Signature

  • Status: Signature verified.
  • Serial: 33000001733031072665B8B9B3000000000173
  • Thumbprint: 14590DC5C3AAF238FCFD7785B4B93F4071402C34
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: changepk.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

| File | Score |
|------|-------|
| C:\WINDOWS\system32\changepk.exe | 40 |
| C:\WINDOWS\system32\changepk.exe | 44 |
| C:\Windows\system32\changepk.exe | 49 |
| C:\Windows\system32\changepk.exe | 36 |

Possible Misuse

The following table contains possible examples of changepk.exe being misused. While changepk.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | proc_creation_win_uac_bypass_changepk_slui.yml | title: UAC Bypass Using ChangePK and SLUI | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_changepk_slui.yml | description: Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_changepk_slui.yml | - https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_changepk_slui.yml | Image\|endswith: '\changepk.exe' | DRL 1.0 |
| atomic-red-team | T1548.002.md | Target: \system32\slui.exe, \system32\changepk.exe | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.