Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 20, 2021, 5:34 p.m.	Oct. 20, 2021, 5:47 p.m.

Size	7.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`27828516c38739491a3d20e733850aa5`
SHA256	`2e8b750d6a8b14cff802d89ba55447014d63ffd4c5c711f36e900d6a9aff66df`
CRC32	`A1C09214`
ssdeep	`196608:QL6ocnTV67JnbhUtuvbPORiE9Z1v8KMf4UUIHSMi:a6JnTE7Jn1UGW7v8HQsi`
PDB Path	C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb
Yara	Antivirus - Contains references to security software PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

Porcal4.exe "C:\Users\test22\AppData\Local\Temp\Porcal4.exe"
2424
- msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\adv.msi" AI_SETUPEXEPATH=C:\Users\test22\AppData\Local\Temp\Porcal4.exe SETUPEXEDIR=C:\Users\test22\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634718825 " AI_EUIMSI=""
  2772
explorer.exe C:\Windows\Explorer.EXE
1924

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.7.214.157	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49424 185.7.214.157:666	None	None	None

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 20, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 20, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 20, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 20, 2021, 5:34 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 20, 2021, 5:34 p.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 20, 2021, 5:34 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	IMAGE_FILE
resource name	RTF_FILE

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 20, 2021, 5:34 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x762bf777 NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x74fc419a NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x7504011d WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x761bb641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x761bb5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x761bb172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x761ba66e StgOpenStorage+0x14f2 CoSetProxyBlanket-0x1a5 ole32+0x15d00 @ 0x76195d00 StgOpenStorage+0x14d3 CoSetProxyBlanket-0x1c4 ole32+0x15ce1 @ 0x76195ce1 StgOpenStorage+0x1531 CoSetProxyBlanket-0x166 ole32+0x15d3f @ 0x76195d3f SetErrorInfo+0x70f CoRevokeInitializeSpy-0x802 ole32+0x48f82 @ 0x761c8f82 SetErrorInfo+0x650 CoRevokeInitializeSpy-0x8c1 ole32+0x48ec3 @ 0x761c8ec3 PropVariantCopy+0xfe CoFreeAllLibraries-0x2406 ole32+0x3bac3 @ 0x761bbac3 SetErrorInfo+0x75 CoRevokeInitializeSpy-0xe9c ole32+0x488e8 @ 0x761c88e8 New_ole32_CoUninitialize@0+0x55 New_ole32_OleConvertOLESTREAMToIStorage@12-0x58 @ 0x74395180 MsiSetOfflineContextW+0x898a6 msi+0x161bab @ 0x74171bab BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80070005 exception.offset: 46887 exception.address: 0x7677b727 registers.esp: 72806072 registers.edi: 1981610512 registers.eax: 72806072 registers.ebp: 72806152 registers.edx: 0 registers.ebx: 47143956 registers.esi: 2147942405 registers.ecx: 0	1	0	0
__exception__ Oct. 20, 2021, 5:34 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x762bf777 NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x74fc419a NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x7504011d WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x761bb641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x761bb5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x761bb172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x761ba66e CoRegisterMessageFilter+0x421e ObjectStublessClient5-0xe4b ole32+0x3a817 @ 0x761ba817 CoRegisterMessageFilter+0x4188 ObjectStublessClient5-0xee1 ole32+0x3a781 @ 0x761ba781 CoRegisterMessageFilter+0x44fa ObjectStublessClient5-0xb6f ole32+0x3aaf3 @ 0x761baaf3 WdtpInterfacePointer_UserUnmarshal+0x2109 DllDebugObjectRPCHook-0x22ef ole32+0x13d380 @ 0x762bd380 DllGetClassObject+0x5403 MsiCreateAndVerifyInstallerDirectory-0x464c msi+0x26c41 @ 0x74036c41 DllGetClassObject+0x54a2 MsiCreateAndVerifyInstallerDirectory-0x45ad msi+0x26ce0 @ 0x74036ce0 MsiInvalidateFeatureCache+0x30ae6 DllRegisterServer-0xa154 msi+0x9db21 @ 0x740adb21 MsiDeterminePatchSequenceA+0x53f MsiCloseHandle-0x20fd msi+0xcdd98 @ 0x740ddd98 MsiDeterminePatchSequenceA+0x24dd MsiCloseHandle-0x15f msi+0xcfd36 @ 0x740dfd36 MsiCloseHandle+0x51 MsiCloseAllHandles-0x5d msi+0xcfee6 @ 0x740dfee6 porcal4+0x107507 @ 0xef7507 porcal4+0x3005e @ 0xe2005e RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800401f0 exception.offset: 46887 exception.address: 0x7677b727 registers.esp: 82309500 registers.edi: 1981610512 registers.eax: 82309500 registers.ebp: 82309580 registers.edx: 1981643784 registers.ebx: 5656116 registers.esi: 2147746288 registers.ecx: 1981608192	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 20, 2021, 5:34 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x762bf777
NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x74fc419a
NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x7504011d
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x761bb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x761bb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x761bb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x761ba66e
StgOpenStorage+0x14f2 CoSetProxyBlanket-0x1a5 ole32+0x15d00 @ 0x76195d00
StgOpenStorage+0x14d3 CoSetProxyBlanket-0x1c4 ole32+0x15ce1 @ 0x76195ce1
StgOpenStorage+0x1531 CoSetProxyBlanket-0x166 ole32+0x15d3f @ 0x76195d3f
SetErrorInfo+0x70f CoRevokeInitializeSpy-0x802 ole32+0x48f82 @ 0x761c8f82
SetErrorInfo+0x650 CoRevokeInitializeSpy-0x8c1 ole32+0x48ec3 @ 0x761c8ec3
PropVariantCopy+0xfe CoFreeAllLibraries-0x2406 ole32+0x3bac3 @ 0x761bbac3
SetErrorInfo+0x75 CoRevokeInitializeSpy-0xe9c ole32+0x488e8 @ 0x761c88e8
New_ole32_CoUninitialize@0+0x55 New_ole32_OleConvertOLESTREAMToIStorage@12-0x58 @ 0x74395180
MsiSetOfflineContextW+0x898a6 msi+0x161bab @ 0x74171bab
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80070005
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 72806072
registers.edi: 1981610512
registers.eax: 72806072
registers.ebp: 72806152
registers.edx: 0
registers.ebx: 47143956
registers.esi: 2147942405
registers.ecx: 0

