pcalua.exe

  • File Path: C:\Windows\system32\pcalua.exe
  • Description: Program Compatibility Assistant

Hashes

Type Hash
MD5 FDA12B6075B344B04FBD1B35B8D8B1E1
SHA1 F6FE1855DA595291593E2C68ECD889E68F2CE309
SHA256 E7049E16DBA743600F33A8DC5255507C7E212B119569DF5354605FE14A75E61B
SHA384 2AC32541C8BBD821FE3A18BD55D8C7713876DEB705F4F173C0D39EC3C26E0C10E5B442E1D26A977A04FF92FE777A9D09
SHA512 1E64057DE5B6328A366C8213F6619957E897A27E3E07C833EBF7397F2DF0D8985574730E13A71293F50BFB1265227C79C03E104BC5EF4F8239481773D46BA37B
SSDEEP 768:DGCafzyeq4PnN621EKlFMRU5LfMdcGap1k1acETfpkW9/2MWgKDogJ/5YTWZVjoJ:Oq416mbyo0CfnlTLKDR/5pV0J
IMP 5AD5C9412DDBD3C076272C60FA1FDD4C
PESHA1 FC1306978F6B3155A4C2B5E267AA326A07201A7E
PE256 5FB6608DF5D4B0BD2D3C8FA3929481E152A85B6818E97A45138FBBCE0D86CF8A

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\system32\apphelp.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\pcalua.exe
C:\Windows\system32\pcaui.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename:
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/e7049e16dba743600f33a8dc5255507c7e212b119569df5354605fe14a75e61b/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\pcalua.exe 90
C:\Windows\system32\pcalua.exe 40

Possible Misuse

The following table contains possible examples of pcalua.exe being misused. While pcalua.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_indirect_cmd.yml description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe). DRL 1.0
sigma proc_creation_win_indirect_cmd.yml - '\pcalua.exe' DRL 1.0
LOLBAS Pcalua.yml Name: Pcalua.exe  
LOLBAS Pcalua.yml - Command: pcalua.exe -a calc.exe  
LOLBAS Pcalua.yml - Command: pcalua.exe -a \\server\payload.dll  
LOLBAS Pcalua.yml - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java  
LOLBAS Pcalua.yml - Path: C:\Windows\System32\pcalua.exe  
malware-ioc misp_invisimole.json "description": "Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.", © ESET 2014-2018
atomic-red-team index.md - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1202.md <blockquote>Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017) MIT License. © 2018 Red Canary
atomic-red-team T1202.md - Atomic Test #1 - Indirect Command Execution - pcalua.exe MIT License. © 2018 Red Canary
atomic-red-team T1202.md ## Atomic Test #1 - Indirect Command Execution - pcalua.exe MIT License. © 2018 Red Canary
atomic-red-team T1202.md The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface. MIT License. © 2018 Red Canary
atomic-red-team T1202.md pcalua.exe -a #{process} MIT License. © 2018 Red Canary
atomic-red-team T1202.md pcalua.exe -a #{payload_path} MIT License. © 2018 Red Canary
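As an added example for this page (not code from Strontic, SigmaHQ, LOLBAS or Atomic Red Team), the detection idea behind the Sigma rule above can be expressed directly over process-creation telemetry: flag any event where pcalua.exe is the created process, or where pcalua.exe is the parent of the created process, and pull the program it was asked to run out of the -a argument. The Sysmon-style field names (Image, ParentImage, CommandLine), the sample events and the severity split (UNC target vs. local target) are the editor's assumptions, not part of the referenced rule.

```python
"""Toy detector for indirect command execution via pcalua.exe.

Added example, not the page's or Sigma's own code. The rule logic is the
editor's reading of the referenced Sigma rule (Image endswith \pcalua.exe),
extended with a ParentImage check for the child pcalua.exe spawns.
"""
import re
from typing import List, Optional

# Constructed sample of Sysmon Event ID 1-like records (assumption: Sysmon's
# field names; paths and command lines made up for the example, modelled on
# the LOLBAS commands listed on this page).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\system32\pcalua.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"pcalua.exe -a calc.exe"},
    {"Image": r"C:\Windows\system32\pcalua.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"pcalua.exe -a \\server\payload.dll"},
    {"Image": r"C:\Windows\System32\calc.exe",          # child spawned by pcalua
     "ParentImage": r"C:\Windows\system32\pcalua.exe",
     "CommandLine": r'"C:\Windows\System32\calc.exe"'},
    {"Image": r"C:\Windows\System32\notepad.exe",       # benign, no pcalua involved
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"Image": r"C:\Windows\system32\pcalua.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'pcalua.exe -a "C:\Program Files\Tool\tool.exe" -c /quiet'},
]

PCALUA_SUFFIX = "\\pcalua.exe"


def is_pcalua(path: str) -> bool:
    """Case-insensitive suffix match, like Sigma's |endswith modifier."""
    return path.lower().endswith(PCALUA_SUFFIX)


def split_windows_args(cmdline: str) -> List[str]:
    """Minimal Windows-style tokenizer: whitespace separates, double quotes group."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline)]


def launched_target(cmdline: str) -> Optional[str]:
    """Return the argument following -a (the program pcalua.exe is asked to run)."""
    args = split_windows_args(cmdline)
    for i, arg in enumerate(args):
        if arg.lower() == "-a" and i + 1 < len(args):
            return args[i + 1]
    return None


def classify(event: dict) -> Optional[dict]:
    """Return an alert for a suspicious event, or None for a benign one."""
    image = event.get("Image", "")
    parent = event.get("ParentImage", "")
    if is_pcalua(image):
        target = launched_target(event.get("CommandLine", ""))
        # A UNC target (\\server\...) means pcalua.exe is fetching the payload
        # from the network, as in the LOLBAS example; treat that as higher severity.
        severity = "high" if target and target.startswith("\\\\") else "medium"
        return {"rule": "pcalua_launch", "target": target, "severity": severity}
    if is_pcalua(parent):
        # The program pcalua.exe started shows up as a child with pcalua as parent.
        return {"rule": "pcalua_child", "target": image, "severity": "medium"}
    return None


def scan(events) -> List[dict]:
    """Run classify() over a batch of events and keep only the alerts."""
    alerts = []
    for event in events:
        alert = classify(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The Image/ParentImage pair matters in practice: an attacker who runs `pcalua.exe -a payload.exe` leaves two events, the pcalua.exe launch and the payload with pcalua.exe as parent, and either one alone is enough to alert. The check will also fire on legitimate launches through the Program Compatibility Assistant, so in production the parent process (cmd.exe, powershell.exe, an Office binary) is the usual tuning knob rather than the pcalua.exe image itself.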

MIT License. Copyright (c) 2020-2021 Strontic.