Message	Id	Version	Level	Task	Keywords	RecordId	ProviderName	ProviderId	LogName	ProcessId	ThreadId	MachineName	TimeCreated	ActivityId	ContainerLog	MatchedQueryIds	Bookmark	LevelDisplayName	OpcodeDisplayName	TaskDisplayName	KeywordsDisplayNames	Properties
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x10A3C6 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x1198 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0	0	13826	-9214364837600034816	15008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:04:49 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80C51F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:04:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x811A3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:03:09 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x811A3D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:03:09 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x811A3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:03:09 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	15003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:03:09 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80E015 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	15002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:03:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80E015 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	15001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:03:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80E015 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	15000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:03:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:03:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80C3D0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:02:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80C51F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:02:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80C51F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:02:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:02:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80C4CA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:02:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80C4CA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:02:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80C4CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:02:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:02:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80C484 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:02:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80C484 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:02:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80C484 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:02:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:02:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80C3D0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:02:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1551579950-1188233383-2621771192-2409672429 Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x80C3D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:02:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5C7B3B2E-00A7-46D3-B80D-459CEDAEA08F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:02:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CE260 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:02:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DD75B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:02:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745FDC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:02:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C0223 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:02:06 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E76A1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:01:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E76A1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:01:32 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E76A1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:01:32 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:01:32 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E1BDD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E1BDD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7E1BDD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DE234 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DE234 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DE234 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DD61F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14967	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DD75B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DD75B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DD706 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DD706 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DD706 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DD6C1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:01:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DD6C1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DD6C1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DD61F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1207014200-1126603817-1782027166-1181910488 Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7DD61F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 47F19338-9C29-4326-9E93-376AD8857246 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:01:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7D71B4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7D71B4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:35 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7D71B4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:35 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:35 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x7D4C43	4905	0	0	13568	-9214364837600034816	14948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x7D4C43	4904	0	0	13568	-9214364837600034816	14947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7D0D6E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7D0D6E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:26 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7D0D6E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:26 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:26 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CE112 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:21 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CE260 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CE260 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CE20B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:21 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CE20B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CE20B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CE1C5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 3:00:21 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CE1C5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:00:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CE1C5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:00:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:00:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CE112 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:00:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3052683034-1123303489-3063205288-3108625705 Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7CE112 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:00:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B5F43F1A-4041-42F4-A8CD-94B629DD49B9 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:00:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C7CC9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:00:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C7CC9 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:00:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C7CC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:00:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 3:00:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C35FD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C35FD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:56 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C35FD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:56 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:56 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BFFB0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C0223 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C0223 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C015A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C015A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:59:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C015A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:59:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:59:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C00BB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C00BB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7C00BB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BFFB0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-126484325-1209079381-3328071080-282380537 Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7BFFB0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0789FF65-1655-4811-A855-5EC6F9C8D410 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x7BE7C2	4905	0	0	13568	-9214364837600034816	14904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:49 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x7BE7C2	4904	0	0	13568	-9214364837600034816	14903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:49 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x7B9DF0	4905	0	0	13568	-9214364837600034816	14902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:40 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x7B9DF0	4904	0	0	13568	-9214364837600034816	14901	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:40 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x7B8DFE	4905	0	0	13568	-9214364837600034816	14900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x7B8DFE	4904	0	0	13568	-9214364837600034816	14899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x7B85BF	4905	0	0	13568	-9214364837600034816	14898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x7B85BF	4904	0	0	13568	-9214364837600034816	14897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x7B7702	4905	0	0	13568	-9214364837600034816	14896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:29 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x7B7702	4904	0	0	13568	-9214364837600034816	14895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:29 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A3D66 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7ABDBD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:09 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7ABDBD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:09 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7ABDBD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:09 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:09 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779BD8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:08 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A501F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A501F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14887	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A501F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14886	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14885	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A3C1B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14884	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A3D66 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14883	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A3D66 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14882	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14881	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A3D11 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14880	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A3D11 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14879	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A3D11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14878	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14877	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A3CCC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14876	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:59:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A3CCC Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14875	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A3CCC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14874	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14873	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A3C1B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14872	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1455797569-1292548379-3513590929-3151618163 Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7A3C1B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14871	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 56C5B541-B91B-4D0A-9124-6DD173E0D9BB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14870	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:59:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x746D92 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14869	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x723594 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14868	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7890DF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14867	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7890DF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14866	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7890DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14865	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14864	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78621D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14863	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78621D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14862	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x78621D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14861	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14860	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x609874 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14859	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77A6AB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14858	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77A6AB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14857	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x77A6AB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14856	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14855	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779A9C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14854	