Category: Microsoft
Macros in word have died
I am a newbie here; I generally never post anything on message boards. But I am at a complete loss. I don’t know anything about coding, and I absolutely hate being forced into learning VBA for anything but alphabet soup.
A couple of weeks ago, one of my macros that I had been using for about a year just stopped working. There was no explanation. It just stopped working. Then another one died, and another. I am finally down to none of the macros I recorded in Word working. I use these about 20 times a day to reformat other people’s copies, so it’s not like it is convenient to do without them. (remove all hyperlinks, extra returns, tabs, and add an indent). All individual macros using keyboard commands.
Unless someone has an answer, I am going to be forced to copy the original and paste into a new doc with no formatting. Which creates a whole new set of problems — I will have to compare the two docs to see what the writer had formatted (italics, bullets, bold, etc.) and redo their work.
I use Office 365 on a Mac with Sonoma OS.
Like I said, I am no programmer and should not have to learn VBA because the macros were working until recently.
Thank you to anyone who can help!
Print Button options in Word
New to this community and a newbie question.
Is it possible to add a print button to a Word document that opens the print document dialog box?
I have figured out how to add an ActiveX Command button with [ActiveDocument.PrintOut Range:=wdPrintCurrentPage]. Unfortunately that prints directly to the default printer. I can see this causing some issues in an office with multiple printers.
Additional context: I am working with a French and English document (more of a form). At some point I would like to have two print buttons, one for the French pages and the other for the English pages.
Maybe there is a better way than a print button? Maybe there is a way to click a button and have an alternate language come up or groups of fields turn on/off.
Benefit to use lightroom along with Microsoft
Using Lightroom along with Microsoft offers several benefits, especially for photographers and creatives:
Seamless Integration: Lightroom integrates smoothly with Microsoft platforms, allowing for easy access to your photos and efficient workflow management.
Organization: Microsoft’s file management systems, like OneDrive or SharePoint, can be used to store your Lightroom catalog and photos. This ensures that your files are securely backed up and accessible from anywhere with an internet connection.
Collaboration: If you work in a team or with clients, Microsoft’s collaboration tools such as Teams or SharePoint enable easy sharing and collaboration on your Lightroom APK projects.
Efficient Editing: Lightroom’s powerful editing features combined with Microsoft’s multitasking capabilities allow you to edit photos seamlessly while managing other tasks, such as email or document editing.
Cross-Platform Access: Microsoft applications are available on various devices and platforms. This means you can access and work on your Lightroom projects from your desktop, laptop, tablet, or smartphone, regardless of the operating system.
Security: Microsoft offers robust security features, ensuring that your Lightroom catalog and photos are protected from unauthorized access or loss.
Automated Backups: By using Microsoft’s backup solutions, you can set up automated backups for your Lightroom catalog and photos, providing an extra layer of protection against data loss.
Overall, integrating Lightroom with Microsoft platforms enhances your productivity, collaboration, and security, making it easier to manage and edit your photos effectively.
HOW QUICKLY WILL I GET MY GLUCOALERT REVIEWS AFTER THE ORDER HAS BEEN PLACED?
GlucoAlert is all-natural, all organic. You might want to check the ingredients list to know more about what goes into each bottle of GlucoAlert……
Trusted Seller, Fast Shipping, And Easy Returns. Learn More
GlucoAlert Reviews – We’ll ship your order directly to your home or office using a premium carrier such as FedEx or UPS. If you’re in the US or Canada you can expect your order to be shipped within 5 to 7 business days. International orders take 8 – 15 business days (plus customs clearance time).
I have several questions involving WSL and Docker Desktop
Today I discovered that the SQL Server Developer Edition database I created is no longer available, because the machine it was on has died. Fortunately, I saved a full backup of the database to my OneDrive, so I should be able to restore it.
A couple of months ago I thought I’d give Docker Desktop a try; however, because I’ve been developing in Windows for a long time, I wanted to get a Windows container going in Docker Desktop. I ran into problems, then other priorities came along, etc. Bottom line, I’m only now getting back to it.
I’ve tried to determine what version of WSL I have installed, following instructions I found here, but that didn’t work. Instead, I got this error:
Windows Subsystem for Linux has no installed distributions.
Distributions can be installed by visiting the Microsoft Store:
https://aka.ms/wslstore
So, I went to the Microsoft Store and was shown two different WSL 2 versions. Which do I get?
But I’m wondering, do I need to install Ubuntu into a WSL 2 instance? I thought that was installed automatically when I installed Docker Desktop. But I don’t understand why I get the error I do.
Bottom line, I don’t understand how to use WSL 2, Docker Desktop, the Ubuntu distro, etc., because I’m performing searches and getting bits and pieces out of order. I’m lost and very confused. I’d appreciate some direction, please.
