pcalua.exe

  • File Path: C:\Windows\system32\pcalua.exe
  • Description: Program Compatibility Assistant

Hashes

Type Hash
MD5 5F7CDE105E9679FF88B3B6A3DCD129DB
SHA1 B9193C196201B9411BB917122F93E19238CAA1BB
SHA256 1D528A686A583162794349114F945A8BD2B17321F6FA62288CD1CE3EC48D2447
SHA384 6F5E8FFD9B385E101E00DB6C1E6B17D484F199F118043CD4FC3753DF586A4982A7CEE5CCB6C44D4FD9524F52AC6CCDA6
SHA512 66A606A5D2CE3E19F06C0FE5B842D9C51AC1E9B02C49655C3CB5280DC27E192CD256F4F40BA4FC5DEAD026524626F1242ACF79C434E74A2F54E5770FFD0B9FFE
SSDEEP 768:PGCafzyeq4PnN621EKlFMRU5LfMdcGap1k1acETfpkW9/2MWgKDoA3v5YTgmVjo6:aq416mbyo0CfnlTLKD7v50V06
IMP 5AD5C9412DDBD3C076272C60FA1FDD4C
PESHA1 DF5492262D88E1ADC53BBA5AB66579A70527CFD6
PE256 D7250C7593776E6B692BDF23BA838932CDB492BC5A95235F61E1A1EE7FAE1EBF

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\pcalua.exe
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename:
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/1d528a686a583162794349114f945a8bd2b17321f6fa62288cd1ce3ec48d2447/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\pcalua.exe 40
C:\Windows\system32\pcalua.exe 90

Possible Misuse

The following table contains possible examples of pcalua.exe being misused. While pcalua.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_indirect_cmd.yml description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe). DRL 1.0
sigma proc_creation_win_indirect_cmd.yml - '\pcalua.exe' DRL 1.0
LOLBAS Pcalua.yml Name: Pcalua.exe  
LOLBAS Pcalua.yml - Command: pcalua.exe -a calc.exe  
LOLBAS Pcalua.yml - Command: pcalua.exe -a \\server\payload.dll  
LOLBAS Pcalua.yml - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java  
LOLBAS Pcalua.yml - Path: C:\Windows\System32\pcalua.exe  
malware-ioc misp_invisimole.json "description": "Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.", © ESET 2014-2018
atomic-red-team index.md - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1202.md <blockquote>Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017) MIT License. © 2018 Red Canary
atomic-red-team T1202.md - Atomic Test #1 - Indirect Command Execution - pcalua.exe MIT License. © 2018 Red Canary
atomic-red-team T1202.md ## Atomic Test #1 - Indirect Command Execution - pcalua.exe MIT License. © 2018 Red Canary
atomic-red-team T1202.md The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface. MIT License. © 2018 Red Canary
atomic-red-team T1202.md pcalua.exe -a #{process} MIT License. © 2018 Red Canary
atomic-red-team T1202.md pcalua.exe -a #{payload_path} MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.