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779BD8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14853	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779BD8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14852	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14851	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779B83 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14850	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779B83 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14849	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779B83 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14848	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14847	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779B3E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14846	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:58:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779B3E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14845	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779B3E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14844	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14843	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779A9C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14842	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3127152167-1181345998-2233414021-2950284034 Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon ID: 0x779A9C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14841	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: BA648E27-E8CE-4669-8531-1F8502C3D9AF Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14840	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:58:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x611288 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14839	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:58:09 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76F9FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14838	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:58:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76F9FA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14837	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:58:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x76F9FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14836	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:58:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14835	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:58:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712562 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14834	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:58:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D6337 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14833	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:59 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75F822 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14832	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:55 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75F822 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14831	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:55 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75F822 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14830	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:55 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14829	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:55 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75B110 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14828	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75B110 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14827	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x75B110 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14826	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14825	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x752CB7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14824	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x752CB7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14823	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:29 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x752CB7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14822	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:29 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14821	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:29 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74D8AF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14820	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74D8AF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14819	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:26 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74D8AF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14818	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:26 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14817	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:26 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74B66C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14816	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:24 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74B66C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14815	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:24 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74B66C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14814	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:24 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14813	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:24 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74788D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14812	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74788D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14811	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x74788D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14810	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14809	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x746C57 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14808	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x746D92 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14807	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x746D92 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14806	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14805	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x746D3D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14804	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x746D3D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14803	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x746D3D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14802	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14801	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x746CF8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14800	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:20 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x746CF8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14799	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x746CF8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14798	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14797	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x746C57 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14796	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2389633479-1186255822-2854315660-1764934060 Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x746C57 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14795	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 8E6EE9C7-D3CE-46B4-8C66-21AAACC13269 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14794	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745E8E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14793	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745FDC Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14792	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745FDC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14791	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14790	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745F87 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14789	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745F87 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14788	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745F87 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14787	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14786	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745F41 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14785	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745F41 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14784	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745F41 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14783	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14782	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745E8E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14781	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3616865595-1175511488-2078476935-1309936878 Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon ID: 0x745E8E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14780	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: D794FD3B-E1C0-4610-870A-E37BEE0C144E Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14779	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F186 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14778	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2E49 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14777	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:07 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x737B11 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14776	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:06 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x737B11 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14775	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:06 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x737B11 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14774	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:06 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14773	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:06 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x736DE2 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14772	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x736DE2 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14771	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x736DE2 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14770	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14769	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:57:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x731345 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14768	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x731345 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14767	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x731345 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14766	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14765	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72F1E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14764	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:01 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72F1E8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14763	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:01 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72F1E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14762	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:01 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14761	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:01 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72DA26 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14760	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72DA26 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14759	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:00 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72DA26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14758	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:00 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14757	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:00 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72D14B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14756	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72D14B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14755	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:00 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72D14B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14754	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:00 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14753	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:57:00 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x729108 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14752	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:56 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x729108 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14751	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:56 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x729108 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14750	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:56 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14749	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:56 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7241CB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14748	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:51 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7241CB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14747	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7241CB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14746	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14745	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x723459 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14744	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x723594 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14743	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x723594 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14742	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14741	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72353F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14740	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72353F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14739	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x72353F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14738	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14737	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7234FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14736	