Outlook and .heic
I have Outlook with an Outlook.com account on my iPhone as my default email client. When I send pictures in an e-mail, these pictures may be in .heic format.
Please install a viewer for .heic on all Windows versions. Apple devices are now so widespread that it no longer makes sense to ignore the proprietary Apple formats.
Thank you very much.
SSIS from SQL Server to Snowflake not working from sql server agent or DTEXEC
Hi,
We are setting up SSIS package to move data from SQL Server 2022 standard edition to Snowflake (64 bit odbc driver) and it works fine from Visual Studio but getting following error when running from agent or command line:
The component metadata for “ODBC Destination, clsid {C1463F00-2FAF-4AD4-A212-C9D9CCB54575}” could not be upgraded to the newer version of the component. The PerformUpgrade method failed.
Can we use snowflake ODBC destination in the standard edition or what possibly could be the issue.
Regards
–Harvinder
Preventing copying Copilot responses in protected meetings
With DLP, Purview and Teams Premium it’s possible to prevent meeting chat being copied, but I can’t see any way to do this with responses generated by Copilot… Anyone got any ideas or solutions for this?
Unauthorized Sandbox use detected. Your sandbox has been terminated
Hello Community.
I started some modules to get official certifications from MS and I got this lock. I really do not know what the reason was. (Usually I use 3 different IP addresses: from work (direct and VPN) and from home.)
The module where I’ve got the lock is the following: Describe Azure Storage Services. Link
As you can see, I already sent the appeal but I still have not received any response. I would greatly appreciate all the help you can give me.
Sharing Applied Skills credentials
I am having trouble sharing validated details of my Microsoft credentials.
Can’t install Microsoft 365 in my computer
Hi everybody. I bought this product but it only shows my documents in the cloud. When I try to install the apps in my computer, I get several error messages, “you need administrator permissions” and others. I uninstalled previous versions of Office. In my receipt I don’t have a key. I spent two hours trying to solve it. But really, I can’t install Office apps from the cloud to my computer. I can only see the documents in the cloud. I appreciate your help, Sylvia
Abnormal behavior in users’ devices
Hi security guys,
I am facing strange behavior on Microsoft EDR: the timeline shows that Windows Defender Advanced Threat Protection\SenseIR.exe is using fake accounts which do not exist in Microsoft Active Directory and Azure Active Directory.
Is this considered normal behavior, a hack, or a Windows Defender Advanced Threat Protection zero-day vulnerability?
Below is a sample from the timeline related to the fake account.
Thanks in advance.
AVD RemoteApp not showing in web client taskbar
We have set up a new AVD RemoteApp environment for one of our customers (about 50 users). They will primarily use the AVD webclient (Connect to Azure Virtual Desktop with the Remote Desktop Web client – Azure | Microsoft Learn).
Upon testing we have noticed that some of our apps aren’t displaying in the top taskbar of the webclient (see screenshot). The app opens fine, but just isn’t displaying in the taskbar.
This is annoying because upon minimizing the app there is no way to open the app again…
Has anyone seen this before? Any workarounds?
Help appreciated,
Microsoft form lost data after removing questions
Hi all,
I removed questions from a form after we received enough registrations. I didn’t notice it would delete all the data as well. Is it possible to recover the data somehow? I did not sync it in time unfortunately.
I hope someone can help me, thanks!
Word Add-in
How can I make the Add-in function available in Word?
Outlook mail
My outlook mail keeps freezing or crashing on Chrome. I have cleared cache, uninstalled chrome and reinstalled and problem still keeps happening. I don’t have the problem with other internet browsing crashing.
Unassigned Tasks Disappeared
Yesterday I entered many unassigned tasks in To Do on my iPad as a brain dump. The first thing I noticed was they did not sync across devices. So I thought I would wait and see if they did. Now today I find those tasks are nowhere to be found, not even on my iPad. Any thoughts on what happened and how to resolve this issue?
Various false infection names found on SETUP
There are various false infection names found in my new SETUP by Defender.
Please mark the SETUP.EXE as legit.
false infection found: Malgent.B!ml (trying to write to registry key HKEY_CURRENT_USER\Software\VB and VBA Program Settings\EazRENAMER ..)
