pcwrun.exe

  • File Path: C:\WINDOWS\system32\pcwrun.exe
  • Description: Program Compatibility Troubleshooter Invoker

Hashes

Type Hash
MD5 F403498CD4CCAD1D23B19639E9AE39C3
SHA1 9285D28787CD0C3767EBDC2D2BC15C3598C490AA
SHA256 3087F9AA4EA61FB0AC46E23721BDA1F688919684F88B32CA6A37E5115094E5DC
SHA384 0C3F5AB4FC7065987B85169A6B64EA5A87D326905FFF79113BDF963CBB8504C508B310AA541C05A6264D1AD264BEC634
SHA512 F02FEDD8EB176312A812BD509420442AE3A53A6DCC905AA9DFD5F42648396E3A274CC57D40EAF22C8E98E13CB278615E91C3DE566DDEF45FAF78C988C6337164
SSDEEP 192:oI2fS2y9cq15HvBomH2bAqy+ChtqeAhEx3yZKoOg8OmcWzgW:oI26z9/1rNWb35vExcODLcWzgW
IMP F377D135D63E07ADC800E6F236499A9F
PESHA1 CCFF489103A148D7D4A550BBAC0B7A88705A42B5
PE256 05D54964AAA22F088E6A21C2C0E22EF57F289CBEE9D284C09F37514001B41588

Runtime Data

Child Processes:

msdt.exe

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\pcwrun.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: pcwrun.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/3087f9aa4ea61fb0ac46e23721bda1f688919684f88b32ca6a37e5115094e5dc/detection

Possible Misuse

The following table contains possible examples of pcwrun.exe being misused. While pcwrun.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_indirect_cmd_compatibility_assistant.yml description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe DRL 1.0
sigma proc_creation_win_indirect_cmd_compatibility_assistant.yml - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/ DRL 1.0
sigma proc_creation_win_indirect_cmd_compatibility_assistant.yml ParentImage\|endswith: '\pcwrun.exe' DRL 1.0
LOLBAS Pcwrun.yml Name: Pcwrun.exe  
LOLBAS Pcwrun.yml - Command: Pcwrun.exe c:\temp\beacon.exe  
LOLBAS Pcwrun.yml - Path: C:\Windows\System32\pcwrun.exe  

MIT License. Copyright (c) 2020-2021 Strontic.