PkgMgr.exe

  • File Path: C:\Windows\SysWOW64\PkgMgr.exe
  • Description: Windows Package Manager

Hashes

Type Hash
MD5 2F98A0859C8F75D8EEE78E0C8DB2F59F
SHA1 9EA846D34523EDE2F4126C87895F3AE9983633DC
SHA256 CBF7C8A6F52735CA8C1118D65C1FE96A5345987F3B81726E2F8356E22AC5E088
SHA384 3804463005E52CAD36C4BA3409F303E030449032CE00219310BF15FECFA34924B1D7094625B0817B7BE6B4ECC37C9712
SHA512 9FC9EBC4F7E4E4C5CB100D1F82ADC4712FBD2EEF4F912D9BF84CCFF182F7DC625EE0938BE14D1F0BF1C04A45EAA39C8F58253AE8C1C267D5C1DF6FA49918331A
SSDEEP 3072:aC6RSlENnKKphw6s4RTQcWl444TKJ6eWIC5ou6IQN8QimaBo:aPSl8nRccMT41eWIyobIQN8
IMP 5DA81DD73892247EA00FA07D46307D16
PESHA1 5B69323E55431E7CDE63E62E112D505AD760DBB4
PE256 E25B3F13635823EBD8BD4969A9B6446C9FB1CED314142EC42CE150860C9FBDCC

Runtime Data

Window Title:

Windows Package Manager

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\PkgMgr.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PkgMgr.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/cbf7c8a6f52735ca8c1118d65c1fe96a5345987f3b81726e2f8356e22ac5e088/detection

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\ocsetapi.dll 47
C:\windows\SysWOW64\PkgMgr.exe 46
C:\Windows\SysWOW64\PkgMgr.exe 49
C:\Windows\SysWOW64\PkgMgr.exe 46
C:\WINDOWS\SysWOW64\PkgMgr.exe 50
C:\WINDOWS\SysWOW64\PkgMgr.exe 54
C:\Windows\SysWOW64\wusa.exe 41

Possible Misuse

The following table contains possible examples of PkgMgr.exe being misused. While PkgMgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_msconfig_gui.yml TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_msconfig_gui.yml ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_pkgmgr_dism.yml title: UAC Bypass Using PkgMgr and DISM DRL 1.0
sigma proc_creation_win_uac_bypass_pkgmgr_dism.yml description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23) DRL 1.0
sigma proc_creation_win_uac_bypass_pkgmgr_dism.yml ParentImage|endswith: '\pkgmgr.exe' DRL 1.0
atomic-red-team T1548.002.md Target: \system32\pkgmgr.exe MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.