__exception__

Oct. 20, 2021, 5:34 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x762bf777
NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x74fc419a
NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x7504011d
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x761bb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x761bb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x761bb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x761ba66e
CoRegisterMessageFilter+0x421e ObjectStublessClient5-0xe4b ole32+0x3a817 @ 0x761ba817
CoRegisterMessageFilter+0x4188 ObjectStublessClient5-0xee1 ole32+0x3a781 @ 0x761ba781
CoRegisterMessageFilter+0x44fa ObjectStublessClient5-0xb6f ole32+0x3aaf3 @ 0x761baaf3
WdtpInterfacePointer_UserUnmarshal+0x2109 DllDebugObjectRPCHook-0x22ef ole32+0x13d380 @ 0x762bd380
DllGetClassObject+0x5403 MsiCreateAndVerifyInstallerDirectory-0x464c msi+0x26c41 @ 0x74036c41
DllGetClassObject+0x54a2 MsiCreateAndVerifyInstallerDirectory-0x45ad msi+0x26ce0 @ 0x74036ce0
MsiInvalidateFeatureCache+0x30ae6 DllRegisterServer-0xa154 msi+0x9db21 @ 0x740adb21
MsiDeterminePatchSequenceA+0x53f MsiCloseHandle-0x20fd msi+0xcdd98 @ 0x740ddd98
MsiDeterminePatchSequenceA+0x24dd MsiCloseHandle-0x15f msi+0xcfd36 @ 0x740dfd36
MsiCloseHandle+0x51 MsiCloseAllHandles-0x5d msi+0xcfee6 @ 0x740dfee6
porcal4+0x107507 @ 0xef7507
porcal4+0x3005e @ 0xe2005e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800401f0
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 82309500
registers.edi: 1981610512
registers.eax: 82309500
registers.ebp: 82309580
registers.edx: 1981643784
registers.ebx: 5656116
registers.esi: 2147746288
registers.ecx: 1981608192

