PkgMgr.exe

  • File Path: C:\Windows\system32\PkgMgr.exe
  • Description: Windows Package Manager

Screenshot

PkgMgr.exe PkgMgr.exe

Hashes

Type Hash
MD5 DC51BE58FEAF1A400DA1BBFC16219C10
SHA1 3B5E0FFCF76D1AAECD9344774BB05E6E79EF124C
SHA256 C48CD3943AC941E88C089CF3245F4C7903030EA5B7DBAF59B8D6E69CF454A06D
SHA384 8F5F9B7ADFF6663D4C346EB9D43153BAC4406BF3B5048EC075097B5289A515A929E1E7F0826CC7A29DB51A63B6FBD037
SHA512 2CD75CFF603EF3CDBD0E7733FE0627E8A415AF239BC4D17ECC901307A2195F9DAED36B809480FE41B546959993378065102ECEC451D3DA9852354B161BE5FCC3
SSDEEP 3072:SvyBycg/kAZlJETmbDS7oBl4OpbhENXK6JRAqs4xjw8m1IzS5bwuAQkx:OTcgcAZ5Xfl4MbhMHxM8cyS5bwuLk

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PkgMgr.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.2457 (rs1_release_inmarket.180822-1743)
  • Product Version: 10.0.14393.2457
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ocsetapi.dll 46
C:\WINDOWS\system32\PkgMgr.exe 49
C:\windows\system32\PkgMgr.exe 40
C:\WINDOWS\system32\PkgMgr.exe 40
C:\Windows\system32\PkgMgr.exe 46
C:\Windows\system32\wusa.exe 43

Possible Misuse

The following table contains possible examples of PkgMgr.exe being misused. While PkgMgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_msconfig_gui.yml TargetFilename\|endswith: '\AppData\Local\Temp\pkgmgr.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_msconfig_gui.yml ParentImage\|endswith: '\AppData\Local\Temp\pkgmgr.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_pkgmgr_dism.yml title: UAC Bypass Using PkgMgr and DISM DRL 1.0
sigma proc_creation_win_uac_bypass_pkgmgr_dism.yml description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23) DRL 1.0
sigma proc_creation_win_uac_bypass_pkgmgr_dism.yml ParentImage\|endswith: '\pkgmgr.exe' DRL 1.0
atomic-red-team T1548.002.md Target: \system32\pkgmgr.exe MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.