PkgMgr.exe

  • File Path: C:\WINDOWS\SysWOW64\PkgMgr.exe
  • Description: Windows Package Manager

Hashes

  • MD5: DF567ACC6355100C57611510A701335F
  • SHA1: A8519A322631FBE6B06BDE94AC467C16CC59FB85
  • SHA256: B3BD72E57AEA758B0E1780D5CF9455CA9737FFA8BFCF8A93532C196BCDEA46AB
  • SHA384: EFB7FD23CB3A848A495EEE3F6FB1C285906860C0A559261958E1DA0DB42989151BAA06D395EDB4DD479F980A437D6CF1
  • SHA512: BAE596711706CADC1FC362A5B83214F635BA82BB9ECD8B3BDF46ECDBB88D3ED4BF30643B14A828A60629AB999712D4D35D6829D76D9DCC113EA8229055720EC7
  • SSDEEP: 3072:tRS0ENnKKphw6s4RTQcWl4K9rpW6Hr76s5TuiAyD4Ugqo4iHMK:fS08nRccMx9r1HFunY4U39K

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: PkgMgr.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

  • C:\Windows\SysWOW64\ocsetapi.dll (score 47)
  • C:\windows\SysWOW64\PkgMgr.exe (score 43)
  • C:\Windows\SysWOW64\PkgMgr.exe (score 47)
  • C:\Windows\SysWOW64\PkgMgr.exe (score 47)
  • C:\Windows\SysWOW64\PkgMgr.exe (score 54)
  • C:\WINDOWS\SysWOW64\PkgMgr.exe (score 49)
  • C:\Windows\SysWOW64\wusa.exe (score 46)

Possible Misuse

The following list contains possible examples of PkgMgr.exe being misused. While PkgMgr.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Each entry gives the source, the source file, the matching detection line, and the license.

  • sigma, file_event_win_uac_bypass_msconfig_gui.yml: TargetFilename|endswith: '\AppData\Local\Temp\pkgmgr.exe' (DRL 1.0)
  • sigma, proc_creation_win_uac_bypass_msconfig_gui.yml: ParentImage|endswith: '\AppData\Local\Temp\pkgmgr.exe' (DRL 1.0)
  • sigma, proc_creation_win_uac_bypass_pkgmgr_dism.yml: title: UAC Bypass Using PkgMgr and DISM (DRL 1.0)
  • sigma, proc_creation_win_uac_bypass_pkgmgr_dism.yml: description: Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23) (DRL 1.0)
  • sigma, proc_creation_win_uac_bypass_pkgmgr_dism.yml: ParentImage|endswith: '\pkgmgr.exe' (DRL 1.0)
  • atomic-red-team, T1548.002.md: Target: \system32\pkgmgr.exe (MIT License. © 2018 Red Canary)

MIT License. Copyright (c) 2020-2021 Strontic.