PkgMgr.exe

  • File Path: C:\WINDOWS\SysWOW64\PkgMgr.exe
  • Description: Windows Package Manager

Screenshot

PkgMgr.exe PkgMgr.exe

Hashes

Type Hash
MD5 694A2798122C9BE0043DD732C33BC4CE
SHA1 0ABCB90DEAC6C3D404D55B48CC3A4D08FFDBEAB5
SHA256 3B8849EEFDA6EDD84F962AAABC790B0E45FD55542429EF54860279659440ED12
SHA384 E54A4323F38E31214F1B5A21DAF25ADC66BDF3BCBEAC6B972ED2612DCCA3C8152BDF7744E892E1D663BDFA04BCF5F782
SHA512 822CE0079AFA1321FFCEC854BAD44822E1EFFFC9ABB3FF2D35A8213F144D5787F03DBA8654CA883B4840AEDE7CBAF1E88FB0AFF013B4DC96A28A8A768D570ABA
SSDEEP 3072:ATRS5ENnKKpzw6s4RTQcWl4GOMPnOzK5ErMoswvuXMIzg5hUQuCu:IS52nRccMCMPnErHGXMIzg7UD
IMP 19A9E14E90430AB59C9E7A707143A5C2
PESHA1 C9DE881E235047627BFF8E5B8858C796C979D395
PE256 351745F209CEBF3296BC11DDDF8B727D3E529411358DBE6276892E8BF3886344

Runtime Data

Window Title:

Windows Package Manager

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\PkgMgr.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PkgMgr.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.120 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.120
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/3b8849eefda6edd84f962aaabc790b0e45fd55542429ef54860279659440ed12/detection

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\ocsetapi.dll 49
C:\windows\SysWOW64\PkgMgr.exe 46
C:\Windows\SysWOW64\PkgMgr.exe 43
C:\Windows\SysWOW64\PkgMgr.exe 50
C:\Windows\SysWOW64\PkgMgr.exe 50
C:\WINDOWS\SysWOW64\PkgMgr.exe 49
C:\Windows\SysWOW64\wusa.exe 38

Possible Misuse

The following table contains possible examples of PkgMgr.exe being misused. While PkgMgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_msconfig_gui.yml TargetFilename\|endswith: '\AppData\Local\Temp\pkgmgr.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_msconfig_gui.yml ParentImage\|endswith: '\AppData\Local\Temp\pkgmgr.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_pkgmgr_dism.yml title: UAC Bypass Using PkgMgr and DISM DRL 1.0
sigma proc_creation_win_uac_bypass_pkgmgr_dism.yml description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23) DRL 1.0
sigma proc_creation_win_uac_bypass_pkgmgr_dism.yml ParentImage\|endswith: '\pkgmgr.exe' DRL 1.0
atomic-red-team T1548.002.md Target: \system32\pkgmgr.exe MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.