PkgMgr.exe

  • File Path: C:\Windows\SysWOW64\PkgMgr.exe
  • Description: Windows Package Manager

Screenshot

PkgMgr.exe PkgMgr.exe

Hashes

Type Hash
MD5 299F9CBA823CFB6F7AD965877154902B
SHA1 6917CD5FAF32809CA8EA46F2FA97D75ED33119AA
SHA256 A1F495FB35CC72823BF0C556C59C0A1E7589F7109A3B287ABAA5F803C652009E
SHA384 A5C549CE421FE3003D54AB16043566FBE290EB57D2A3608B2935C6C37B50B6453B6E400677DFB81DF70576415446E0E8
SHA512 5B36639EC28DC09D875BE5E837551B246F067F920FBA520F6BDCF064A33F1FC00A7260474483570D78BEA53CDD2F94E46D8EEBEEB68558D8710A983BA6A73C7C
SSDEEP 3072:m/r5ENnKKphw6s4RTQcWl4xEGS2PQo9tW+R/MYg+S:er58nRccMUEGS2PbxR/T
IMP 59565FB94D24BF5F6F2207C5CBF343B0
PESHA1 6DA67B1A3E596DFBF5BFDA6B50B1D420EB446C2D
PE256 9C57490182F6793E2FA862398AEDA5710A013035608504B3B587E60C780938A5

Runtime Data

Window Title:

Windows Package Manager

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\PkgMgr.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PkgMgr.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/a1f495fb35cc72823bf0c556c59c0a1e7589f7109a3b287abaa5f803c652009e/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\ocsetapi.dll 54
C:\windows\SysWOW64\PkgMgr.exe 49
C:\Windows\SysWOW64\PkgMgr.exe 52
C:\Windows\SysWOW64\PkgMgr.exe 46
C:\WINDOWS\SysWOW64\PkgMgr.exe 50
C:\WINDOWS\SysWOW64\PkgMgr.exe 47
C:\Windows\SysWOW64\wusa.exe 40

Possible Misuse

The following table contains possible examples of PkgMgr.exe being misused. While PkgMgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_msconfig_gui.yml TargetFilename\|endswith: '\AppData\Local\Temp\pkgmgr.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_msconfig_gui.yml ParentImage\|endswith: '\AppData\Local\Temp\pkgmgr.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_pkgmgr_dism.yml title: UAC Bypass Using PkgMgr and DISM DRL 1.0
sigma proc_creation_win_uac_bypass_pkgmgr_dism.yml description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23) DRL 1.0
sigma proc_creation_win_uac_bypass_pkgmgr_dism.yml ParentImage\|endswith: '\pkgmgr.exe' DRL 1.0
atomic-red-team T1548.002.md Target: \system32\pkgmgr.exe MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.