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:56:50 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7234FA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14735	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7234FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14734	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14733	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x723459 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14732	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-53612494-1094821652-2306477492-3360040361 Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x723459 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14731	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 03320FCE-A714-4141-B40D-7A89A92546C8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14730	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x720C27 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14729	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x720C27 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14728	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x720C27 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14727	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14726	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71D061 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14725	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:43 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71D061 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14724	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:43 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71D061 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14723	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:43 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14722	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:43 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B237D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14721	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:40 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x713178 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14720	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x713178 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14719	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x713178 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14718	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14717	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712426 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14716	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712562 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14715	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712562 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14714	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14713	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71250D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14712	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71250D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14711	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x71250D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14710	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14709	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7124C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14708	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7124C8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14707	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x7124C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14706	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14705	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712426 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14704	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-779480014-1164083871-1432407941-4227316460 Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon ID: 0x712426 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14703	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 2E75EBCE-829F-4562-85CF-6055ECBAF7FB Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14702	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:56:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69DC54 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14701	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:56:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x708A6A	4905	0	0	13568	-9214364837600034816	14700	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:56:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x708A6A	4904	0	0	13568	-9214364837600034816	14699	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:56:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x704CEC	4905	0	0	13568	-9214364837600034816	14698	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:56:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x704CEC	4904	0	0	13568	-9214364837600034816	14697	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:56:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA223 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14696	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:56:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA9E9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14695	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:56:03 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA9E9 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14694	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:56:03 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6FA9E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14693	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:56:03 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14692	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:56:03 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6F9D7E	4905	0	0	13568	-9214364837600034816	14691	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:56:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6F9D7E	4904	0	0	13568	-9214364837600034816	14690	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:56:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6F8A8C	4905	0	0	13568	-9214364837600034816	14689	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6F8A8C	4904	0	0	13568	-9214364837600034816	14688	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F5CEF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14687	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:53 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F5CEF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14686	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:53 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F5CEF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14685	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:53 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14684	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:53 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F39AC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14683	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F39AC Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14682	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F39AC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14681	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14680	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2D0E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14679	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2E49 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14678	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2E49 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14677	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14676	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2DF4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14675	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2DF4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14674	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2DF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14673	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14672	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2DAF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14671	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:52 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2DAF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14670	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2DAF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14669	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14668	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2D0E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14667	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4120916119-1082658898-1987658379-3694724380 Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6F2D0E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14666	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F5A03097-1052-4088-8B42-79761C0539DC Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14665	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E9CDA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14664	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E9CDA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14663	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:42 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E9CDA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14662	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:42 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14661	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:42 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E7CFF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14660	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E7CFF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14659	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:41 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6E7CFF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14658	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:41 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14657	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:41 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C00A8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14656	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:40 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DADFE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14655	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DADFE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14654	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DADFE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14653	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14652	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA0E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14651	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA223 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14650	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA223 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14649	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14648	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA1CE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14647	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA1CE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14646	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA1CE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14645	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14644	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA189 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14643	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA189 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14642	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA189 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14641	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14640	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA0E8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14639	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4174556487-1119301284-325085083-134947216 Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6DA0E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14638	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: F8D2AD47-2EA4-42B7-9B67-601390210B08 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14637	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D78B0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14636	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D78B0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14635	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D78B0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14634	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14633	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D5F9F Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14632	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D6337 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14631	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D6337 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14630	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14629	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D628A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14628	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D628A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14627	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D628A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14626	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14625	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D6192 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14624	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D6192 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14623	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D6192 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14622	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14621	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D5F9F Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14620	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-2529630790-1327157640-3557015700-3289945220 Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6D5F9F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14619	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 96C71A46-D188-4F1A-94C0-03D4849418C4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14618	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64E59E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14617	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6C4697	4905	0	0	13568	-9214364837600034816	14616	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:27 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6C4697	4904	0	0	13568	-9214364837600034816	14615	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:27 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C465D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14614	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C465D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14613	