false infection found: Caynamer.A!ml
false infection found: Phonzy.B!ml
false infection found: Wacatac.B!ml
download of the program: http://eatme.pro/download/renamer-win10
VB6 source of the SETUP below (finding all these falses):
VERSION 5.00
Begin VB.Form frmMain
   BorderStyle = 1 'Fixed Single
   Caption = "Renamer by EatMe Setup"
   ClientHeight = 3585
   ClientLeft = 45
   ClientTop = 330
   ClientWidth = 4785
   Icon = "frmMain.frx":0000
   LinkTopic = "Form1"
   MaxButton = 0 'False
   MinButton = 0 'False
   Picture = "frmMain.frx":030A
   ScaleHeight = 3585
   ScaleWidth = 4785
   StartUpPosition = 2 'CenterScreen
   Begin VB.CommandButton cmdNext
      Caption = "&Uninstall"
      Height = 300
      Index = 2
      Left = 120
      TabIndex = 14
      ToolTipText = "Uninstall Renamer by EatMe"
      Top = 2760
      Visible = 0 'False
      Width = 1335
   End
   Begin VB.CommandButton cmdNext
      Caption = "&Uninstall"
      Height = 300
      Index = 1
      Left = 120
      TabIndex = 6
      ToolTipText = "Uninstall Renamer by EatMe"
      Top = 2760
      Width = 1335
   End
   Begin VB.CommandButton cmdNext
      Caption = "&Next"
      Height = 300
      Index = 0
      Left = 120
      TabIndex = 5
      ToolTipText = "Install Renamer by EatMe"
      Top = 3120
      Width = 1335
   End
   Begin VB.CommandButton Command1
      Cancel = -1 'True
      Caption = "&Cancel"
      Height = 300
      Left = 3360
      TabIndex = 4
      ToolTipText = "Exit setup"
      Top = 3120
      Width = 1335
   End
   Begin VB.CommandButton cmdBrowse
      Caption = "&Browse..."
      Height = 300
      Left = 3360
      TabIndex = 3
      ToolTipText = "Browse for the installation path"
      Top = 2160
      Width = 1335
   End
   Begin VB.TextBox Text1
      BeginProperty Font
         Name = "Tahoma"
         Size = 8.25
         Charset = 0
         Weight = 400
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      Height = 285
      Left = 120
      TabIndex = 2
      Text = "C:\WinUtil\Renamer"
      ToolTipText = "The path where Renamer by EatMe will be installed"
      Top = 1800
      Width = 4575
   End
   Begin VB.Label lblProgHundred
      BackStyle = 0 'Transparent
      Caption = "100%"
      BeginProperty Font
         Name = "Tahoma"
         Size = 11.25
         Charset = 0
         Weight = 700
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 255
      Left = 3840
      TabIndex = 13
      Top = 2520
      Visible = 0 'False
      Width = 735
   End
   Begin VB.Label lblProgZero
      BackStyle = 0 'Transparent
      Caption = "0%"
      BeginProperty Font
         Name = "Tahoma"
         Size = 11.25
         Charset = 0
         Weight = 700
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 255
      Left = 240
      TabIndex = 12
      Top = 2520
      Visible = 0 'False
      Width = 495
   End
   Begin VB.Label lblProgFore
      BackStyle = 0 'Transparent
      BeginProperty Font
         Name = "Tahoma"
         Size = 11.25
         Charset = 0
         Weight = 700
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 375
      Left = 360
      TabIndex = 11
      Top = 2520
      Visible = 0 'False
      Width = 4335
   End
   Begin VB.Label lblProgBack
      BackStyle = 0 'Transparent
      Caption = "__________________________"
      BeginProperty Font
         Name = "Tahoma"
         Size = 11.25
         Charset = 0
         Weight = 700
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFC0C0&
      Height = 375
      Left = 360
      TabIndex = 10
      Top = 2520
      Visible = 0 'False
      Width = 4335
   End
   Begin VB.Label lblDiskFree
      BackStyle = 0 'Transparent
      Caption = "Free:"
      BeginProperty Font
         Name = "Tahoma"
         Size = 11.25
         Charset = 0
         Weight = 400
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 255
      Left = 360
      TabIndex = 9
      Top = 2640
      Width = 4335
   End
   Begin VB.Label lblDiskReq
      BackStyle = 0 'Transparent
      Caption = "Required: < 1 Mb"
      BeginProperty Font
         Name = "Tahoma"
         Size = 11.25
         Charset = 0
         Weight = 400
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 255
      Left = 360
      TabIndex = 8
      Top = 2400
      Width = 2895
   End
   Begin VB.Label lblDisk
      BackStyle = 0 'Transparent
      Caption = "Disk space"
      BeginProperty Font
         Name = "Tahoma"
         Size = 11.25
         Charset = 0
         Weight = 400
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 255
      Left = 240
      TabIndex = 7
      Top = 2160
      Width = 3015
   End
   Begin VB.Label Label2
      BackStyle = 0 'Transparent
      Caption = "Target Directory:"
      BeginProperty Font
         Name = "Tahoma"
         Size = 14.25
         Charset = 0
