Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 21, 2021, 11 a.m.	Oct. 21, 2021, 11:02 a.m.

Size	7.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`27828516c38739491a3d20e733850aa5`
SHA256	`2e8b750d6a8b14cff802d89ba55447014d63ffd4c5c711f36e900d6a9aff66df`
CRC32	`A1C09214`
ssdeep	`196608:QL6ocnTV67JnbhUtuvbPORiE9Z1v8KMf4UUIHSMi:a6JnTE7Jn1UGW7v8HQsi`
PDB Path	C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb
Yara	Antivirus - Contains references to security software PE_Header_Zero - PE File Signature OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

Porcal4.exe "C:\Users\test22\AppData\Local\Temp\Porcal4.exe"
2420
- msiexec.exe "C:\Windows\system32\msiexec.exe" /i "C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\adv.msi" AI_SETUPEXEPATH=C:\Users\test22\AppData\Local\Temp\Porcal4.exe SETUPEXEDIR=C:\Users\test22\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1634781541 " AI_EUIMSI=""
  2724
explorer.exe C:\Windows\Explorer.EXE
1924

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.7.214.157	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.103:49424 185.7.214.157:666	None	None	None

Queries for the computername (7 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 21, 2021, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 21, 2021, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 21, 2021, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 21, 2021, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 21, 2021, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 21, 2021, 11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 21, 2021, 11 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 21, 2021, 11 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 21, 2021, 11 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	IMAGE_FILE
resource name	RTF_FILE

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 21, 2021, 11 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x762bf777 NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x74fc419a NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x7504011d WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x761bb641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x761bb5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x761bb172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x761ba66e CoRegisterMessageFilter+0x421e ObjectStublessClient5-0xe4b ole32+0x3a817 @ 0x761ba817 CoRegisterMessageFilter+0x4188 ObjectStublessClient5-0xee1 ole32+0x3a781 @ 0x761ba781 CoRegisterMessageFilter+0x44fa ObjectStublessClient5-0xb6f ole32+0x3aaf3 @ 0x761baaf3 WdtpInterfacePointer_UserUnmarshal+0x2109 DllDebugObjectRPCHook-0x22ef ole32+0x13d380 @ 0x762bd380 DllGetClassObject+0x5403 MsiCreateAndVerifyInstallerDirectory-0x464c msi+0x26c41 @ 0x74026c41 DllGetClassObject+0x54a2 MsiCreateAndVerifyInstallerDirectory-0x45ad msi+0x26ce0 @ 0x74026ce0 MsiInvalidateFeatureCache+0x30ae6 DllRegisterServer-0xa154 msi+0x9db21 @ 0x7409db21 MsiDeterminePatchSequenceA+0x53f MsiCloseHandle-0x20fd msi+0xcdd98 @ 0x740cdd98 MsiDeterminePatchSequenceA+0x24dd MsiCloseHandle-0x15f msi+0xcfd36 @ 0x740cfd36 MsiCloseHandle+0x51 MsiCloseAllHandles-0x5d msi+0xcfee6 @ 0x740cfee6 porcal4+0x107507 @ 0x3b7507 porcal4+0x3005e @ 0x2e005e RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800401f0 exception.offset: 46887 exception.address: 0x7677b727 registers.esp: 66515016 registers.edi: 1981610512 registers.eax: 66515016 registers.ebp: 66515096 registers.edx: 1981643784 registers.ebx: 49529148 registers.esi: 2147746288 registers.ecx: 1981608192	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 21, 2021, 11 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0x108 HACCEL_UserFree-0x5 ole32+0x13f777 @ 0x762bf777
NdrPointerFree+0x1b9 IUnknown_Release_Proxy-0xb rpcrt4+0x3419a @ 0x74fc419a
NdrClientCall2+0x118 RpcAsyncInitializeHandle-0xf1 rpcrt4+0xb011d @ 0x7504011d
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x761bb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x761bb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x761bb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x761ba66e
CoRegisterMessageFilter+0x421e ObjectStublessClient5-0xe4b ole32+0x3a817 @ 0x761ba817
CoRegisterMessageFilter+0x4188 ObjectStublessClient5-0xee1 ole32+0x3a781 @ 0x761ba781
CoRegisterMessageFilter+0x44fa ObjectStublessClient5-0xb6f ole32+0x3aaf3 @ 0x761baaf3
WdtpInterfacePointer_UserUnmarshal+0x2109 DllDebugObjectRPCHook-0x22ef ole32+0x13d380 @ 0x762bd380
DllGetClassObject+0x5403 MsiCreateAndVerifyInstallerDirectory-0x464c msi+0x26c41 @ 0x74026c41
DllGetClassObject+0x54a2 MsiCreateAndVerifyInstallerDirectory-0x45ad msi+0x26ce0 @ 0x74026ce0
MsiInvalidateFeatureCache+0x30ae6 DllRegisterServer-0xa154 msi+0x9db21 @ 0x7409db21
MsiDeterminePatchSequenceA+0x53f MsiCloseHandle-0x20fd msi+0xcdd98 @ 0x740cdd98
MsiDeterminePatchSequenceA+0x24dd MsiCloseHandle-0x15f msi+0xcfd36 @ 0x740cfd36
MsiCloseHandle+0x51 MsiCloseAllHandles-0x5d msi+0xcfee6 @ 0x740cfee6
porcal4+0x107507 @ 0x3b7507
porcal4+0x3005e @ 0x2e005e
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800401f0
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 66515016
registers.edi: 1981610512
registers.eax: 66515016
registers.ebp: 66515096
registers.edx: 1981643784
registers.ebx: 49529148
registers.esi: 2147746288
registers.ecx: 1981608192