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:27 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6C465D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14612	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:27 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14611	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:27 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6BDDCD	4905	0	0	13568	-9214364837600034816	14610	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6BDDCD	4904	0	0	13568	-9214364837600034816	14609	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B8B0D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14608	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B8B0D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14607	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:14 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6B8B0D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14606	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:14 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14605	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:14 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63162C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14604	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:55:14 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ACA12 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14603	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ACA12 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14602	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6ACA12 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14601	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14600	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A8F02 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14599	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A8F02 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14598	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A8F02 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14597	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14596	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:11 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A2F26 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14595	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:07 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A2F26 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14594	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:07 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A2F26 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14593	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:07 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14592	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:07 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A1BC8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14591	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:06 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A1BC8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14590	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:06 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A1BC8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14589	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:06 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14588	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:06 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A1177 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14587	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:06 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A1177 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14586	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:06 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6A1177 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14585	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:06 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14584	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:06 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69ED07 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14583	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69ED07 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14582	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69ED07 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14581	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14580	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69DAF4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14579	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69DC54 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14578	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69DC54 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14577	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14576	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69DBFA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14575	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69DBFA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14574	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69DBFA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14573	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14572	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69DBB5 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14571	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:55:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69DBB5 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14570	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69DBB5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14569	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14568	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69DAF4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14567	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-808043267-1231222903-967794063-2760421545 Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x69DAF4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14566	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 3029C303-F877-4962-8F5D-AF39A9B088A4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14565	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x69335F	4905	0	0	13568	-9214364837600034816	14564	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:03 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x69335F	4904	0	0	13568	-9214364837600034816	14563	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:55:03 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6921ED	4905	0	0	13568	-9214364837600034816	14562	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6921ED	4904	0	0	13568	-9214364837600034816	14561	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6908C7	4905	0	0	13568	-9214364837600034816	14560	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:53 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6908C7	4904	0	0	13568	-9214364837600034816	14559	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:53 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x68FA9B	4905	0	0	13568	-9214364837600034816	14558	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x68FA9B	4904	0	0	13568	-9214364837600034816	14557	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x68D8CC	4905	0	0	13568	-9214364837600034816	14556	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x68D8CC	4904	0	0	13568	-9214364837600034816	14555	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C08E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14554	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:43 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C08E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14553	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:43 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x68C08E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14552	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:43 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14551	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:43 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x68A92E	4905	0	0	13568	-9214364837600034816	14550	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:41 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x68A92E	4904	0	0	13568	-9214364837600034816	14549	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:41 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E5DA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14548	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E5DA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14547	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:37 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x67E5DA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14546	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:37 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14545	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:37 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C514C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14544	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:35 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x670D90 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14543	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:31 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x670D90 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14542	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:31 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x670D90 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14541	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:31 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14540	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:31 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66F49A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14539	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66F49A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14538	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66F49A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14537	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14536	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66B85E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14535	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66B85E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14534	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:27 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66B85E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14533	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:27 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14532	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:27 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66AE85 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14531	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66AE85 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14530	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:26 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66AE85 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14529	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:26 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14528	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:26 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66A6EC Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14527	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66A6EC Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14526	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:26 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x66A6EC Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14525	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:26 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14524	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:26 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F037 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14523	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F186 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14522	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F186 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14521	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14520	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F131 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14519	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F131 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14518	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F131 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14517	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14516	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F0EB Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14515	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:23 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F0EB Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14514	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F0EB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14513	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14512	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F037 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14511	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3275251533-1201895683-439887505-3636890910 Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x65F037 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14510	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: C3385F4D-7903-47A3-9126-381A1E8DC6D8 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14509	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:23 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x659880 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14508	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x659880 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14507	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:13 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x659880 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14506	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:13 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14505	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:13 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6562BF	4905	0	0	13568	-9214364837600034816	14504	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:10 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x6562BF	4904	0	0	13568	-9214364837600034816	14503	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:10 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64FA13 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14502	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:03 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64FA13 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14501	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:03 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64FA13 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14500	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:03 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14499	