Windows DLL Side-Loading In Calc

Splunk Security Content

Summary
This analytic rule detects DLL side-loading that targets `calc.exe`, the Windows calculator application. The detection relies on Sysmon Event Code 7, which logs DLL (image) loading events, and identifies DLL files loaded by `calc.exe` from locations outside the standard system directories `%systemroot%/system32` and `%systemroot%/sysWow64`. This behaviour is significant because it is associated with Qakbot malware, which abuses trusted processes to load and execute malicious DLLs and thereby bypasses traditional security measures. A successful side-load can lead to unauthorized code execution, persistence within the infected environment, and elevated privileges, representing a critical security threat. The rule alerts security teams to such activity so they can mitigate the risk and respond swiftly to potential intrusions.
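The following is an added worked example, not the rule's own SPL and not code from Splunk Security Content. It applies the logic described above to a handful of constructed Sysmon Event ID 7 records: keep only ImageLoad events whose loading process is `calc.exe`, then flag any loaded DLL whose normalized path is not under `System32` or `SysWOW64`. It assumes `%systemroot%` resolves to `C:\Windows`, and it normalizes paths (case, separators, `..` segments) so that traversal tricks and look-alike directory names such as `System32Fake` are not mistaken for the trusted locations.

```python
import ntpath
from typing import Dict, Iterable, List

# Assumption for this example: %systemroot% resolves to C:\Windows.
SYSTEM_ROOT = r"C:\Windows"
TRUSTED_DIRS = (
    ntpath.join(SYSTEM_ROOT, "System32"),
    ntpath.join(SYSTEM_ROOT, "SysWOW64"),
)

# Constructed sample records modelled on the fields Sysmon emits for
# Event ID 7 (ImageLoad); these are not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # benign: calc.exe loading a system DLL from System32
    {"EventID": "7", "Image": r"C:\Windows\System32\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    # suspicious: a copied calc.exe loading a DLL from a user-writable folder
    {"EventID": "7", "Image": r"C:\Users\alice\AppData\Local\Temp\calc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\libhelper.dll", "Signed": "false"},
    # benign: 32-bit calc.exe, forward slashes in the logged path
    {"EventID": "7", "Image": r"C:\Windows\SysWOW64\calc.exe",
     "ImageLoaded": "C:/Windows/SysWOW64/kernel32.dll", "Signed": "true"},
    # suspicious: path traversal that escapes System32 after normalization
    {"EventID": "7", "Image": r"C:\Windows\System32\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\..\Temp\traversal.dll", "Signed": "false"},
    # suspicious: look-alike directory name that a naive prefix check would accept
    {"EventID": "7", "Image": r"C:\Windows\System32\calc.exe",
     "ImageLoaded": r"C:\Windows\System32Fake\lookalike.dll", "Signed": "false"},
    # out of scope: a different process, and a non-ImageLoad event
    {"EventID": "7", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\alice\other.dll", "Signed": "false"},
    {"EventID": "1", "Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": "calc.exe"},
]


def _canon(path: str) -> str:
    """Normalize a Windows path: collapse '..', unify separators, lower-case."""
    return ntpath.normcase(ntpath.normpath(path))


def is_in_trusted_dir(path: str) -> bool:
    """True if the DLL path sits inside System32 or SysWOW64.

    The trailing separator on the trusted prefix prevents 'System32Fake'
    from matching 'System32'.
    """
    p = _canon(path)
    return any(p.startswith(_canon(d) + "\\") for d in TRUSTED_DIRS)


def is_calc_sideload(event: Dict[str, str]) -> bool:
    """Apply the rule to one event: calc.exe loading a DLL from outside the system dirs."""
    if event.get("EventID") != "7":  # only Sysmon ImageLoad events
        return False
    if ntpath.basename(_canon(event.get("Image", ""))) != "calc.exe":
        return False
    loaded = event.get("ImageLoaded", "")
    if not loaded:
        return False
    return not is_in_trusted_dir(loaded)


def find_sideload_candidates(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the ImageLoaded paths that the rule would alert on."""
    return [e["ImageLoaded"] for e in events if is_calc_sideload(e)]


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print("calc.exe side-load candidate:", hit)
```

Run against the constructed records, the function returns the three loads from the Temp folder, the traversal path, and the look-alike directory, while the System32 and SysWOW64 loads, the notepad event, and the non-Event-7 record are ignored. In a production pipeline the `Signed` field and the process's own location (a `calc.exe` running from a user profile is itself a strong signal) are natural enrichments for triage, but they are not part of the core condition the rule states.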
Categories
  • Endpoint
Data Sources
  • Process
  • File
ATT&CK Techniques
  • T1574.002
  • T1574
Created: 2024-11-13