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (24 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2420 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2420 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2420 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73b11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73891000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a21000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x738f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75131000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x768e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73081000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73041000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74601000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f81000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03f20000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f72000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03b50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 21, 2021, 11 a.m.	process_identifier: 2724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (50 out of 261 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 0 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\ total_number_of_bytes: 0		0
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10232340480 free_bytes_available: 10232340480 root_path: \\?\C:\Users\test22\AppData\Roaming\ total_number_of_bytes: 10232340480	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10232131584 free_bytes_available: 10232131584 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\ total_number_of_bytes: 10232131584	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10218471424 free_bytes_available: 10218471424 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10218471424	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10216218624 free_bytes_available: 10216218624 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceW Oct. 21, 2021, 11 a.m.	number_of_free_clusters: 2494194 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10227036160 free_bytes_available: 10227036160 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10227036160	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225545216 free_bytes_available: 10225545216 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225545216	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225541120 free_bytes_available: 10225541120 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225541120	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225537024 free_bytes_available: 10225537024 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225537024	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225528832 free_bytes_available: 10225528832 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225528832	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225524736 free_bytes_available: 10225524736 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225524736	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225520640 free_bytes_available: 10225520640 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225520640	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225516544 free_bytes_available: 10225516544 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225516544	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225512448 free_bytes_available: 10225512448 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225512448	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225508352 free_bytes_available: 10225508352 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225508352	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225504256 free_bytes_available: 10225504256 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225504256	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225500160 free_bytes_available: 10225500160 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225500160	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225496064 free_bytes_available: 10225496064 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225496064	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225496064 free_bytes_available: 10225496064 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225496064	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225491968 free_bytes_available: 10225491968 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225491968	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225487872 free_bytes_available: 10225487872 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225487872	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225479680 free_bytes_available: 10225479680 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225479680	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225475584 free_bytes_available: 10225475584 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225475584	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225471488 free_bytes_available: 10225471488 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225471488	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225463296 free_bytes_available: 10225463296 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225463296	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225459200 free_bytes_available: 10225459200 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225459200	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225455104 free_bytes_available: 10225455104 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225455104	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225451008 free_bytes_available: 10225451008 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225451008	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225446912 free_bytes_available: 10225446912 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225446912	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225442816 free_bytes_available: 10225442816 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225442816	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225438720 free_bytes_available: 10225438720 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225438720	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225434624 free_bytes_available: 10225434624 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225434624	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225430528 free_bytes_available: 10225430528 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225430528	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225422336 free_bytes_available: 10225422336 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225422336	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225418240 free_bytes_available: 10225418240 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225418240	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225414144 free_bytes_available: 10225414144 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225414144	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225410048 free_bytes_available: 10225410048 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225410048	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225405952 free_bytes_available: 10225405952 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225405952	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225401856 free_bytes_available: 10225401856 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225401856	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225397760 free_bytes_available: 10225397760 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225397760	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225393664 free_bytes_available: 10225393664 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225393664	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225385472 free_bytes_available: 10225385472 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225385472	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225381376 free_bytes_available: 10225381376 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225381376	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225377280 free_bytes_available: 10225377280 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225377280	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225373184 free_bytes_available: 10225373184 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225373184	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225364992 free_bytes_available: 10225364992 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225364992	1	1
GetDiskFreeSpaceExW Oct. 21, 2021, 11 a.m.	total_number_of_free_bytes: 10225356800 free_bytes_available: 10225356800 root_path: \\?\C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ total_number_of_bytes: 10225356800	1	1

