pcalua.exe

  • File Path: C:\Windows\system32\pcalua.exe
  • Description: Program Compatibility Assistant

Hashes

Type Hash
MD5 B642F83E300A90639403B919158FA11D
SHA1 AE6DFE43F6AF391E4CE17AF3C264C7FBC0CD1258
SHA256 6FFC6399F7AA42EE25E9593E3A10AE83AD484CF563C08CE7A33E63008E9D3511
SHA384 7AA0F0910C5B33B78344BE3815EDA69A187796236D27DF77BFBFA5C7C2AB62792BC5ADD1AA3D2F953A0CEA2F91578FA0
SHA512 275980F580F75C62AF04EA51967DB68B50FA8D1A22FFB87E28AB090B2619A0A7CF80969540C010BFCC164EBF2A291E2792F32E94D253290F6BB1C68DB5CE09DD
SSDEEP 768:F+Cqfqyeq4PnNKmVUWEVMRU5sfMtsWap1XVq9EDrppWYfZpLmGKDeOUZbPdpfiYB:FRq41K6ebouyrmmDxKDHUzpfiYvZ
IMP 5AD5C9412DDBD3C076272C60FA1FDD4C
PESHA1 C2D4617630CFDD34528B30F014ABB3D3814CBCBD
PE256 071B0A4D3C60974BD5311CAE47F29365C486406F01D6C31E01B30B1425E63AAC

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\pcalua.exe
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename:
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/6ffc6399f7aa42ee25e9593e3a10ae83ad484cf563c08ce7a33e63008e9d3511/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\pcalua.exe 40
C:\Windows\system32\pcalua.exe 40

Possible Misuse

The following table contains possible examples of pcalua.exe being misused. While pcalua.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_indirect_cmd.yml description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe). DRL 1.0
sigma proc_creation_win_indirect_cmd.yml - '\pcalua.exe' DRL 1.0
LOLBAS Pcalua.yml Name: Pcalua.exe  
LOLBAS Pcalua.yml - Command: pcalua.exe -a calc.exe  
LOLBAS Pcalua.yml - Command: pcalua.exe -a \\server\payload.dll  
LOLBAS Pcalua.yml - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java  
LOLBAS Pcalua.yml - Path: C:\Windows\System32\pcalua.exe  
malware-ioc misp_invisimole.json "description": "Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.", © ESET 2014-2018
atomic-red-team index.md - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1202.md <blockquote>Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017) MIT License. © 2018 Red Canary
atomic-red-team T1202.md - Atomic Test #1 - Indirect Command Execution - pcalua.exe MIT License. © 2018 Red Canary
atomic-red-team T1202.md ## Atomic Test #1 - Indirect Command Execution - pcalua.exe MIT License. © 2018 Red Canary
atomic-red-team T1202.md The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface. MIT License. © 2018 Red Canary
atomic-red-team T1202.md pcalua.exe -a #{process} MIT License. © 2018 Red Canary
atomic-red-team T1202.md pcalua.exe -a #{payload_path} MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.