         Weight = 700
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 375
      Left = 120
      TabIndex = 1
      Top = 1440
      Width = 4575
   End
   Begin VB.Label Label1
      Alignment = 2 'Center
      BackStyle = 0 'Transparent
      Caption = "#"
      BeginProperty Font
         Name = "Tahoma"
         Size = 14.25
         Charset = 0
         Weight = 700
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 1455
      Left = 120
      TabIndex = 0
      Top = 120
      Width = 4575
   End
End
Attribute VB_Name = "frmMain"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
' Helper routines exported by the setup.dll that ships next to SETUP.EXE
Private Declare Function fCreateShellLink Lib "setup.dll" (ByVal _
    lpstrFolderName As String, ByVal lpstrLinkName As String, ByVal _
    lpstrLinkPath As String, ByVal lpstrLinkArgs As String) As Long
Private Declare Function DiskSpaceFree Lib "setup.dll" Alias "DISKSPACEFREE" () As Long
Private Declare Function fRemoveShellLink Lib "setup.dll" (ByVal lpstrFolderName As String, ByVal lpstrLinkName As String) As Long
Private Declare Function DLLSelfRegister Lib "setup.dll" (ByVal lpDllName As String) As Integer

Private Sub cmdBrowse_Click()
    frmFolder.Show vbModal, frmMain
    GetFreeDiskSpace
End Sub

Private Sub cmdNext_Click(Index As Integer)
    Dim lReturn As Long
    Dim w$, i$, P$, prfx$, prf$
    Select Case Index
        Case 2 ' Uninstall
            If MsgBox("Are you sure you want to uninstall?", vbYesNo + vbExclamation, App.Title) = vbYes Then
                cmdNext(2).Visible = False
                Label1.Caption = "Uninstalling..."
                Label2.Visible = False
                Text1.Visible = False
                Command1.Visible = False
                Me.Refresh
                DoEvents
                ' Make sure the install path ends with a backslash
                a$ = Text1.Text & IIf(Right(Text1.Text, 1) = "\", "", "\")
                On Error Resume Next
                Kill a$ & "renamer.exe"
                Kill a$ & "about.htm"
                Kill a$ & "screenshot.jpg"
                Kill a$ & "HelpFileList.htm"
                Kill a$ & "HelpFileList.htm"
                Kill a$ & "HelpAddFile.bmp"
                Kill a$ & "HelpAddPath.bmp"
                Kill a$ & "TestThis*.tst"
                RmDir a$ & "Help"
                RmDir a$ & "TestThis"
                Kill a$ & "setup.exe"
                Kill a$ & "setup.dll"
                'Remove from Desktop
                fRemoveShellLink "..\..\Desktop", "Renamer"
                'Remove from Program Menu Group
                fRemoveShellLink "", "Renamer"
                ' SaveSetting writes under HKEY_CURRENT_USER\Software\VB and VBA Program Settings
                SaveSetting "EazRENAMER", "Installer", "InstallDir", "UNINSTALLED"
                Err.Clear
                On Error Resume Next
                RegDelete HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Uninstall\EazRENAMER"
                If Err Then
                    MsgBox "Could not delete Renamer Setup from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Uninstall\EazRENAMER", vbCritical + vbOKOnly, App.Title
                    Err.Clear
                End If
                If Not CompleteInstallKit() Then
                    Label1.Caption = "Uninstallation completed."
                    cmdNext(0).Visible = False
                Else
                    Label1.Caption = "Uninstallation completed. You can now re-install."
                    Text1.Text = "C:\WINUTIL\RENAMER"
                    Text1.Visible = True
                    Text1.Enabled = True
                    Text1.Locked = False
                    cmdNext(0).Visible = True
                    cmdBrowse.Visible = True
                    lblDisk.Visible = True
                    lblDiskReq.Visible = True
                    GetFreeDiskSpace
                    lblDiskFree.Visible = True
                End If
            End If
        Case 0 ' install
            ' Refuse to install under either Program Files folder
            prf$ = Environ$("ProgramW6432")
            prfx$ = Environ$("ProgramFiles(x86)")
            If (UCase(Left(Text1.Text, Len(prf$))) = UCase(prf$)) Or (UCase(Left(Text1.Text, Len(prfx$))) = UCase(prfx$)) Then
                MsgBox "Renamer can not be installed in Program Files due to permission for writing Undo files. Choose another folder.", vbInformation + vbOKOnly, App.Title
                Exit Sub
            ElseIf Len(Text1.Text) < 3 Then
                MsgBox "Enter target directory for installation first.", vbCritical + vbOKOnly, App.Title
                Exit Sub
            End If
            cmdNext(0).Visible = False
            cmdNext(1).Visible = False
            Label1.Caption = "Installing..."