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2424 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04270000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04420000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2424 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04460000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2424 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75131000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x768e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73091000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73041000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74251000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f81000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 region_size: 1310720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 20, 2021, 5:34 p.m.	process_identifier: 2772 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (50 out of 261 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10233708544 free_bytes_available: 10233708544 root_path: \\?\C:\Users\test22\AppData\Roaming\ total_number_of_bytes: 10233708544	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10233499648 free_bytes_available: 10233499648 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\ total_number_of_bytes: 10233499648	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10219839488 free_bytes_available: 10219839488 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10219839488	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10217586688 free_bytes_available: 10217586688 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW Oct. 20, 2021, 5:34 p.m.	number_of_free_clusters: 2494528 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10228404224 free_bytes_available: 10228404224 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10228404224	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226913280 free_bytes_available: 10226913280 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226913280	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226909184 free_bytes_available: 10226909184 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226909184	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226905088 free_bytes_available: 10226905088 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226905088	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226896896 free_bytes_available: 10226896896 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226896896	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226892800 free_bytes_available: 10226892800 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226892800	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226888704 free_bytes_available: 10226888704 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226888704	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226884608 free_bytes_available: 10226884608 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226884608	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226880512 free_bytes_available: 10226880512 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226880512	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226876416 free_bytes_available: 10226876416 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226876416	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226872320 free_bytes_available: 10226872320 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226872320	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226868224 free_bytes_available: 10226868224 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226868224	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226864128 free_bytes_available: 10226864128 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226864128	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226864128 free_bytes_available: 10226864128 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226864128	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226860032 free_bytes_available: 10226860032 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226860032	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226855936 free_bytes_available: 10226855936 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226855936	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226847744 free_bytes_available: 10226847744 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226847744	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226843648 free_bytes_available: 10226843648 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226843648	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226839552 free_bytes_available: 10226839552 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226839552	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226831360 free_bytes_available: 10226831360 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226831360	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226827264 free_bytes_available: 10226827264 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226827264	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226823168 free_bytes_available: 10226823168 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226823168	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226819072 free_bytes_available: 10226819072 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226819072	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226814976 free_bytes_available: 10226814976 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226814976	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226810880 free_bytes_available: 10226810880 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226810880	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226806784 free_bytes_available: 10226806784 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226806784	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226802688 free_bytes_available: 10226802688 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226802688	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226798592 free_bytes_available: 10226798592 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226798592	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226790400 free_bytes_available: 10226790400 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226790400	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226786304 free_bytes_available: 10226786304 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226786304	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226782208 free_bytes_available: 10226782208 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226782208	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226778112 free_bytes_available: 10226778112 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226778112	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226774016 free_bytes_available: 10226774016 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226774016	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226769920 free_bytes_available: 10226769920 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226769920	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226765824 free_bytes_available: 10226765824 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226765824	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226761728 free_bytes_available: 10226761728 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226761728	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226753536 free_bytes_available: 10226753536 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226753536	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226749440 free_bytes_available: 10226749440 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226749440	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226745344 free_bytes_available: 10226745344 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226745344	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226741248 free_bytes_available: 10226741248 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226741248	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226733056 free_bytes_available: 10226733056 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226733056	1	1
GetDiskFreeSpaceExW Oct. 20, 2021, 5:34 p.m.	total_number_of_free_bytes: 10226724864 free_bytes_available: 10226724864 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10226724864	1	1

Creates executable files on the filesystem (50 out of 63 events)

file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-console-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\vcruntime140_clr0400.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\VistaBridgeLibrary.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140_atomic_wait.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\lua5.1.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\adv.msi
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140_2.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\vccorlib140.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140_1.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ucrtbase.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\API-MS-Win-core-xstate-l2-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp_win.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140_codecvt_ids.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\vcruntime140.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\powersnmp.exe
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\zlibwapi.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\SdCrashReporter.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-util-l1-1-0.dll

Drops an executable to the user AppData folder (50 out of 64 events)

file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\vccorlib140.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icuin51.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\MixPanel.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\SdCrashReporter.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\lua5.1.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp_win.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\MSIC50.tmp
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140_codecvt_ids.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ucrtbase_clr0400.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-console-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140_2.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\API-MS-Win-core-xstate-l2-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\libftw2.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\zlibwapi.dll
file	C:\Users\test22\AppData\Local\Temp\MSIBC2.tmp
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\decoder.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\vcruntime140.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\vcruntime140_clr0400.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-sysinfo-l1-1-0.dll

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Lionic	Trojan.Win32.Chapak.4!c
ALYac	Trojan.Keylogger.Agent
Kaspersky	HEUR:Trojan.Win32.Chapak.gen
ZoneAlarm	HEUR:Trojan.Win32.Chapak.gen
GData	Win32.Backdoor.Remcos.7YHCVI

Checks for the Locally Unique Identifier on the system for a suspicious privilege (31 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Oct. 20, 2021, 5:34 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

One or more of the buffers contains an embedded PE file (4 events)

buffer	Buffer with sha1: 22cb186e44dc498259107ddfef590759a79331e9
buffer	Buffer with sha1: ffd8714268003a452f8c411916b6ec43bb138b13
buffer	Buffer with sha1: fe8179ed5cdad666f787b662a376d16b1e303188
buffer	Buffer with sha1: e10c5e975a5af9a6dc6172b62347e002a9f9888d

Communicates with host for which no DNS query was performed (1 event)

host

185.7.214.157

Deletes executed files from disk (2 events)

file
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\adv.msi

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 259 events)

file
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\d12.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\NavigateUpIcon@225.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\d4a.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\CloseIcon@175.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\d18.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\DropdownIcon@250.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\lua5.1.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\next.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\New Blue\d10.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\MenuIcon@350.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\CreateFence@200.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\CloseIcon@150.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Layouts\Inital0.fencelayout
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\d17.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\MenuIcon@325.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\New Blue\d18a.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\CreateFence@100.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\NavigateUpIcon@275.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\d13a.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\holder0.aiph
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\MenuIcon@275.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\FolderIcon@250.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\API-MS-Win-core-xstate-l2-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\d8.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\FILES.7z
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\PagerBulletS@100.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\CreateFolderFence@125.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\New Blue\d3a.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\FolderIcon@100.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\New Blue\d19.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\CreateFolderFence@200.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\d9a.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\PagerBackC.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\FolderIcon@300.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\NavigateUpIcon@250.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\eula.txt
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\PagerBullet.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\DropdownIcon@275.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Layouts\TopBottom.fencelayout
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\New Blue\d4a.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\DropdownIcon@175.png

Porcal4.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All