Creates executable files on the filesystem (50 out of 63 events)

file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-console-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\vcruntime140_clr0400.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\VistaBridgeLibrary.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140_atomic_wait.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\lua5.1.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\adv.msi
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140_2.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\vccorlib140.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140_1.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ucrtbase.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\API-MS-Win-core-xstate-l2-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp_win.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140_codecvt_ids.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\vcruntime140.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\powersnmp.exe
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\zlibwapi.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\SdCrashReporter.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-util-l1-1-0.dll

Drops an executable to the user AppData folder (50 out of 64 events)

file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\vccorlib140.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icuin51.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\MixPanel.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\SdCrashReporter.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\lua5.1.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp_win.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140_codecvt_ids.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\ucrtbase_clr0400.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-console-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140_2.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\msvcp140.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\API-MS-Win-core-xstate-l2-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\libftw2.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\zlibwapi.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\decoder.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\vcruntime140.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\vcruntime140_clr0400.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-file-l1-2-0.dll

File has been identified by 8 AntiVirus engines on VirusTotal as malicious (8 events)

Lionic	Trojan.Win32.Chapak.4!c
ALYac	Backdoor.Remcos.A
Sangfor	Trojan.Win32.Chapak.gen
Kaspersky	HEUR:Trojan.Win32.Chapak.gen
Ikarus	Backdoor.Win32.Remcos
GData	Win32.Backdoor.Remcos.7YHCVI
McAfee	Artemis!27828516C387
Fortinet	PossibleThreat.MU

Checks for the Locally Unique Identifier on the system for a suspicious privilege (31 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Oct. 21, 2021, 11 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

One or more of the buffers contains an embedded PE file (4 events)

buffer	Buffer with sha1: 22cb186e44dc498259107ddfef590759a79331e9
buffer	Buffer with sha1: ffd8714268003a452f8c411916b6ec43bb138b13
buffer	Buffer with sha1: fe8179ed5cdad666f787b662a376d16b1e303188
buffer	Buffer with sha1: e10c5e975a5af9a6dc6172b62347e002a9f9888d

Communicates with host for which no DNS query was performed (1 event)

host

185.7.214.157

Deletes executed files from disk (2 events)

file
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\adv.msi

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 259 events)

file
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\d12.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\NavigateUpIcon@225.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\d4a.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\CloseIcon@175.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\d18.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\DropdownIcon@250.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\lua5.1.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\next.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\New Blue\d10.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\MenuIcon@350.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\CreateFence@200.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\CloseIcon@150.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Layouts\Inital0.fencelayout
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\d17.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\MenuIcon@325.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\New Blue\d18a.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\CreateFence@100.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\NavigateUpIcon@275.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\d13a.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\holder0.aiph
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\MenuIcon@275.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\FolderIcon@250.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\API-MS-Win-core-xstate-l2-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\d8.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\FILES.7z
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\PagerBulletS@100.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\CreateFolderFence@125.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\New Blue\d3a.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\FolderIcon@100.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\New Blue\d19.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\CreateFolderFence@200.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\Classic\d9a.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\PagerBackC.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\FolderIcon@300.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\NavigateUpIcon@250.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\eula.txt
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\PagerBullet.png
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\DropdownIcon@275.png
file	C:\Users\test22\AppData\Local\Temp\MSID68.tmp
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\icons\New Blue\d4a.ico
file	C:\Users\test22\AppData\Roaming\Dart Communications\Power iCalconfigurator 15.3.6.2\install\E817FBF\Images\DropdownIcon@175.png

Porcal4.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All