            Label2.Visible = False
            Text1.Visible = False
            Command1.Visible = False
            cmdBrowse.Visible = False
            lblDisk.Visible = False
            lblDiskReq.Visible = False
            lblDiskFree.Visible = False
            lblProgBack.Visible = True
            lblProgFore.Visible = True
            lblProgZero.Visible = True
            lblProgHundred.Visible = True
            SetProgress
            Me.Refresh
            DoEvents
            Screen.MousePointer = vbHourglass
            ' P$ = folder setup runs from, i$ = install folder, w$ = Windows folder (each ends with "\")
            P$ = UCase(App.Path & IIf(Right(App.Path, 1) = "\", "", "\"))
            i$ = UCase(Text1.Text & IIf(Right(Text1.Text, 1) = "\", "", "\"))
            w$ = Environ("WinDir")
            w$ = w$ & IIf(Right(w$, 1) = "\", "", "\")
            On Error Resume Next
            'Create Dir(s)
            ' Each loop walks the path one "\" at a time and creates every parent folder
            j$ = i$ & "FileList"
            mk$ = j$
            mf$ = ""
            Do
                sp% = InStr(mk$, "\")
                If sp% <= 0 Then Exit Do
                Mid(mk$, sp%, 1) = "/"
                mf$ = Left(j$, sp%)
                MkDir mf$
            Loop
            j$ = i$ & "Help"
            mk$ = j$
            mf$ = ""
            Do
                sp% = InStr(mk$, "\")
                If sp% <= 0 Then Exit Do
                Mid(mk$, sp%, 1) = "/"
                mf$ = Left(j$, sp%)
                MkDir mf$
            Loop
            j$ = i$ & "TestThis"
            mk$ = j$
            mf$ = ""
            Do
                sp% = InStr(mk$, "\")
                If sp% <= 0 Then Exit Do
                Mid(mk$, sp%, 1) = "/"
                mf$ = Left(j$, sp%)
                MkDir mf$
            Loop
            j$ = i$ & "Undo"
            mk$ = j$
            mf$ = ""
            Do
                sp% = InStr(mk$, "\")
                If sp% <= 0 Then Exit Do
                Mid(mk$, sp%, 1) = "/"
                mf$ = Left(j$, sp%)
                MkDir mf$
            Loop
            'If Dir(w$ & "SYSTEM\COMDLG32.OCX") = "" Then
            ' Readfile$ = "MP3RND.4"
            ' WriteFile$ = "COMDLG32.OCX"
            ' On Error GoTo ReadErr
            ' Open P$ & "mp3rnd.4" For Binary As #1
            ' On Error GoTo WriteErr
            ' Open w$ & "system\comdlg32.ocx" For Output As #2
            ' Close #2
            ' Open w$ & "system\comdlg32.ocx" For Binary As #2
            ' Do While Not EOF(1)
            ' z$ = " "
            ' On Error GoTo ReadErr
            ' Get #1, , z$
            ' On Error GoTo WriteErr
            ' Put #2, , z$
            ' Loop
            ' Close
            'End If
            'DLLSelfRegister w$ & "system\comdlg32.ocx"
            SetProgress
            ' Copy each packaged file (renamer.N) byte by byte to its installed name
            Readfile$ = "RENAMER.1"
            WriteFile$ = "RENAMER.EXE"
            On Error GoTo ReadErr
            Open P$ & "renamer.1" For Binary As #1
            On Error GoTo WriteErr
            Open i$ & "Renamer.exe" For Output As #2
            Close #2
            Open i$ & "Renamer.exe" For Binary As #2
            Do While Not EOF(1)
                z$ = " "
                On Error GoTo ReadErr
                Get #1, , z$
                On Error GoTo WriteErr
                Put #2, , z$
            Loop
            Close
            SetProgress
            Readfile$ = "RENAMER.2"
            WriteFile$ = "SCREENSHOT.JPG"
            On Error GoTo ReadErr
            Open P$ & "renamer.2" For Binary As #1
            On Error GoTo WriteErr
            Open i$ & "screenshot.jpg" For Output As #2
            Close #2
            Open i$ & "screenshot.jpg" For Binary As #2
            Do While Not EOF(1)
                z$ = " "
                On Error GoTo ReadErr
                Get #1, , z$
                On Error GoTo WriteErr
                Put #2, , z$
            Loop
            Close
            SetProgress
            Readfile$ = "RENAMER.3"
            WriteFile$ = "ABOUT.HTM"
            On Error GoTo ReadErr
            Open P$ & "renamer.3" For Binary As #1
            On Error GoTo WriteErr
            Open i$ & "about.htm" For Output As #2
            Close #2
            Open i$ & "about.htm" For Binary As #2
            Do While Not EOF(1)
                z$ = " "
                On Error GoTo ReadErr
                Get #1, , z$
                On Error GoTo WriteErr
                Put #2, , z$
            Loop
            Close
            SetProgress
            ' setup.dll and setup.exe are copied only when missing or when installing to a different folder
            If Dir(i$ & "setup.dll") = "" Or P$ <> i$ Then
                Readfile$ = "SETUP.DLL"
                WriteFile$ = "SETUP.DLL"
                On Error GoTo ReadErr
                Open P$ & "setup.dll" For Binary As #1
                On Error GoTo WriteErr
                Open i$ & "setup.dll" For Output As #2
                Close #2
                Open i$ & "setup.dll" For Binary As #2
                Do While Not EOF(1)
                    z$ = " "
                    On Error GoTo ReadErr
                    Get #1, , z$
