PkgMgr.exe

  • File Path: C:\Windows\SysWOW64\PkgMgr.exe
  • Description: Windows Package Manager

Hashes

  • MD5: 24DFD1EFE2837C760511CE773DF3E9CA
  • SHA1: 9337185001101F37BC9D9B9EDADD3E34A6C11DFB
  • SHA256: 8AFD78CB0BEFD7BADAF66BBDEF884FBCE6B9BFCB41291B78DF1939227103766D
  • SHA384: D70716CFE14F9F29FD570BDF2C28B31BF7FA0B58B992F8A89C9E78B1B09909039552DAFC8016E682881F62CF7F872F03
  • SHA512: 9246AA908E49E44C716A71A1DBD5F49A2D20189326232316DC8A02B988B591AD8404CA230AB104E78901D763F207116B3C0FCE9F3DC91AB22BA65A8BAB0F9D57
  • SSDEEP: 3072:fF8r7ENnKKphw6s4RTQcWl4gECKue9Pa4iuUblDwAMQUlW1Vm:fqr78nRccMxECze9+hblDw/

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PkgMgr.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.2457 (rs1_release_inmarket.180822-1743)
  • Product Version: 10.0.14393.2457
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

  • C:\Windows\SysWOW64\ocsetapi.dll (score 49)
  • C:\windows\SysWOW64\PkgMgr.exe (score 47)
  • C:\Windows\SysWOW64\PkgMgr.exe (score 52)
  • C:\Windows\SysWOW64\PkgMgr.exe (score 49)
  • C:\WINDOWS\SysWOW64\PkgMgr.exe (score 43)
  • C:\WINDOWS\SysWOW64\PkgMgr.exe (score 47)
  • C:\Windows\SysWOW64\wusa.exe (score 43)

Possible Misuse

The following table contains possible examples of PkgMgr.exe being misused. While PkgMgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • sigma / file_event_win_uac_bypass_msconfig_gui.yml: TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe' (DRL 1.0)
  • sigma / proc_creation_win_uac_bypass_msconfig_gui.yml: ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe' (DRL 1.0)
  • sigma / proc_creation_win_uac_bypass_pkgmgr_dism.yml: title: UAC Bypass Using PkgMgr and DISM (DRL 1.0)
  • sigma / proc_creation_win_uac_bypass_pkgmgr_dism.yml: description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23) (DRL 1.0)
  • sigma / proc_creation_win_uac_bypass_pkgmgr_dism.yml: ParentImage|endswith: '\pkgmgr.exe' (DRL 1.0)
  • atomic-red-team / T1548.002.md: Target: \system32\pkgmgr.exe (MIT License. © 2018 Red Canary)

MIT License. Copyright (c) 2020-2021 Strontic.