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:03 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64E446 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14498	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64E59E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14497	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64E59E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14496	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14495	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64E532 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14494	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64E532 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14493	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64E532 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14492	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14491	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:54:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64E4ED Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14490	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64E4ED Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14489	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64E4ED Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14488	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14487	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64E446 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14486	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3813433021-1272970695-2353730482-675847307 Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x64E446 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14485	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E34C5EBD-FDC7-4BDF-B213-4B8C8B9C4828 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14484	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x64BB90	4905	0	0	13568	-9214364837600034816	14483	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:00 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x64BB90	4904	0	0	13568	-9214364837600034816	14482	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:54:00 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x648CE3	4905	0	0	13568	-9214364837600034816	14481	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x648CE3	4904	0	0	13568	-9214364837600034816	14480	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6439FA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14479	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6439FA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14478	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:45 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6439FA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14477	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:45 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14476	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:45 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6201AE Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14475	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:44 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63AE94 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14474	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:41 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63AE94 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14473	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:41 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63AE94 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14472	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:41 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14471	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:41 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x634542 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14470	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x634542 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14469	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:38 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x634542 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14468	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:38 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14467	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:38 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63215D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14466	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63215D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14465	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:37 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63215D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14464	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:37 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14463	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:37 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6314EF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14462	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63162C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14461	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x63162C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14460	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14459	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6315D7 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14458	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6315D7 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14457	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6315D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14456	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14455	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x631592 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14454	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:53:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x631592 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14453	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:53:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x631592 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14452	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:53:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14451	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:53:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6314EF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14450	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:53:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3769365868-1132836228-3695173546-535655920 Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6314EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14449	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:53:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E0ABF56C-B584-4385-AADF-3FDCF075ED1F Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14448	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:53:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x624B82 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14447	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:34 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x624B82 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14446	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:34 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x624B82 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14445	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:34 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14444	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:34 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x620C4B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14443	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x620C4B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14442	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x620C4B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14441	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14440	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x620073 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14439	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6201AE Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14438	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6201AE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14437	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14436	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x620159 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14435	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x620159 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14434	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x620159 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14433	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14432	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x620114 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14431	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x620114 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14430	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x620114 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14429	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14428	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x620073 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14427	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-214384781-1082104893-916040364-4206008642 Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon ID: 0x620073 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14426	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 0CC7408D-9C3D-407F-ACAA-99364299B2FA Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14425	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A287 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14424	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:22 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A287 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14423	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:22 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61A287 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14422	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:22 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14421	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:22 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6154BF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14420	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6154BF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14419	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6154BF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14418	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14417	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:19 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x612359 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14416	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x612359 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14415	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x612359 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14414	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14413	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61113B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14412	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x611288 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14411	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x611288 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14410	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14409	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61122E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14408	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61122E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14407	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61122E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14406	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14405	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6111E9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14404	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6111E9 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14403	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6111E9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14402	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14401	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61113B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14400	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-867056722-1328326259-3843209384-3830235919 Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x61113B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14399	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 33AE3C52-A673-4F2C-A8B8-12E50FC34CE4 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14398	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF267 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14397	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60A660 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14396	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60A660 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14395	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x60A660 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14394	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14393	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x609666 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14392	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x609874 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14391	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x609874 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14390	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14389	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6097A4 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14388	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6097A4 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14387	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x6097A4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14386	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14385	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x609740 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14384	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:12 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x609740 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14383	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x609740 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14382	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14381	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x609666 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14380	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1093310534-1231483348-2504872895-1986908028 Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x609666 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14379	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 412A9846-F1D4-4966-BF53-4D957CCF6D76 