                    On Error GoTo WriteErr
                    Put #2, , z$
                Loop
                Close
            End If
            SetProgress
            If Dir(i$ & "setup.exe") = "" Or P$ <> i$ Then
                Readfile$ = "SETUP.EXE"
                WriteFile$ = "SETUP.EXE"
                On Error GoTo ReadErr
                Open P$ & "setup.exe" For Binary As #1
                On Error GoTo WriteErr
                Open i$ & "setup.exe" For Output As #2
                Close #2
                Open i$ & "setup.exe" For Binary As #2
                Do While Not EOF(1)
                    z$ = " "
                    On Error GoTo ReadErr
                    Get #1, , z$
                    On Error GoTo WriteErr
                    Put #2, , z$
                Loop
                Close
            End If
            SetProgress
            Readfile$ = "RENAMER.4"
            WriteFile$ = "HELPADDFILE.BMP"
            On Error GoTo ReadErr
            Open P$ & "renamer.4" For Binary As #1
            On Error GoTo WriteErr
            Open i$ & "HelpAddFile.bmp" For Output As #2
            Close #2
            Open i$ & "HelpAddFile.bmp" For Binary As #2
            Do While Not EOF(1)
                z$ = " "
                On Error GoTo ReadErr
                Get #1, , z$
                On Error GoTo WriteErr
                Put #2, , z$
            Loop
            Close
            SetProgress
            Readfile$ = "RENAMER.5"
            WriteFile$ = "HELPADDPATH.BMP"
            On Error GoTo ReadErr
            Open P$ & "renamer.5" For Binary As #1
            On Error GoTo WriteErr
            Open i$ & "HelpAddPath.bmp" For Output As #2
            Close #2
            Open i$ & "HelpAddPath.bmp" For Binary As #2
            Do While Not EOF(1)
                z$ = " "
                On Error GoTo ReadErr
                Get #1, , z$
                On Error GoTo WriteErr
                Put #2, , z$
            Loop
            Close
            SetProgress
            Readfile$ = "RENAMER.6"
            WriteFile$ = "HELPFILELIST.HTM"
            On Error GoTo ReadErr
            Open P$ & "renamer.6" For Binary As #1
            On Error GoTo WriteErr
            Open i$ & "HelpFileList.htm" For Output As #2
            Close #2
            Open i$ & "HelpFileList.htm" For Binary As #2
            Do While Not EOF(1)
                z$ = " "
                On Error GoTo ReadErr
                Get #1, , z$
                On Error GoTo WriteErr
                Put #2, , z$
            Loop
            Close
            SetProgress
            ' Temporarily rename renamer.7 to presets.reg and import it silently with regedit
            Readfile$ = "RENAMER.7"
            WriteFile$ = "PRESETS.REG"
            On Error GoTo WriteErr
            Name P$ & "renamer.7" As P$ & "presets.reg"
            On Error Resume Next
            Shell (w$ & "regedit.exe /s " & P$ & "presets.reg")
            Err.Clear
            DoEvents
            DoEvents
            DoEvents
            SetProgress
            Readfile$ = ""
            WriteFile$ = "10x empty test file"
            On Error GoTo WriteErr
            Open i$ & "TestThis1_Artist___CD___Title.tst" For Output As #2
            Close #2
            Open i$ & "TestThis2_Artist___CD___Title.tst" For Output As #2
            Close #2
            Open i$ & "TestThis3_Artist___CD___Title.tst" For Output As #2
            Close #2
            Open i$ & "TestThis4_Artist___CD___Title.tst" For Output As #2
            Close #2
            Open i$ & "TestThis5_Artist___CD___Title.tst" For Output As #2
            Close #2
            Open i$ & "TestThis6_Artist___CD___Title.tst" For Output As #2
            Close #2
            Open i$ & "TestThis7_Artist___CD___Title.tst" For Output As #2
            Close #2
            Open i$ & "TestThis8_Artist___CD___Title.tst" For Output As #2
            Close #2
            Open i$ & "TestThis9_Artist___CD___Title.tst" For Output As #2
            Close #2
            Open i$ & "TestThis10_Artist___CD___Title.tst" For Output As #2
            Close #2
            On Error Resume Next
            SetProgress
            'Add to Desktop
            lReturn = fCreateShellLink("..\..\Desktop", _
                "Renamer", i$ & "Renamer.exe", "")
            'Add to Program Menu Group
            lReturn = fCreateShellLink("", "Renamer", _
                i$ & "Renamer.exe", "")
            SaveSetting "EazRENAMER", "Installer", "InstallDir", i$
            ' Register the uninstall entry shown in Windows' installed-programs list
            RegCreate HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Uninstall\EazRENAMER"
            RegSet HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Uninstall\EazRENAMER", "DisplayName", "Renamer by EatMe 2.4.5.w11", REG_SZ
            RegSet HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Uninstall\EazRENAMER", "UninstallString", i$ & "setup.exe", REG_SZ
            SetProgress
            ' Rename presets.reg back to renamer.7
            Readfile$ = "RENAMER.7"
            WriteFile$ = "PRESETS.REG"
            On Error GoTo ReadErr
            Name P$ & "presets.reg" As P$ & "RENAMER.7"
            On Error Resume Next
            SetProgress
            Label1.Caption = "Completed installation."
