Category: News
Abnormal Behavior in Users' Devices
Hi security guys,
I am facing strange behavior in Microsoft EDR: the timeline shows that Windows Defender Advanced Threat Protection\SenseIR.exe is using fake accounts which do not exist in Microsoft Active Directory and Azure Active Directory.
Is this considered normal behavior, a hack, or a Windows Defender Advanced Threat Protection zero-day vulnerability?
Below is a sample from the timeline that is related to the fake account.
Thanks in advance.
AVD RemoteApp not showing in web client taskbar
We have set up a new AVD RemoteApp environment for one of our customers (about 50 users). They will primarily use the AVD web client (Connect to Azure Virtual Desktop with the Remote Desktop Web client – Azure | Microsoft Learn).
Upon testing we have noticed that some of our apps aren’t displaying in the top taskbar of the web client (see screenshot). The app opens fine, but just isn’t displaying in the taskbar.
This is annoying because upon minimizing the app there is no way to open the app again…
Has anyone seen this before? Any workarounds?
Help appreciated,
pinv operation in matlab
I have a matrix X of size [32X32X10]. I want to do pinv(X), but it suggested using pagesvd(X). Now the dimension becomes [32X1X10]. However, I want the matrix dimension to remain the same, that is [32X32X10].
Failed to use C caller to run customer code
Hello, when I try to use the customer code in Simulink through C Caller, an error happens. Does anyone know how to resolve it?
Microsoft form lost data after removing questions
Hi all,
I removed questions from a form after we received enough registrations. I didn’t notice it would delete all the data as well. Is it possible to recover the data somehow? Unfortunately, I did not sync it in time.
I hope someone can help me, thanks!
Word Add-in
How can I make the Add-in function available in Word?
Outlook mail
My Outlook mail keeps freezing or crashing on Chrome. I have cleared the cache, uninstalled Chrome and reinstalled it, and the problem still keeps happening. I don’t have the problem with other internet browsing crashing.
Unassigned Tasks Disappeared
Yesterday I entered many unassigned tasks in To Do on my iPad as a brain dump. The first thing I noticed was they did not sync across devices. So I thought I would wait and see if they did. Now today I find those tasks are nowhere to be found, not even on my iPad. Any thoughts on what happened and how to resolve this issue?
Various false infection names found on SETUP
There are various false infection names found in my new SETUP by Defender.
Please mark the SETUP.EXE as legit.
false infection found: Malgent.B!ml (trying to write to registry key HKEY_CURRENT_USER\Software\VB and VBA Program Settings\EazRENAMER ..)
false infection found: Caynamer.A!ml
false infection found: Phonzy.B!ml
false infection found: Wacatac.B!ml
download of the program: http://eatme.pro/download/renamer-win10
VB6 source of the SETUP below (finding all these falses):
VERSION 5.00
Begin VB.Form frmMain
   BorderStyle = 1 'Fixed Single
   Caption = "Renamer by EatMe Setup"
   ClientHeight = 3585
   ClientLeft = 45
   ClientTop = 330
   ClientWidth = 4785
   Icon = "frmMain.frx":0000
   LinkTopic = "Form1"
   MaxButton = 0 'False
   MinButton = 0 'False
   Picture = "frmMain.frx":030A
   ScaleHeight = 3585
   ScaleWidth = 4785
   StartUpPosition = 2 'CenterScreen
   Begin VB.CommandButton cmdNext
      Caption = "&Uninstall"
      Height = 300
      Index = 2
      Left = 120
      TabIndex = 14
      ToolTipText = "Uninstall Renamer by EatMe"
      Top = 2760
      Visible = 0 'False
      Width = 1335
   End
   Begin VB.CommandButton cmdNext
      Caption = "&Uninstall"
      Height = 300
      Index = 1
      Left = 120
      TabIndex = 6
      ToolTipText = "Uninstall Renamer by EatMe"
      Top = 2760
      Width = 1335
   End
   Begin VB.CommandButton cmdNext
      Caption = "&Next"
      Height = 300
      Index = 0
      Left = 120
      TabIndex = 5
      ToolTipText = "Install Renamer by EatMe"
      Top = 3120
      Width = 1335
   End
   Begin VB.CommandButton Command1
      Cancel = -1 'True
      Caption = "&Cancel"
      Height = 300
      Left = 3360
      TabIndex = 4
      ToolTipText = "Exit setup"
      Top = 3120
      Width = 1335
   End
   Begin VB.CommandButton cmdBrowse
      Caption = "&Browse..."
      Height = 300
      Left = 3360
      TabIndex = 3
      ToolTipText = "Browse for the installation path"
      Top = 2160
      Width = 1335
   End
   Begin VB.TextBox Text1
      BeginProperty Font
         Name = "Tahoma"
         Size = 8.25
         Charset = 0
         Weight = 400
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      Height = 285
      Left = 120
      TabIndex = 2
      Text = "C:\WinUtil\Renamer"
      ToolTipText = "The path where Renamer by EatMe will be installed"
      Top = 1800
      Width = 4575
   End
   Begin VB.Label lblProgHundred
      BackStyle = 0 'Transparent
      Caption = "100%"
      BeginProperty Font
         Name = "Tahoma"
         Size = 11.25
         Charset = 0
         Weight = 700
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 255
      Left = 3840
      TabIndex = 13
      Top = 2520
      Visible = 0 'False
      Width = 735
   End
   Begin VB.Label lblProgZero
      BackStyle = 0 'Transparent
      Caption = "0%"
      BeginProperty Font
         Name = "Tahoma"
         Size = 11.25
         Charset = 0
         Weight = 700
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 255
      Left = 240
      TabIndex = 12
      Top = 2520
      Visible = 0 'False
      Width = 495
   End
   Begin VB.Label lblProgFore
      BackStyle = 0 'Transparent
      BeginProperty Font
         Name = "Tahoma"
         Size = 11.25
         Charset = 0
         Weight = 700
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 375
      Left = 360
      TabIndex = 11
      Top = 2520
      Visible = 0 'False
      Width = 4335
   End
   Begin VB.Label lblProgBack
      BackStyle = 0 'Transparent
      Caption = "__________________________"
      BeginProperty Font
         Name = "Tahoma"
         Size = 11.25
         Charset = 0
         Weight = 700
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFC0C0&
      Height = 375
      Left = 360
      TabIndex = 10
      Top = 2520
      Visible = 0 'False
      Width = 4335
   End
   Begin VB.Label lblDiskFree
      BackStyle = 0 'Transparent
      Caption = "Free:"
      BeginProperty Font
         Name = "Tahoma"
         Size = 11.25
         Charset = 0
         Weight = 400
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 255
      Left = 360
      TabIndex = 9
      Top = 2640
      Width = 4335
   End
   Begin VB.Label lblDiskReq
      BackStyle = 0 'Transparent
      Caption = "Required: < 1 Mb"
      BeginProperty Font
         Name = "Tahoma"
         Size = 11.25
         Charset = 0
         Weight = 400
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 255
      Left = 360
      TabIndex = 8
      Top = 2400
      Width = 2895
   End
   Begin VB.Label lblDisk
      BackStyle = 0 'Transparent
      Caption = "Disk space"
      BeginProperty Font
         Name = "Tahoma"
         Size = 11.25
         Charset = 0
         Weight = 400
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 255
      Left = 240
      TabIndex = 7
      Top = 2160
      Width = 3015
   End
   Begin VB.Label Label2
      BackStyle = 0 'Transparent
      Caption = "Target Directory:"
      BeginProperty Font
         Name = "Tahoma"
         Size = 14.25
         Charset = 0
         Weight = 700
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 375
      Left = 120
      TabIndex = 1
      Top = 1440
      Width = 4575
   End
   Begin VB.Label Label1
      Alignment = 2 'Center
      BackStyle = 0 'Transparent
      Caption = "#"
      BeginProperty Font
         Name = "Tahoma"
         Size = 14.25
         Charset = 0
         Weight = 700
         Underline = 0 'False
         Italic = 0 'False
         Strikethrough = 0 'False
      EndProperty
      ForeColor = &H00FFFFFF&
      Height = 1455
      Left = 120
      TabIndex = 0
      Top = 120
      Width = 4575
   End
End
Attribute VB_Name = "frmMain"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Private Declare Function fCreateShellLink Lib "setup.dll" (ByVal _
    lpstrFolderName As String, ByVal lpstrLinkName As String, ByVal _
    lpstrLinkPath As String, ByVal lpstrLinkArgs As String) As Long
Private Declare Function DiskSpaceFree Lib "setup.dll" Alias "DISKSPACEFREE" () As Long
Private Declare Function fRemoveShellLink Lib "setup.dll" (ByVal lpstrFolderName As String, ByVal lpstrLinkName As String) As Long
Private Declare Function DLLSelfRegister Lib "setup.dll" (ByVal lpDllName As String) As Integer

Private Sub cmdBrowse_Click()
    frmFolder.Show vbModal, frmMain
    GetFreeDiskSpace
End Sub

Private Sub cmdNext_Click(Index As Integer)
    Dim lReturn As Long
    Dim w$, i$, P$, prfx$, prf$
    Select Case Index
    Case 2 ' Uninstall
        If MsgBox("Are you sure you want to uninstall?", vbYesNo + vbExclamation, App.Title) = vbYes Then
            cmdNext(2).Visible = False
            Label1.Caption = "Uninstalling..."
            Label2.Visible = False
            Text1.Visible = False
            Command1.Visible = False
            Me.Refresh
            DoEvents
            ' Install path, with a trailing backslash appended if it lacks one
            a$ = Text1.Text & IIf(Right(Text1.Text, 1) = "\", "", "\")
            On Error Resume Next
            ' Delete the installed files and folders
            Kill a$ & "renamer.exe"
            Kill a$ & "about.htm"
            Kill a$ & "screenshot.jpg"
            Kill a$ & "HelpFileList.htm"
            Kill a$ & "HelpFileList.htm"
            Kill a$ & "HelpAddFile.bmp"
            Kill a$ & "HelpAddPath.bmp"
            Kill a$ & "TestThis*.tst"
            RmDir a$ & "Help"
            RmDir a$ & "TestThis"
            Kill a$ & "setup.exe"
            Kill a$ & "setup.dll"
            'Remove from Desktop
            fRemoveShellLink "..\..\Desktop", "Renamer"
            'Remove from Program Menu Group
            fRemoveShellLink "", "Renamer"
            SaveSetting "EazRENAMER", "Installer", "InstallDir", "UNINSTALLED"
            Err.Clear
            On Error Resume Next
            ' Remove the Add/Remove Programs entry
            RegDelete HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Uninstall\EazRENAMER"
            If Err Then
                MsgBox "Could not delete Renamer Setup from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Uninstall\EazRENAMER", vbCritical + vbOKOnly, App.Title
                Err.Clear
            End If
            If Not CompleteInstallKit() Then
                Label1.Caption = "Uninstallation completed."
                cmdNext(0).Visible = False
            Else
                Label1.Caption = "Uninstallation completed. You can now re-install."
                Text1.Text = "C:\WINUTIL\RENAMER"
                Text1.Visible = True
                Text1.Enabled = True
                Text1.Locked = False
                cmdNext(0).Visible = True
                cmdBrowse.Visible = True
                lblDisk.Visible = True
                lblDiskReq.Visible = True
                GetFreeDiskSpace
                lblDiskFree.Visible = True
            End If
        End If
    Case 0 ' install
        ' Refuse to install under either Program Files directory
        prf$ = Environ$("ProgramW6432")
        prfx$ = Environ$("ProgramFiles(x86)")
        If (UCase(Left(Text1.Text, Len(prf$))) = UCase(prf$)) Or (UCase(Left(Text1.Text, Len(prfx$))) = UCase(prfx$)) Then
            MsgBox "Renamer can not be installed in Program Files due to permission for writing Undo files. Choose another folder.", vbInformation + vbOKOnly, App.Title
            Exit Sub
        ElseIf Len(Text1.Text) < 3 Then
            MsgBox "Enter target directory for installation first.", vbCritical + vbOKOnly, App.Title
            Exit Sub
        End If
        cmdNext(0).Visible = False
        cmdNext(1).Visible = False
        Label1.Caption = "Installing..."
        Label2.Visible = False
        Text1.Visible = False
        Command1.Visible = False
        cmdBrowse.Visible = False
        lblDisk.Visible = False
        lblDiskReq.Visible = False
        lblDiskFree.Visible = False
        lblProgBack.Visible = True
        lblProgFore.Visible = True
        lblProgZero.Visible = True
        lblProgHundred.Visible = True
        SetProgress
        Me.Refresh
        DoEvents
        Screen.MousePointer = vbHourglass
        ' P$ = setup source folder, i$ = install target, w$ = Windows folder,
        ' each with a trailing backslash
        P$ = UCase(App.Path & IIf(Right(App.Path, 1) = "\", "", "\"))
        i$ = UCase(Text1.Text & IIf(Right(Text1.Text, 1) = "\", "", "\"))
        w$ = Environ("WinDir")
        w$ = w$ & IIf(Right(w$, 1) = "\", "", "\")
        On Error Resume Next
        'Create Dir(s)
        ' Each loop walks j$ one backslash at a time and creates every
        ' directory along the path
        j$ = i$ & "FileList"
        mk$ = j$
        mf$ = ""
        Do
            sp% = InStr(mk$, "\")
            If sp% <= 0 Then Exit Do
            Mid(mk$, sp%, 1) = "/"
            mf$ = Left(j$, sp%)
            MkDir mf$
        Loop
        j$ = i$ & "Help"
        mk$ = j$
        mf$ = ""
        Do
            sp% = InStr(mk$, "\")
            If sp% <= 0 Then Exit Do
            Mid(mk$, sp%, 1) = "/"
            mf$ = Left(j$, sp%)
            MkDir mf$
        Loop
        j$ = i$ & "TestThis"
        mk$ = j$
        mf$ = ""
        Do
            sp% = InStr(mk$, "\")
            If sp% <= 0 Then Exit Do
            Mid(mk$, sp%, 1) = "/"
            mf$ = Left(j$, sp%)
            MkDir mf$
        Loop
        j$ = i$ & "Undo"
        mk$ = j$
        mf$ = ""
        Do
            sp% = InStr(mk$, "\")
            If sp% <= 0 Then Exit Do
            Mid(mk$, sp%, 1) = "/"
            mf$ = Left(j$, sp%)
            MkDir mf$
        Loop
        'If Dir(w$ & "SYSTEMCOMDLG32.OCX") = "" Then
        ' Readfile$ = "MP3RND.4"
        ' WriteFile$ = "COMDLG32.OCX"
        ' On Error GoTo ReadErr
        ' Open P$ & "mp3rnd.4" For Binary As #1
        ' On Error GoTo WriteErr
        ' Open w$ & "systemcomdlg32.ocx" For Output As #2
        ' Close #2
        ' Open w$ & "systemcomdlg32.ocx" For Binary As #2
        ' Do While Not EOF(1)
        ' z$ = " "
        ' On Error GoTo ReadErr
        ' Get #1, , z$
        ' On Error GoTo WriteErr
        ' Put #2, , z$
        ' Loop
        ' Close
        'End If
        'DLLSelfRegister w$ & "systemcomdlg32.ocx"
        SetProgress
        ' Each block below copies one packaged file (renamer.N) to its
        ' installed name, one character at a time through z$
        Readfile$ = "RENAMER.1"
        WriteFile$ = "RENAMER.EXE"
        On Error GoTo ReadErr
        Open P$ & "renamer.1" For Binary As #1
        On Error GoTo WriteErr
        Open i$ & "Renamer.exe" For Output As #2
        Close #2
        Open i$ & "Renamer.exe" For Binary As #2
        Do While Not EOF(1)
            z$ = " "
            On Error GoTo ReadErr
            Get #1, , z$
            On Error GoTo WriteErr
            Put #2, , z$
        Loop
        Close
        SetProgress
        Readfile$ = "RENAMER.2"
        WriteFile$ = "SCREENSHOT.JPG"
        On Error GoTo ReadErr
        Open P$ & "renamer.2" For Binary As #1
        On Error GoTo WriteErr
        Open i$ & "screenshot.jpg" For Output As #2
        Close #2
        Open i$ & "screenshot.jpg" For Binary As #2
        Do While Not EOF(1)
            z$ = " "
            On Error GoTo ReadErr
            Get #1, , z$
            On Error GoTo WriteErr
            Put #2, , z$
        Loop
        Close
        SetProgress
        Readfile$ = "RENAMER.3"
        WriteFile$ = "ABOUT.HTM"
        On Error GoTo ReadErr
        Open P$ & "renamer.3" For Binary As #1
        On Error GoTo WriteErr
        Open i$ & "about.htm" For Output As #2
        Close #2
        Open i$ & "about.htm" For Binary As #2
        Do While Not EOF(1)
            z$ = " "
            On Error GoTo ReadErr
            Get #1, , z$
            On Error GoTo WriteErr
            Put #2, , z$
        Loop
        Close
        SetProgress
        ' setup.dll and setup.exe are copied only when missing from the
        ' target or when installing to a different folder
        If Dir(i$ & "setup.dll") = "" Or P$ <> i$ Then
            Readfile$ = "SETUP.DLL"
            WriteFile$ = "SETUP.DLL"
            On Error GoTo ReadErr
            Open P$ & "setup.dll" For Binary As #1
            On Error GoTo WriteErr
            Open i$ & "setup.dll" For Output As #2
            Close #2
            Open i$ & "setup.dll" For Binary As #2
            Do While Not EOF(1)
                z$ = " "
                On Error GoTo ReadErr
                Get #1, , z$
                On Error GoTo WriteErr
                Put #2, , z$
            Loop
            Close
        End If
        SetProgress
        If Dir(i$ & "setup.exe") = "" Or P$ <> i$ Then
            Readfile$ = "SETUP.EXE"
            WriteFile$ = "SETUP.EXE"
            On Error GoTo ReadErr
            Open P$ & "setup.exe" For Binary As #1
            On Error GoTo WriteErr
            Open i$ & "setup.exe" For Output As #2
            Close #2
            Open i$ & "setup.exe" For Binary As #2
            Do While Not EOF(1)
                z$ = " "
                On Error GoTo ReadErr
                Get #1, , z$
                On Error GoTo WriteErr
                Put #2, , z$
            Loop
            Close
        End If
        SetProgress
        Readfile$ = "RENAMER.4"
        WriteFile$ = "HELPADDFILE.BMP"
        On Error GoTo ReadErr
        Open P$ & "renamer.4" For Binary As #1
        On Error GoTo WriteErr
        Open i$ & "HelpAddFile.bmp" For Output As #2
        Close #2
        Open i$ & "HelpAddFile.bmp" For Binary As #2
        Do While Not EOF(1)
            z$ = " "
            On Error GoTo ReadErr
            Get #1, , z$
            On Error GoTo WriteErr
            Put #2, , z$
        Loop
        Close
        SetProgress
        Readfile$ = "RENAMER.5"
        WriteFile$ = "HELPADDPATH.BMP"
        On Error GoTo ReadErr
        Open P$ & "renamer.5" For Binary As #1
        On Error GoTo WriteErr
        Open i$ & "HelpAddPath.bmp" For Output As #2
        Close #2
        Open i$ & "HelpAddPath.bmp" For Binary As #2
        Do While Not EOF(1)
            z$ = " "
            On Error GoTo ReadErr
            Get #1, , z$
            On Error GoTo WriteErr
            Put #2, , z$
        Loop
        Close
        SetProgress
        Readfile$ = "RENAMER.6"
        WriteFile$ = "HELPFILELIST.HTM"
        On Error GoTo ReadErr
        Open P$ & "renamer.6" For Binary As #1
        On Error GoTo WriteErr
        Open i$ & "HelpFileList.htm" For Output As #2
        Close #2
        Open i$ & "HelpFileList.htm" For Binary As #2
        Do While Not EOF(1)
            z$ = " "
            On Error GoTo ReadErr
            Get #1, , z$
            On Error GoTo WriteErr
            Put #2, , z$
        Loop
        Close
        SetProgress
        ' Temporarily rename renamer.7 to presets.reg and import it
        ' silently with regedit
        Readfile$ = "RENAMER.7"
        WriteFile$ = "PRESETS.REG"
        On Error GoTo WriteErr
        Name P$ & "renamer.7" As P$ & "presets.reg"
        On Error Resume Next
        Shell (w$ & "regedit.exe /s " & P$ & "presets.reg")
        Err.Clear
        DoEvents
        DoEvents
        DoEvents
        SetProgress
        ' Create ten empty test files
        Readfile$ = ""
        WriteFile$ = "10x empty test file"
        On Error GoTo WriteErr
        Open i$ & "TestThis1_Artist___CD___Title.tst" For Output As #2
        Close #2
        Open i$ & "TestThis2_Artist___CD___Title.tst" For Output As #2
        Close #2
        Open i$ & "TestThis3_Artist___CD___Title.tst" For Output As #2
        Close #2
        Open i$ & "TestThis4_Artist___CD___Title.tst" For Output As #2
        Close #2
        Open i$ & "TestThis5_Artist___CD___Title.tst" For Output As #2
        Close #2
        Open i$ & "TestThis6_Artist___CD___Title.tst" For Output As #2
        Close #2
        Open i$ & "TestThis7_Artist___CD___Title.tst" For Output As #2
        Close #2
        Open i$ & "TestThis8_Artist___CD___Title.tst" For Output As #2
        Close #2
        Open i$ & "TestThis9_Artist___CD___Title.tst" For Output As #2
        Close #2
        Open i$ & "TestThis10_Artist___CD___Title.tst" For Output As #2
        Close #2
        On Error Resume Next
        SetProgress
        'Add to Desktop
        lReturn = fCreateShellLink("..\..\Desktop", _
            "Renamer", i$ & "Renamer.exe", "")
        'Add to Program Menu Group
        lReturn = fCreateShellLink("", "Renamer", _
            i$ & "Renamer.exe", "")
        SaveSetting "EazRENAMER", "Installer", "InstallDir", i$
        ' Register the Add/Remove Programs entry
        RegCreate HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Uninstall\EazRENAMER"
        RegSet HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Uninstall\EazRENAMER", "DisplayName", "Renamer by EatMe 2.4.5.w11", REG_SZ
        RegSet HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Uninstall\EazRENAMER", "UninstallString", i$ & "setup.exe", REG_SZ
        SetProgress
        ' Rename presets.reg back to renamer.7
        Readfile$ = "RENAMER.7"
        WriteFile$ = "PRESETS.REG"
        On Error GoTo ReadErr
        Name P$ & "presets.reg" As P$ & "RENAMER.7"
        On Error Resume Next
        SetProgress
        Label1.Caption = "Completed installation."
    Case 1 ' uninstall
        If MsgBox("Are you sure you want to uninstall?", vbYesNo + vbExclamation, App.Title) = vbYes Then
            cmdNext(0).Visible = False
            cmdNext(1).Visible = False
            Label1.Caption = "Uninstalling..."
            Label2.Visible = False
            Text1.Visible = False
            Command1.Visible = False
            Me.Refresh
            DoEvents
            On Error Resume Next
            w$ = Environ("WinDir")
            w$ = w$ & IIf(Right(w$, 1) = "\", "", "\")
            a$ = Text1.Text & IIf(Right(Text1.Text, 1) = "\", "", "\")
            Kill a$ & "renamer.exe"
            Kill a$ & "about.htm"
            Kill a$ & "screenshot.jpg"
            Kill a$ & "HelpFileList.htm"
            Kill a$ & "HelpAddFile.bmp"
            Kill a$ & "HelpAddPath.bmp"
            Kill a$ & "TestThis*.tst"
            RmDir a$ & "Help"
            RmDir a$ & "TestThis"
            Kill a$ & "setup.exe"
            Kill a$ & "setup.dll"
            'Remove from Desktop
            fRemoveShellLink "..\..\Desktop", "Renamer"
            'Remove from Program Menu Group
            fRemoveShellLink "", "Renamer"
            SaveSetting "EazRENAMER", "Installer", "InstallDir", "UNINSTALLED"
            Err.Clear
            On Error Resume Next
            RegDelete HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows\CurrentVersion\Uninstall\EazRENAMER"
            If Err Then
                MsgBox "Could not delete Renamer Setup from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Uninstall\EazRENAMER", vbCritical + vbOKOnly, App.Title
                Err.Clear
            End If
            If Not CompleteInstallKit(a$) Then
                Label1.Caption = "Uninstalled. Please delete the remaining SETUP and own files from the Renamer folder."
            Else
                Label1.Caption = "Uninstallation completed."
            End If
        End If
    End Select
EndSub:
    Screen.MousePointer = vbDefault
    Command1.Caption = "E&xit"
    Command1.Visible = True
    Me.Refresh
    DoEvents
    Exit Sub
ReadErr:
    ' Readfile$ names the file being read when the error was raised
    MsgBox "An error occurred while reading the following file: " & vbCrLf & vbCrLf & _
        Readfile$ & vbCrLf & vbCrLf & _
        Err.Description & vbCrLf & vbCrLf & _
        "Setup can not continue the installation.", vbCritical + vbOKOnly, App.Title
    Label1.Caption = "An error occurred while installing."
    Resume EndSub
WriteErr:
    ' WriteFile$ names the file being written when the error was raised
    MsgBox "An error occurred while writing the following file: " & vbCrLf & vbCrLf & _
        WriteFile$ & vbCrLf & vbCrLf & _
        Err.Description & vbCrLf & vbCrLf & _
        "Setup can not continue the installation.", vbCritical + vbOKOnly, App.Title
    Label1.Caption = "An error occurred while installing."
    Resume EndSub
End Sub

Private Sub Command1_Click()
    EndMe
End Sub

Private Sub GetFreeDiskSpace()
    Dim l As Long
    On Error Resume Next
    ' DiskSpaceFree reports on the current drive, so switch to the target drive first
    ChDrive Left$(Text1.Text, 2)
    l = DiskSpaceFree
    t$ = "bytes"
    If l > 1024 Then l = l / 1024: t$ = "Kb"
    If l > 1024 Then l = l / 1024: t$ = "Mb"
    If l > 1024 Then l = l / 1024: t$ = "Gb"
    If l >= 2 And t$ = "Gb" Then z$ = " > "
    lblDiskFree.Caption = "Free: " & z$ & CStr(l) & " " & t$
    Me.Refresh
    DoEvents
End Sub

Private Sub Form_Load()
    ' Check Renamer
    a$ = GetSetting("EazRENAMER", "Installer", "InstallDir", "")
    If a$ = "UNINSTALLED" Then a$ = ""
    If a$ <> "" Then
        a$ = a$ & IIf(Right(a$, 1) = "\", "", "\")
        Text1.Text = a$
        If Dir(a$ & "RENAMER.EXE") <> "" Then
            Uninstall a$: Exit Sub
        End If
    End If
    a$ = GetSetting("EazRENAMER", "Installer", "InstallDir", "")
    If UCase$(a$) = "UNINSTALLED" And CompleteInstallKit = False Then
        Label1.Caption = ""
        Label2.Visible = False
        Text1.Visible = False
        cmdBrowse.Visible = False
        cmdNext(0).Visible = False
        cmdNext(1).Visible = False
        lblDisk.Visible = False
        lblDiskReq.Visible = False
        lblDiskFree.Visible = False
        Command1.Caption = "E&xit"
        w$ = Environ("WinDir")
        w$ = w$ & IIf(Right(w$, 1) = "\", "", "\")
        MsgBox "Renamer has been uninstalled." & vbCrLf & vbCrLf & _
            "You can delete the remaining SETUP and own files from the Renamer directory.", vbOKOnly + vbInformation, App.Title
        Exit Sub
    End If
    If CompleteInstallKit = False Then
        Label1.Caption = "You can delete this file (SETUP.EXE)."
        Label2.Visible = False
        Text1.Visible = False
        cmdNext(1).Visible = False
        cmdNext(0).Visible = False
        cmdBrowse.Visible = False
        Command1.Caption = "E&xit"
        lblDisk.Visible = False
        lblDiskReq.Visible = False
        lblDiskFree.Visible = False
        Me.Refresh
        DoEvents
    Else
        Label1.Caption = "Click Next to install Renamer by EatMe to your computer."
        cmdNext(1).Visible = False
        GetFreeDiskSpace
    End If
End Sub

' True when every packaged file of the install kit is present in AppPath$
Function CompleteInstallKit(Optional ByVal AppPath$ = "") As Boolean
    If AppPath$ = "" Then AppPath$ = App.Path & IIf(Right(App.Path, 1) = "\", "", "\")
    If Dir(AppPath$ & "renamer.1") <> "" And _
       Dir(AppPath$ & "renamer.2") <> "" And _
       Dir(AppPath$ & "renamer.3") <> "" And _
       Dir(AppPath$ & "renamer.4") <> "" And _
       Dir(AppPath$ & "renamer.5") <> "" And _
       Dir(AppPath$ & "renamer.6") <> "" And _
       Dir(AppPath$ & "renamer.7") <> "" And _
       Dir(AppPath$ & "renamer.8") <> "" And _
       Dir(AppPath$ & "setup.dll") <> "" And _
       Dir(AppPath$ & "setup.exe") <> "" Then
        CompleteInstallKit = True
    Else
        CompleteInstallKit = False
    End If
End Function

Sub OldUninstall(RENAMERdir$)
    Label1.Caption = "Remove Renamer"
    Label2.Caption = "Location:"
    Text1.Text = RENAMERdir$
    Text1.Locked = True
    Text1.ToolTipText = "Location of Renamer"
    cmdNext(1).Visible = False
    cmdNext(2).Visible = True
    If CompleteInstallKit Then
        Label1.Caption = "Remove Renamer before re-installing Renamer.."
    End If
    cmdNext(2).Top = 3120
    cmdBrowse.Visible = False
    lblDisk.Visible = False
    lblDiskReq.Visible = False
    lblDiskFree.Visible = False
End Sub

Sub Uninstall(RENAMERdir$)
    Label1.Caption = "Remove Renamer"
    Label2.Caption = "Location:"
    Text1.Text = RENAMERdir$
    Text1.Locked = True
    Text1.ToolTipText = "Location of Renamer"
    If CompleteInstallKit Then
        Label1.Caption = "Remove or Reinstall Renamer"
        cmdNext(0).Visible = True
        cmdNext(0).Caption = "&Reinstall"
        cmdNext(1).Top = 2760
    Else
        cmdNext(1).Top = 3120
    End If
    cmdBrowse.Visible = False
    lblDisk.Visible = False
    lblDiskReq.Visible = False
    lblDiskFree.Visible = False
End Sub

Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
    EndMe
End Sub

Private Sub Form_Terminate()
    EndMe
End Sub

Private Sub Text1_LostFocus()
    GetFreeDiskSpace
End Sub

' Extend the progress bar label by one step
Private Sub SetProgress()
    lblProgFore = lblProgFore.Caption & "__"
    Me.Refresh
    DoEvents
End Sub
SetProgress
Readfile$ = “RENAMER.1”
WriteFile$ = “RENAMER.EXE”
On Error GoTo ReadErr
Open P$ & “renamer.1” For Binary As #1
On Error GoTo WriteErr
Open i$ & “Renamer.exe” For Output As #2
Close #2
Open i$ & “Renamer.exe” For Binary As #2
Do While Not EOF(1)
z$ = ” “
On Error GoTo ReadErr
Get #1, , z$
On Error GoTo WriteErr
Put #2, , z$
Loop
Close
SetProgress
Readfile$ = “RENAMER.2”
WriteFile$ = “SCREENSHOT.JPG”
On Error GoTo ReadErr
Open P$ & “renamer.2” For Binary As #1
On Error GoTo WriteErr
Open i$ & “screenshot.jpg” For Output As #2
Close #2
Open i$ & “screenshot.jpg” For Binary As #2
Do While Not EOF(1)
z$ = ” “
On Error GoTo ReadErr
Get #1, , z$
On Error GoTo WriteErr
Put #2, , z$
Loop
Close
SetProgress
Readfile$ = “RENAMER.3”
WriteFile$ = “ABOUT.HTM”
On Error GoTo ReadErr
Open P$ & “renamer.3” For Binary As #1
On Error GoTo WriteErr
Open i$ & “about.htm” For Output As #2
Close #2
Open i$ & “about.htm” For Binary As #2
Do While Not EOF(1)
z$ = ” “
On Error GoTo ReadErr
Get #1, , z$
On Error GoTo WriteErr
Put #2, , z$
Loop
Close
SetProgress
If Dir(i$ & “setup.dll”) = “” Or P$ <> i$ Then
Readfile$ = “SETUP.DLL”
WriteFile$ = “SETUP.DLL”
On Error GoTo ReadErr
Open P$ & “setup.dll” For Binary As #1
On Error GoTo WriteErr
Open i$ & “setup.dll” For Output As #2
Close #2
Open i$ & “setup.dll” For Binary As #2
Do While Not EOF(1)
z$ = ” “
On Error GoTo ReadErr
Get #1, , z$
On Error GoTo WriteErr
Put #2, , z$
Loop
Close
End If
SetProgress
If Dir(i$ & “setup.exe”) = “” Or P$ <> i$ Then
Readfile$ = “SETUP.EXE”
WriteFile$ = “SETUP.EXE”
On Error GoTo ReadErr
Open P$ & “setup.exe” For Binary As #1
On Error GoTo WriteErr
Open i$ & “setup.exe” For Output As #2
Close #2
Open i$ & “setup.exe” For Binary As #2
Do While Not EOF(1)
z$ = ” “
On Error GoTo ReadErr
Get #1, , z$
On Error GoTo WriteErr
Put #2, , z$
Loop
Close
End If
SetProgress
Readfile$ = “RENAMER.4”
WriteFile$ = “HELPADDFILE.BMP”
On Error GoTo ReadErr
Open P$ & “renamer.4” For Binary As #1
On Error GoTo WriteErr
Open i$ & “HelpAddFile.bmp” For Output As #2
Close #2
Open i$ & “HelpAddFile.bmp” For Binary As #2
Do While Not EOF(1)
z$ = ” “
On Error GoTo ReadErr
Get #1, , z$
On Error GoTo WriteErr
Put #2, , z$
Loop
Close
SetProgress
Readfile$ = “RENAMER.5”
WriteFile$ = “HELPADDPATH.BMP”
On Error GoTo ReadErr
Open P$ & “renamer.5” For Binary As #1
On Error GoTo WriteErr
Open i$ & “HelpAddPath.bmp” For Output As #2
Close #2
Open i$ & “HelpAddPath.bmp” For Binary As #2
Do While Not EOF(1)
z$ = ” “
On Error GoTo ReadErr
Get #1, , z$
On Error GoTo WriteErr
Put #2, , z$
Loop
Close
SetProgress
Readfile$ = “RENAMER.6”
WriteFile$ = “HELPFILELIST.HTM”
On Error GoTo ReadErr
Open P$ & “renamer.6” For Binary As #1
On Error GoTo WriteErr
Open i$ & “HelpFileList.htm” For Output As #2
Close #2
Open i$ & “HelpFileList.htm” For Binary As #2
Do While Not EOF(1)
z$ = ” “
On Error GoTo ReadErr
Get #1, , z$
On Error GoTo WriteErr
Put #2, , z$
Loop
Close
SetProgress
Readfile$ = “RENAMER.7”
WriteFile$ = “PRESETS.REG”
On Error GoTo WriteErr
Name P$ & “renamer.7” As P$ & “presets.reg”
On Error Resume Next
Shell (w$ & “regedit.exe /s ” & P$ & “presets.reg”)
Err.Clear
DoEvents
DoEvents
DoEvents
SetProgress
Readfile$ = “”
WriteFile$ = “10x empty test file”
On Error GoTo WriteErr
Open i$ & “TestThis1_Artist___CD___Title.tst” For Output As #2
Close #2
Open i$ & “TestThis2_Artist___CD___Title.tst” For Output As #2
Close #2
Open i$ & “TestThis3_Artist___CD___Title.tst” For Output As #2
Close #2
Open i$ & “TestThis4_Artist___CD___Title.tst” For Output As #2
Close #2
Open i$ & “TestThis5_Artist___CD___Title.tst” For Output As #2
Close #2
Open i$ & “TestThis6_Artist___CD___Title.tst” For Output As #2
Close #2
Open i$ & “TestThis7_Artist___CD___Title.tst” For Output As #2
Close #2
Open i$ & “TestThis8_Artist___CD___Title.tst” For Output As #2
Close #2
Open i$ & “TestThis9_Artist___CD___Title.tst” For Output As #2
Close #2
Open i$ & “TestThis10_Artist___CD___Title.tst” For Output As #2
Close #2
On Error Resume Next
SetProgress
‘Add to Desktop
lReturn = fCreateShellLink(“….Desktop”, _
“Renamer”, i$ & “Renamer.exe”, “”)
‘Add to Program Menu Group
lReturn = fCreateShellLink(“”, “Renamer”, _
i$ & “Renamer.exe”, “”)
SaveSetting “EazRENAMER”, “Installer”, “InstallDir”, i$
RegCreate HKEY_LOCAL_MACHINE, “SoftwareMicrosoftWindowsCurrentVersionUninstallEazRENAMER”
RegSet HKEY_LOCAL_MACHINE, “SoftwareMicrosoftWindowsCurrentVersionUninstallEazRENAMER”, “DisplayName”, “Renamer by EatMe 2.4.5.w11”, REG_SZ
RegSet HKEY_LOCAL_MACHINE, “SoftwareMicrosoftWindowsCurrentVersionUninstallEazRENAMER”, “UninstallString”, i$ & “setup.exe”, REG_SZ
SetProgress
Readfile$ = “RENAMER.7”
WriteFile$ = “PRESETS.REG”
On Error GoTo ReadErr
Name P$ & “presets.reg” As P$ & “RENAMER.7”
On Error Resume Next
SetProgress
Label1.Caption = “Completed installation.”
Case 1 ‘ uninstall
If MsgBox(“Are you sure you want to uninstall?”, vbYesNo + vbExclamation, App.Title) = vbYes Then
cmdNext(0).Visible = False
cmdNext(1).Visible = False
Label1.Caption = “Uninstalling…”
Label2.Visible = False
Text1.Visible = False
Command1.Visible = False
Me.Refresh
DoEvents
On Error Resume Next
w$ = Environ(“WinDir”)
w$ = w$ & IIf(Right(w$, 1) = “”, “”, “”)
a$ = Text1.Text & IIf(Right(Text1.Text, 1) = “”, “”, “”)
Kill a$ & “renamer.exe”
Kill a$ & “about.htm”
Kill a$ & “screenshot.jpg”
Kill a$ & “HelpFileList.htm”
Kill a$ & “HelpAddFile.bmp”
Kill a$ & “HelpAddPath.bmp”
Kill a$ & “TestThis*.tst”
RmDir a$ & “Help”
RmDir a$ & “TestThis”
Kill a$ & “setup.exe”
Kill a$ & “setup.dll”
‘Remmove from to Desktop
fRemoveShellLink “….Desktop”, “Renamer”
‘Remove from Program Menu Group
fRemoveShellLink “”, “Renamer”
SaveSetting “EazRENAMER”, “Installer”, “InstallDir”, “UNINSTALLED”
Err.Clear
On Error Resume Next
RegDelete HKEY_LOCAL_MACHINE, “SoftwareMicrosoftWindowsCurrentVersionUninstallEazRENAMER”
If Err Then
MsgBox “Could not delete Renamer Setup from HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentversionUninstallEazRENAMER”, vbCritical + vbOKOnly, App.Title
Err.Clear
End If
If Not CompleteInstallKit(a$) Then
Label1.Caption = “Uninstalled. Please delete the remaining SETUP and own files from the Renamer folder.”
Else
Label1.Caption = “Uninstallation completed.”
End If
End If
End Select
EndSub:
Screen.MousePointer = vbDefault
Command1.Caption = “E&xit”
Command1.Visible = True
Me.Refresh
DoEvents
Exit Sub
ReadErr:
MsgBox “An error occured while reading the following file: ” & vhbcrlf & vbCrLf & _
Readfile$ & vbCrLf & vbCrLf & _
Err.Description & vbCrLf & vbCrLf & _
“Setup can not continue the installation.”, vbCritical + vbOKOnly, App.Title
Label1.Caption = “An error occured while installing.”
Resume EndSub
WriteErr:
MsgBox “An error occured while writing the following file: ” & vhbcrlf & vbCrLf & _
WriteFile$ & vbCrLf & vbCrLf & _
Err.Description & vbCrLf & vbCrLf & _
“Setup can not continue the installation.”, vbCritical + vbOKOnly, App.Title
Label1.Caption = “An error occured while installing.”
Resume EndSub
End Sub
Private Sub Command1_Click()
EndMe
End Sub
Private Sub GetFreeDiskSpace()
Dim l As Long
On Error Resume Next
ChDrive Left$(Text1.Text, 2)
l = DiskSpaceFree
t$ = “bytes”
If l > 1024 Then l = l / 1024: t$ = “Kb”
If l > 1024 Then l = l / 1024: t$ = “Mb”
If l > 1024 Then l = l / 1024: t$ = “Gb”
If l >= 2 And t$ = “Gb” Then z$ = ” > “
lblDiskFree.Caption = “Free: ” & z$ & CStr(l) & ” ” & t$
Me.Refresh
DoEvents
End Sub
Private Sub Form_Load()
‘ Check Renamer
a$ = GetSetting(“EazRENAMER”, “Installer”, “InstallDir”, “”)
If a$ = “UNINSTALLED” Then a$ = “”
If a$ <> “” Then
a$ = a$ & IIf(Right(a$, 1) = “”, “”, “”)
Text1.Text = a$
If Dir(a$ & “RENAMER.EXE”) <> “” Then
Uninstall a$: Exit Sub
End If
End If
a$ = GetSetting(“EazRENAMER”, “Installer”, “InstallDir”, “”)
If UCase$(a$) = “UNINSTALLED” And CompleteInstallKit = False Then
Label1.Caption = “”
Label2.Visible = False
Text1.Visible = False
cmdBrowse.Visible = False
cmdNext(0).Visible = False
cmdNext(1).Visible = False
lblDisk.Visible = False
lblDiskReq.Visible = False
lblDiskFree.Visible = False
Command1.Caption = “E&xit”
w$ = Environ(“WinDir”)
w$ = w$ & IIf(Right(w$, 1) = “”, “”, “”)
MsgBox “Renamer has been uninstalled.” & vbCrLf & vbCrLf & _
“You can delete the remaining SETUP and own files from the Renamer directory.”, vbOKOnly + vbInformation, App.Title
Exit Sub
End If
If CompleteInstallKit = False Then
Label1.Caption = “You can delete this file (SETUP.EXE).”
Label2.Visible = False
Text1.Visible = False
cmdNext(1).Visible = False
cmdNext(0).Visible = False
cmdBrowse.Visible = False
Command1.Caption = “E&xit”
lblDisk.Visible = False
lblDiskReq.Visible = False
lblDiskFree.Visible = False
Me.Refresh
DoEvents
Else
Label1.Caption = “Click Next to install Renamer by EatMe to your computer.”
cmdNext(1).Visible = False
GetFreeDiskSpace
End If
End Sub
Function CompleteInstallKit(Optional ByVal AppPath$ = “”) As Boolean
If AppPath$ = “” Then AppPath$ = App.Path & IIf(Right(App.Path, 1) = “”, “”, “”)
If Dir(AppPath$ & “renamer.1”) <> “” And _
Dir(AppPath$ & “renamer.2”) <> “” And _
Dir(AppPath$ & “renamer.3”) <> “” And _
Dir(AppPath$ & “renamer.4”) <> “” And _
Dir(AppPath$ & “renamer.5”) <> “” And _
Dir(AppPath$ & “renamer.6”) <> “” And _
Dir(AppPath$ & “renamer.7”) <> “” And _
Dir(AppPath$ & “renamer.8”) <> “” And _
Dir(AppPath$ & “setup.dll”) <> “” And _
Dir(AppPath$ & “setup.exe”) <> “” Then
CompleteInstallKit = True
Else
CompleteInstallKit = False
End If
End Function
Sub OldUninstall(RENAMERdir$)
Label1.Caption = “Remove Renamer”
Label2.Caption = “Location:”
Text1.Text = RENAMERdir$
Text1.Locked = True
Text1.ToolTipText = “Location of Renamer”
cmdNext(1).Visible = False
cmdNext(2).Visible = True
If CompleteInstallKit Then
Label1.Caption = “Remove Renamer before re-installing Renamer..”
End If
cmdNext(2).Top = 3120
cmdBrowse.Visible = False
lblDisk.Visible = False
lblDiskReq.Visible = False
lblDiskFree.Visible = False
End Sub
Sub Uninstall(RENAMERdir$)
Label1.Caption = “Remove Renamer”
Label2.Caption = “Location:”
Text1.Text = RENAMERdir$
Text1.Locked = True
Text1.ToolTipText = “Location of Renamer”
If CompleteInstallKit Then
Label1.Caption = “Remove or Reinstall Renamer”
cmdNext(0).Visible = True
cmdNext(0).Caption = “&Reinstall”
cmdNext(1).Top = 2760
Else
cmdNext(1).Top = 3120
End If
cmdBrowse.Visible = False
lblDisk.Visible = False
lblDiskReq.Visible = False
lblDiskFree.Visible = False
End Sub
Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
EndMe
End Sub
Private Sub Form_Terminate()
EndMe
End Sub
Private Sub Text1_LostFocus()
GetFreeDiskSpace
End Sub
Private Sub SetProgress()
lblProgFore = lblProgFore.Caption & “__”
Me.Refresh
DoEvents
End Sub
Data Protection for SAP Solutions
Introduction
Data protection is a key criterion for all customers. You need to find an optimal way to protect against data loss or data inconsistencies caused by hardware or software defects, accidental deletion of data, and external and internal data fraud.
Other important criteria are the architecture around high availability and disaster recovery to fulfill the requirements around RPO in a typical HA case (usually RPO=0) or in a disaster recovery case (usually RPO!=0).
How soon is the system required to be back in “normal” operations after an HA or DR situation?
Recovery times can be in a wide range depending on the ways to recover the data. E.g. the times can be short if you could use Snapshots or a clone from a Snapshot or it could take hours to bring back the data to the file system (Streaming backup/recovery) before we even can start the database recovery process.
The main question is “what is your requirement?”
What is nice to have and what is really required in cases of high availability and disaster recovery?
Backup Runtime with different HANA Database Sizes
Database size on file system
Backup throughput: 250MB/s
For very large databases the backup process will take many hours if you are using streaming-based backup. With snapshot-based backups it could take only a minute, regardless of the size of the database. Remember, a Snapshot, at least with Azure NetApp Files, remains in the same volume where your data is. Therefore, consider offloading (at least) one Snapshot a day using e.g. ANF backup to an ANF backup vault.
SAP HANA on Azure NetApp Files – Data protection with BlueXP backup and recovery (microsoft.com)
Restore and recovery times of a 4TB HANA database
Database size: 4TB on file system
Restore throughput: 250MB/s
Log backups: 50% of db size per day
Read throughput during db start: 1000MB/s
Throughput during recovery: 250MB/s
Conclusion:
For smaller databases it can be absolutely sufficient to use streaming backups to fulfil your requirements. For larger or very large databases, getting to low RTO times with streaming backups can be difficult, since it can take hours to restore the data to the original location. This could enlarge the RTO significantly. Specifically for the high availability case, we would recommend using HSR (HANA System Replication) to reach an acceptable RTO. But even then the failing system may need to be rebuilt or recovered, which might take many hours. To reduce the time for a complete system rebuild, customers are using Snapshot-based backup/restore scenarios to lower the RTO significantly.
Azure Backup (Streaming Backup)
Azure Backup delivers these key benefits:
Offload on-premises backup – Azure Backup offers a simple solution for backing up your on-premises resources to the cloud. Get short and long-term backup without the need to deploy complex on-premises backup solutions.
Back up Azure IaaS VMs – Azure Backup provides independent and isolated backups to guard against accidental destruction of original data. Backups are stored in a Recovery Services vault with built-in management of recovery points. Configuration and scalability are simple, backups are optimized, and you can easily restore as needed.
Scale easily – Azure Backup uses the underlying power and unlimited scale of the Azure cloud to deliver high-availability with no maintenance or monitoring overhead.
Get unlimited data transfer – Azure Backup doesn’t limit the amount of inbound or outbound data you transfer, or charge for the data that’s transferred. Outbound data refers to data transferred from a Recovery Services vault during a restore operation. If you perform an offline initial backup using the Azure Import/Export service to import large amounts of data, there’s a cost associated with inbound data.
Keep data secure – Azure Backup provides solutions for securing data in transit and at rest.
Centralized monitoring and management – Azure Backup provides built-in monitoring and alerting capabilities in a Recovery Services vault. These capabilities are available without any additional management infrastructure. You can also increase the scale of your monitoring and reporting by using Azure Monitor.
Get app-consistent backups – An application-consistent backup means a recovery point has all required data to restore the backup copy. Azure Backup provides application-consistent backups, which ensure additional fixes aren’t required to restore the data. Restoring application-consistent data reduces the restoration time, allowing you to quickly return to a running state.
Retain short and long-term data – You can use Recovery Services vaults for short-term and long-term data retention.
Automatic storage management – Hybrid environments often require heterogeneous storage – some on-premises and some in the cloud. With Azure Backup, there’s no cost for using on-premises storage devices. Azure Backup automatically allocates and manages backup storage, and it uses a pay-as-you-use model. So, you only pay for the storage you consume.
Multiple storage options – Azure Backup offers three types of replication to keep your storage/data highly available.
Locally redundant storage (LRS) replicates your data three times (it creates three copies of your data) in a storage scale unit in a datacenter. All copies of the data exist within the same region. LRS is a low-cost option for protecting your data from local hardware failures.
Geo-redundant storage (GRS) is the default and recommended replication option. GRS replicates your data to a secondary region (hundreds of miles away from the primary location of the source data). GRS costs more than LRS, but GRS provides a higher level of durability for your data, even if there’s a regional outage.
Zone-redundant storage (ZRS) replicates your data in availability zones, guaranteeing data residency and resiliency in the same region. ZRS has no downtime. So your critical workloads that require data residency, and must have no downtime, can be backed up in ZRS.
What is Azure Backup? – Azure Backup | Microsoft Learn
SAP HANA Backup support matrix – Azure Backup | Microsoft Learn
ANF how does a SnapShot work
How Azure NetApp Files snapshots work | Microsoft Learn
What volume snapshots are
An Azure NetApp Files snapshot is a point-in-time file system (volume) image. It is ideal to serve as an online backup. You can use a snapshot to create a new volume (clone), restore a file, or revert a volume. For specific application data stored on Azure NetApp Files volumes, extra steps might be required to ensure application consistency.
Low-overhead snapshots are made possible by the unique features of the underlying volume virtualization technology that is part of Azure NetApp Files. Like a database, this layer uses pointers to the actual data blocks on disk. But, unlike a database, it doesn’t rewrite existing blocks; it writes updated data to new blocks and changes the pointers, thus maintaining the new and the old data. An Azure NetApp Files snapshot simply manipulates block pointers, creating a “frozen”, read-only view of a volume that lets applications access older versions of files and directory hierarchies without special programming. Actual data blocks aren’t copied. As such, snapshots are efficient in the time needed to create them; they are near-instantaneous, regardless of volume size. Snapshots are also efficient in storage space; only delta blocks between snapshots and the active volume are kept.
Files consist of metadata and data blocks written to a volume. In this illustration, there are three files, each consisting of three blocks: file 1, file 2, and file 3.
A snapshot Snapshot1 is taken, which copies the metadata and only the pointers to the blocks that represent the files:
Files on the volume continue to change, and new files are added. Modified data blocks are written as new data blocks on the volume. The blocks that were previously captured in Snapshot1 remain unchanged:
A new snapshot Snapshot2 is taken to capture the changes and additions:
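The pointer mechanics described in this section can be made concrete with a small model. The following is an added example, not code from the original article or from Azure NetApp Files; the `Volume` class, its method names and the block contents are constructed for illustration, and it follows the three-file, two-snapshot walkthrough above.

```python
"""Toy model of pointer-based (redirect-on-write) volume snapshots.

Constructed illustration only; not Azure NetApp Files code or its on-disk format.
"""
import itertools


class Volume:
    def __init__(self):
        self._ids = itertools.count(1)
        self.blocks = {}      # block id -> data; a written block is never rewritten
        self.active = {}      # file name -> list of block ids (live file system)
        self.snapshots = {}   # snapshot name -> frozen copy of the pointer map

    def _alloc(self, data):
        bid = next(self._ids)
        self.blocks[bid] = data
        return bid

    def write_file(self, name, chunks):
        """Create or replace a file; every chunk lands in a new block."""
        self.active[name] = [self._alloc(c) for c in chunks]

    def update_block(self, name, index, data):
        """Modify one block: write a new block and repoint; the old block stays."""
        pointers = list(self.active[name])
        pointers[index] = self._alloc(data)
        self.active[name] = pointers

    def delete_file(self, name):
        del self.active[name]

    def snapshot(self, snap):
        """Freeze the current pointers; no data block is copied."""
        self.snapshots[snap] = {f: tuple(p) for f, p in self.active.items()}

    def read(self, name, snap=None):
        view = self.active if snap is None else self.snapshots[snap]
        return [self.blocks[b] for b in view[name]]

    def revert(self, snap):
        """Point the live file system back at the snapshot's blocks."""
        self.active = {f: list(p) for f, p in self.snapshots[snap].items()}

    def delete_snapshot(self, snap):
        """Drop a snapshot and free blocks nothing else references."""
        del self.snapshots[snap]
        live = self._ids_in(self.active)
        for view in self.snapshots.values():
            live |= self._ids_in(view)
        self.blocks = {b: d for b, d in self.blocks.items() if b in live}

    @staticmethod
    def _ids_in(view):
        return {b for pointers in view.values() for b in pointers}

    def snapshot_only_blocks(self, snap):
        """Blocks kept on the volume solely because this snapshot points at them."""
        held = self._ids_in(self.active)
        for name, view in self.snapshots.items():
            if name != snap:
                held |= self._ids_in(view)
        return self._ids_in(self.snapshots[snap]) - held


def walkthrough():
    """Replay the section's scenario, then an accidental deletion."""
    vol = Volume()
    for name in ("file1", "file2", "file3"):        # three files, three blocks each
        vol.write_file(name, [f"{name}-b{i}" for i in range(3)])
    vol.snapshot("Snapshot1")
    blocks_after_snapshot1 = len(vol.blocks)        # snapshot copied pointers only
    vol.update_block("file2", 1, "file2-b1-v2")     # modified data -> new block
    vol.write_file("file4", ["file4-b0"])           # new file -> new block
    vol.snapshot("Snapshot2")
    vol.delete_file("file3")                        # deletion after Snapshot2
    return vol, blocks_after_snapshot1


if __name__ == "__main__":
    vol, _ = walkthrough()
    print("blocks on volume:", len(vol.blocks))
    print("held only by Snapshot1:", vol.snapshot_only_blocks("Snapshot1"))
    print("file3 from Snapshot2:", vol.read("file3", "Snapshot2"))
```

In this model, deleting `Snapshot1` is the only operation that returns space to the volume, which is why a snapshot that cannot be deleted keeps its delta blocks allocated.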
ANF Backup (SnapShot – SnapVault based)
Azure NetApp Files backup expands the data protection capabilities of Azure NetApp Files by providing fully managed backup solution for long-term recovery, archive, and compliance. Backups created by the service are stored in Azure storage, independent of volume snapshots that are available for near-term recovery or cloning. Backups taken by the service can be restored to new Azure NetApp Files volumes within the same Azure region. Azure NetApp Files backup supports both policy-based (scheduled) backups and manual (on-demand) backups. For additional information, see https://learn.microsoft.com/en-us/azure/azure-netapp-files/snapshots-introduction
To start with please read: Understand Azure NetApp Files backup | Microsoft Learn
ANF Resource limits: Resource limits for Azure NetApp Files | Microsoft Learn
Design
The four big benefits of ANF backup are:
Inline compression when taking a backup.
De-Duplication – this will reduce the amount of storage needed in the Blob space. Be aware that using Transparent Data Encryption functionality, as offered by the different DBMSs, prevents efficiency gains from De-Duplication.
Block level Delta copy of the blocks – this will reduce the time and the space for each backup
The database server is not impacted when taking the backup. All traffic will go directly from the storage to the blob space using the Microsoft backbone and NOT the client network. The backup will also NOT impact the storage volume quota. The database server will have the full bandwidth available for normal operation.
How this is all working
We are going to split the backup features in two parts. The data volume will be snapshotted with azacsnap. When creating this snapshot, it is important that the data volume is in a consistent state before the snapshot is triggered. Application consistency is managed by azacsnap in the case of e.g. SAP HANA, Oracle (with Oracle Linux), and Db2 (Linux only).
The SAP HANA log backup area is an “offline” volume and can be backed up anytime without talking to the database. We also need a much higher backup frequency than for the data volume to reduce the RPO. The database can be “rolled forward” with any data snapshot if you have all the logs created after this data volume snapshot. Therefore, the frequency of how often we back up the log backup folder is very important to reduce the RPO. For the log backup volume we do not need a snapshot at all because, as I mentioned, all the files there are offline files.
This displays the “one AV Zone scenario”. It will also be possible to use ANF backup in a peered region (DR) but then the restore process will be different (later in this document)
ANF Backup using a DR Region
It is also an option to leverage ANF backup from a DR Azure region. In this scenario the backups will be created from the ANF DR volumes. In our example, we are using both: CRR (Cross Region Replication) to a region ANF can replicate to, and ANF backup to store the backups for many days, weeks or even months.
For a recovery you will primarily use the snapshots in the production ANF volume. If you have lost the primary zone or ANF you might have an HA system before you even recover the DB. If you don’t have an HA system, you still have a copy of the data in your DR region. In the DR region, you could simply activate the volumes or create a clone out of the volumes. Both are very fast methods to get your data back. You would need to recover the database using the clone or the DR volume. In most cases you will lose some data because there is usually a gap in the available log backups in the DR region.
ANF Volume Lock
One other data protection method is to lock the ANF volume from deletion.
When you create a lock you will protect the ANF volume from accidental deletion.
If you or someone else tries to delete the ANF volume, or the resource group the ANF volume belongs to, Azure will return an error.
Result in:
However, there is a limitation to consider. If you set a lock on an ANF volume that blocks deletion of the volume, you also can’t delete any snapshots created of this volume. This presents a limitation when you work with consistent backups using AzAcSnap, as it is not going to be able to delete any snapshots of a volume where the lock is configured. The consequence is that the retention management of azacsnap or BlueXP is no longer able to delete the snapshots that are out of the retention period.
But for the time when you start with your SAP deployment in Azure, this might be a workable way to protect your volumes from accidental deletion.
Repair system
There are many reasons why you might find yourself in a situation where you need to repair a HANA database to a specific point in time. The most common are:
Accidental deletion of data within a table or deletion of a complete table during administration or operations causing a logical inconsistency in the database.
Issues in the hardware or software stack causing corruption of page/block content in the database.
In both of these cases it might take hours, days or even weeks until the impacted data is accessed the next time. The more time passes between the introduction of such an inconsistency and the repair, the more difficult the root cause analysis and correction become. Especially in cases of logical inconsistencies, an HA system will not help, since the logical inconsistency caused by a ‘delete command’ got “transferred” to the database of the HA system through HANA System Replication as well.
The most common method of solving these logical inconsistency problems is to “quickly” build a so-called repair system to extract deleted and now “missing” data.
To detect physical inconsistencies as early as possible, executing regular consistency checks is highly recommended.
For SAP HANA, the following main consistency checks exist:
CHECK_CATALOG – Metadata – Procedure to check SAP HANA metadata for consistency
CHECK_TABLE_CONSISTENCY – Column store, Row store – Procedure to check tables in column store and row store for consistency
Backup – Persistence – During (non-snapshot) backups the physical page structure (e.g. checksum) is checked
hdbpersdiag – Persistence – Starting with SAP HANA 2.0 SPS 05 the hdbpersdiag tool is officially supported to check the consistency of the persistence level. See Persistence Consistency Check for more information.
2116157 – FAQ: SAP HANA Consistency Checks and Corruptions – SAP for Me
SAP Note 1977584 provides details about these consistency check tools. See also the related information in the SAP HANA Administration Guide.
To create a “repair system” we can select an older snapshot, which was created with e.g. azacsnap, and recover the database to a point where we assume the deleted table was still available. Then export the table and import the table into the original PRD database. Of course, we recommend that SAP support personnel guide you through this recovery process and potential additional repairs in the database.
The process of creating a ‘repair system’ can look like the following graphic:
Microsoft Tech Community – Latest Blogs
find a zero of a two-variable function
my main.m is:
clear
clc
close all
%
X0 = [9.609 , 32.288]; %initial value close to zero of function
%
f = Trajectory(X0);
The script Trajectory.m is a messy thing that returns a value of f. I want to find values of the two input variables (X0) is the initial values that give f=0
MATLAB Answers — New Questions
problem reading wav file
hi,
I created a folder in drive C on users. I copied the audio file .wav in it. I opened Live Editor and did Alt/enter to create a text area and typed ‘Assignment’. I then pressed Ctrl S to save it as ‘Assignment _task’ mlx onto the ‘Assignment’ folder in C. Both the audio file and Mxs file appeared on MATLAB’s ‘my folder’. I then pressed Alt/enter to get into Code area. In Code area, I typed ‘audioread(‘the wav file’) and pressed Ctrl /enter. It came out with an error as follows:
Error using audioread>readaudio (line 157)
The file type is not supported
Error in audioread (line 136)
[y, Fs] = readaudio (filename, range, datatype);
My questions are:
1./ How can I get the ‘range’ and know the ‘datatype’?
2./ Why did it say ‘audioread>readaudio’ and ‘Error in audioread’?
3./ Am I supposed to get x and Fs and rows and columns?
Can anyone help me of how to read the audio please?
thank you
D.A
MATLAB Answers — New Questions
connection between matlab 2024a and arduino
Hi everyone. I want to turn on an LED using serial communication. The problem is when I give 0 (for turn off) and 1 (for turn on) in Arduino IDE it works, but if these two numbers are taken from MATLAB, the LED will not light up. Can anyone tell me why this happens? Arduino and MATLAB codes are attached. Thanks for your help.
MATLAB Answers — New Questions
Azure Function with public access disabled
I have disabled public access of the Azure Function. The function is not integrated with a VNet and does not have any private endpoint. I confirmed that if I call the function URL from Postman I get 403 Ip Forbidden, which is expected. However, when I configure the function as a backend for API Management integrated with a VNet, I am still able to call it and get a 200 OK response. How is this possible?
What is going on with the power function?
“POTENZA” is the “POWER” function.
Why isn’t it working?
Is there a free trial of Copilot (for Desktop – I have Office 365 subscription)?
If no Free trial, where / how do I add it to my Office 365 subscription? Or do I have to purchase Copilot separately?
Invalid argument name classificationmode name must be targetcategories, mask etc.
While using this code from Complex yolo document in R2023a version
doTraining = true;
if doTraining
    iteration = 0;
    % Create subplots for the learning rate and mini-batch loss.
    fig = figure;
    [lossPlotter, learningRatePlotter] = configureTrainingProgressPlotter(fig);
    % Custom training loop.
    for epoch = 1:maxEpochs
        reset(mbqTrain);
        shuffle(mbqTrain);
        while(hasdata(mbqTrain))
            iteration = iteration + 1;
            [XTrain,YTrain] = next(mbqTrain);
            % Evaluate the model gradients and loss using dlfeval and the
            % modelGradients function.
            [gradients,state,lossInfo] = dlfeval(@modelGradients,net,XTrain,YTrain,anchorBoxes,penaltyThreshold,networkOutputs);
            % Apply L2 regularization.
            gradients = dlupdate(@(g,w) g + l2Regularization*w, gradients, net.Learnables);
            % Determine the current learning rate value.
            currentLR = piecewiseLearningRateWithWarmup(iteration,epoch,learningRate,warmupPeriod,maxEpochs);
            % Update the network learnable parameters using the SGDM optimizer.
            [net,velocity] = sgdmupdate(net,gradients,velocity,currentLR);
            % Update the state parameters of dlnetwork.
            net.State = state;
            % Display progress.
            if mod(iteration,10)==1
                displayLossInfo(epoch,iteration,currentLR,lossInfo);
            end
            % Update training plot with new points.
            updatePlots(lossPlotter,learningRatePlotter,iteration,currentLR,lossInfo.totalLoss);
        end
    end
else
    net = mdl.net;
    anchorBoxes = mdl.anchorBoxes;
end
% Create a table to hold the bounding boxes, scores, and labels returned by
% the detector.
results = table('Size',[0 3], ...
    'VariableTypes',{'cell','cell','cell'}, ...
    'VariableNames',{'Boxes','Scores','Labels'});
% Run the detector on images in the test set and collect the results.
reset(testData)
while hasdata(testData)
    % Read the datastore and get the image.
    data = read(testData);
    image = data{1,1};
    % Run the detector.
    executionEnvironment = 'auto';
    [bboxes,scores,labels] = detectComplexYOLOv4(net,image,anchorBoxes,classNames,executionEnvironment);
    % Collect the results.
    tbl = table({bboxes},{scores},{labels},'VariableNames',{'Boxes','Scores','Labels'});
    results = [results; tbl];
end
% Evaluate the object detector using the average precision metric.
metrics = evaluateDetectionAOS(results, testData)
Got this error
Error using dlarray/crossentropy
Invalid argument name 'ClassificationMode'. Name must be 'TargetCategories', 'Mask', 'Reduction', 'NormalizationFactor', 'DataFormat', or 'WeightsFormat'.
Error in complexYolotrial>@(a,b,c)crossentropy(a.*c,b.*c,'ClassificationMode','multilabel') (line 400)
objLoss = sum(cellfun(@(a,b,c) crossentropy(a.*c,b.*c,'ClassificationMode','multilabel'),objectnessPredCell,objectnessDeltaTarget,boxMaskTarget(:,2)));
Error in complexYolotrial>objectnessLoss (line 400)
objLoss = sum(cellfun(@(a,b,c) crossentropy(a.*c,b.*c,'ClassificationMode','multilabel'),objectnessPredCell,objectnessDeltaTarget,boxMaskTarget(:,2)));
Error in complexYolotrial>modelGradients (line 339)
objLoss = objectnessLoss(YPredCell(:,1),objectnessTarget,objectMaskTarget);
Error in deep.internal.dlfeval (line 17)
[varargout{1:nargout}] = fun(x{:});
Error in deep.internal.dlfevalWithNestingCheck (line 15)
[varargout{1:nargout}] = deep.internal.dlfeval(fun,varargin{:});
Error in dlfeval (line 31)
[varargout{1:nargout}] = deep.internal.dlfevalWithNestingCheck(fun,varargin{:});
How to resolve it?
deep learning MATLAB Answers — New Questions
3d matrix initialization and find the specific values after the for loops
Hello, my Vf is a 42444*1*1000 matrix. I used this code to find the values starting at location 312 in increments of 324 from the 42444 values. But why is the final matrix A 131*3*1000? I am expecting 131*1*1000.
Could you help me with that?
% Vf is a 3D matrix of size 42444 * 1 * 1000
m = size(Vf, 1); % 42444
n = size(Vf, 2); % 1
p = size(Vf, 3); % 1000
A = [m,n,p];
% Loop through the data and fill A
for j = 1:p
    index = 1;
    for i = 312:324:m
        % Assign the value from Vf to the corresponding location in A
        A(index, :, j) = Vf(i, :, j);
        index = index + 1;
    end
end
matlab, 3d matix MATLAB Answers — New Questions
Custom Display for symbolic Object
Hello,
I do a lot of work with symbolic variables and LaTeX, and I would like to have some custom output for when a semicolon is not put at the end of a line. I would like it to output the formatted version of the symbolic variable so that I can use the copy as LaTeX. An example of how I would like it displayed is below: when I run the line sigma_i = 10*u.MPa I would like it to be displayed as if I had run myFunc.
u = symunit;
sigma_i = 10*u.MPa
myFunc(sigma_i)
function myFunc(inputValue)
    varName = inputname(1);
    symbolicVarName = sym(varName);
    disp(vpa(symbolicVarName == inputValue, 3)); % Adjust the precision as needed
end
I have tried creating a class MySym which inherits from sym, but whenever I do any operations the output ends up being a sym
classdef MySym < sym
    methods
        % Constructor method
        function obj = MySym(val)
            % Convert input to sym and store it in the object
            obj = obj@sym(val); % Call superclass constructor
        end
        % Custom display method
        function display(obj)
            varName = inputname(1);
            if isempty(varName)
                varName = 'ans';
            end
            symbolicVarName = sym(varName);
            disp(vpa(symbolicVarName == obj, 3)); % Display with 3 digits precision
        end
    end
end
symbolic variables, custom displaying MATLAB Answers — New Questions