Case 1 ' uninstall
If MsgBox("Are you sure you want to uninstall?", vbYesNo + vbExclamation, App.Title) = vbYes Then
    cmdNext(0).Visible = False
    cmdNext(1).Visible = False
    Label1.Caption = "Uninstalling..."
    Label2.Visible = False
    Text1.Visible = False
    Command1.Visible = False
    Me.Refresh
    DoEvents
    On Error Resume Next
    w$ = Environ("WinDir")
    w$ = w$ & IIf(Right(w$, 1) = "\", "", "\")
    a$ = Text1.Text & IIf(Right(Text1.Text, 1) = "\", "", "\")
    Kill a$ & "renamer.exe"
    Kill a$ & "about.htm"
    Kill a$ & "screenshot.jpg"
    Kill a$ & "HelpFileList.htm"
    Kill a$ & "HelpAddFile.bmp"
    Kill a$ & "HelpAddPath.bmp"
    Kill a$ & "TestThis*.tst"
    RmDir a$ & "Help"
    RmDir a$ & "TestThis"
    Kill a$ & "setup.exe"
    Kill a$ & "setup.dll"
    'Remove from Desktop
    fRemoveShellLink "..\..\Desktop", "Renamer"
    'Remove from Program Menu Group
    fRemoveShellLink "", "Renamer"
    SaveSetting "EazRENAMER", "Installer", "InstallDir", "UNINSTALLED"
    Err.Clear
    On Error Resume Next
    RegDelete HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Uninstall\EazRENAMER"
    If Err Then
        MsgBox "Could not delete Renamer Setup from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Uninstall\EazRENAMER", vbCritical + vbOKOnly, App.Title
        Err.Clear
    End If
    If Not CompleteInstallKit(a$) Then
        Label1.Caption = "Uninstalled. Please delete the remaining SETUP and own files from the Renamer folder."
    Else
        Label1.Caption = "Uninstallation completed."
    End If
End If
End Select
EndSub:
Screen.MousePointer = vbDefault
Command1.Caption = "E&xit"
Command1.Visible = True
Me.Refresh
DoEvents
Exit Sub
ReadErr:
MsgBox "An error occured while reading the following file: " & vbCrLf & vbCrLf & _
    Readfile$ & vbCrLf & vbCrLf & _
    Err.Description & vbCrLf & vbCrLf & _
    "Setup can not continue the installation.", vbCritical + vbOKOnly, App.Title
Label1.Caption = "An error occured while installing."
Resume EndSub
WriteErr:
MsgBox "An error occured while writing the following file: " & vbCrLf & vbCrLf & _
    WriteFile$ & vbCrLf & vbCrLf & _
    Err.Description & vbCrLf & vbCrLf & _
    "Setup can not continue the installation.", vbCritical + vbOKOnly, App.Title
Label1.Caption = "An error occured while installing."
Resume EndSub
End Sub
Private Sub Command1_Click()
    EndMe
End Sub
Private Sub GetFreeDiskSpace()
    Dim l As Long
    On Error Resume Next
    ChDrive Left$(Text1.Text, 2)
    l = DiskSpaceFree
    t$ = "bytes"
    If l > 1024 Then l = l / 1024: t$ = "Kb"
    If l > 1024 Then l = l / 1024: t$ = "Mb"
    If l > 1024 Then l = l / 1024: t$ = "Gb"
    If l >= 2 And t$ = "Gb" Then z$ = " > "
    lblDiskFree.Caption = "Free: " & z$ & CStr(l) & " " & t$
    Me.Refresh
    DoEvents
End Sub
Private Sub Form_Load()
    ' Check Renamer
    a$ = GetSetting("EazRENAMER", "Installer", "InstallDir", "")
    If a$ = "UNINSTALLED" Then a$ = ""
    If a$ <> "" Then
        a$ = a$ & IIf(Right(a$, 1) = "\", "", "\")
        Text1.Text = a$
        If Dir(a$ & "RENAMER.EXE") <> "" Then
            Uninstall a$: Exit Sub
        End If
    End If
    a$ = GetSetting("EazRENAMER", "Installer", "InstallDir", "")
    If UCase$(a$) = "UNINSTALLED" And CompleteInstallKit = False Then
        Label1.Caption = ""
        Label2.Visible = False
        Text1.Visible = False
        cmdBrowse.Visible = False
        cmdNext(0).Visible = False
        cmdNext(1).Visible = False
        lblDisk.Visible = False
        lblDiskReq.Visible = False
        lblDiskFree.Visible = False
        Command1.Caption = "E&xit"
        w$ = Environ("WinDir")
        w$ = w$ & IIf(Right(w$, 1) = "\", "", "\")
        MsgBox "Renamer has been uninstalled." & vbCrLf & vbCrLf & _
            "You can delete the remaining SETUP and own files from the Renamer directory.", vbOKOnly + vbInformation, App.Title
        Exit Sub
    End If
    If CompleteInstallKit = False Then
        Label1.Caption = "You can delete this file (SETUP.EXE)."
        Label2.Visible = False
        Text1.Visible = False
        cmdNext(1).Visible = False
        cmdNext(0).Visible = False
        cmdBrowse.Visible = False
        Command1.Caption = "E&xit"
        lblDisk.Visible = False
        lblDiskReq.Visible = False
        lblDiskFree.Visible = False
        Me.Refresh
        DoEvents
    Else
        Label1.Caption = "Click Next to install Renamer by EatMe to your computer."
        cmdNext(1).Visible = False
        GetFreeDiskSpace
    End If
End Sub
' True when every payload file of the install kit is present in AppPath$
' (defaults to the folder the installer itself runs from)
Function CompleteInstallKit(Optional ByVal AppPath$ = "") As Boolean
    If AppPath$ = "" Then AppPath$ = App.Path & IIf(Right(App.Path, 1) = "\", "", "\")
    If Dir(AppPath$ & "renamer.1") <> "" And _
       Dir(AppPath$ & "renamer.2") <> "" And _
       Dir(AppPath$ & "renamer.3") <> "" And _
       Dir(AppPath$ & "renamer.4") <> "" And _
       Dir(AppPath$ & "renamer.5") <> "" And _
       Dir(AppPath$ & "renamer.6") <> "" And _
       Dir(AppPath$ & "renamer.7") <> "" And _
       Dir(AppPath$ & "renamer.8") <> "" And _
       Dir(AppPath$ & "setup.dll") <> "" And _
       Dir(AppPath$ & "setup.exe") <> "" Then
        CompleteInstallKit = True
    Else
        CompleteInstallKit = False
    End If
End Function
Sub OldUninstall(RENAMERdir$)
    Label1.Caption = "Remove Renamer"
    Label2.Caption = "Location:"
    Text1.Text = RENAMERdir$
    Text1.Locked = True
    Text1.ToolTipText = "Location of Renamer"
    cmdNext(1).Visible = False
    cmdNext(2).Visible = True
    If CompleteInstallKit Then
        Label1.Caption = "Remove Renamer before re-installing Renamer.."
    End If
    cmdNext(2).Top = 3120
    cmdBrowse.Visible = False
    lblDisk.Visible = False
    lblDiskReq.Visible = False
    lblDiskFree.Visible = False
End Sub
Sub Uninstall(RENAMERdir$)
    Label1.Caption = "Remove Renamer"
    Label2.Caption = "Location:"
    Text1.Text = RENAMERdir$
    Text1.Locked = True
    Text1.ToolTipText = "Location of Renamer"
    If CompleteInstallKit Then
        Label1.Caption = "Remove or Reinstall Renamer"
        cmdNext(0).Visible = True
        cmdNext(0).Caption = "&Reinstall"
        cmdNext(1).Top = 2760
    Else
        cmdNext(1).Top = 3120
    End If
    cmdBrowse.Visible = False
    lblDisk.Visible = False
    lblDiskReq.Visible = False
    lblDiskFree.Visible = False
End Sub
Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
    EndMe
End Sub
Private Sub Form_Terminate()
    EndMe
End Sub
Private Sub Text1_LostFocus()
    GetFreeDiskSpace
End Sub
Private Sub SetProgress()
    lblProgFore = lblProgFore.Caption & "__"
    Me.Refresh
    DoEvents
End Sub