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14378	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:12 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x606987 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14377	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x606987 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14376	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:10 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x606987 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14375	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:10 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14374	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:10 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FFCD1 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14373	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FFCD1 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14372	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FFCD1 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14371	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14370	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF12B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14369	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF267 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14368	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF267 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14367	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14366	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF212 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14365	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF212 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14364	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF212 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14363	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14362	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF1CD Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14361	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:53:04 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF1CD Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14360	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF1CD Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14359	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14358	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF12B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14357	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1822639145-1174182659-26334893-1109733463 Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5FF12B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14356	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 6CA34429-9B03-45FC-ADD6-910157302542 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14355	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5FE783	4905	0	0	13568	-9214364837600034816	14354	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5FE783	4904	0	0	13568	-9214364837600034816	14353	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:53:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5FA29F	4905	0	0	13568	-9214364837600034816	14352	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:49 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5FA29F	4904	0	0	13568	-9214364837600034816	14351	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:49 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59A3E8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14350	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EEB44 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14349	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EEB44 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14348	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:38 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5EEB44 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14347	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:38 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14346	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:38 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E0D93 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14345	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:36 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E0D93 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14344	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5E0D93 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14343	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14342	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:36 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAB3C Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14341	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:32 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAB3C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14340	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:32 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5DAB3C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14339	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:32 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14338	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:32 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D42C8 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14337	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D42C8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14336	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5D42C8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14335	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14334	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5C8C6F	4905	0	0	13568	-9214364837600034816	14333	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:28 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5C8C6F	4904	0	0	13568	-9214364837600034816	14332	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:28 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C752E Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14331	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C752E Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14330	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:28 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C752E Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14329	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:28 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14328	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:28 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C4F4D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14327	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5C51FC	4905	0	0	13568	-9214364837600034816	14326	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5C51FC	4904	0	0	13568	-9214364837600034816	14325	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C514C Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14324	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C514C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14323	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14322	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C50CA Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14321	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C50CA Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14320	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C50CA Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14319	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14318	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C507B Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14317	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C507B Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14316	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C507B Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14315	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14314	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C4F4D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14313	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3782701334-1196947612-722675862-609787048 Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C4F4D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14312	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: E1777116-F89C-4757-9628-132BA89C5824 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14311	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:25 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C15D0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14310	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:21 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C15D0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14309	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C15D0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14308	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14307	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5C14D5	4905	0	0	13568	-9214364837600034816	14306	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5C14D5	4904	0	0	13568	-9214364837600034816	14305	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:21 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BFE42 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14304	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:19 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C00A8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14303	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5C00A8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14302	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14301	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BFFC9 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14300	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BFFC9 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14299	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BFFC9 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14298	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14297	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BFF59 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14296	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:18 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BFF59 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14295	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BFF59 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14294	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14293	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BFE42 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14292	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-3017046160-1214228521-4230390154-4042096741 Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5BFE42 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14291	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: B3D47890-A829-485F-8AA1-26FC6580EDF0 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14290	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:18 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B330A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14289	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:17 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B330A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14288	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B330A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14287	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14286	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:17 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B212D Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14285	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B237D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14284	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B237D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14283	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14282	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B2306 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14281	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B2306 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14280	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B2306 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14279	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14278	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B22A3 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14277	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B22A3 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14276	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B22A3 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14275	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14274	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B212D Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14273	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-4258030969-1098630337-3985106576-1758440544 Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B212D Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14272	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: FDCC6579-C4C1-417B-90E6-87ED60ACCF68 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14271	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:16 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B0BD0 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14270	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:15 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B0BD0 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14269	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:15 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x5B0BD0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14268	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:15 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14267	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:15 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5AF589	4905	0	0	13568	-9214364837600034816	14266	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:14 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5AF589	4904	0	0	13568	-9214364837600034816	14265	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:14 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5A0545	4905	0	0	13568	-9214364837600034816	14264	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:09 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5A0545	4904	0	0	13568	-9214364837600034816	14263	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:52:09 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59E8EF Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14262	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:05 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59E8EF Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14261	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59E8EF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14260	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14259	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x59E645	4905	0	0	13568	-9214364837600034816	14258	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x59E645	4904	0	0	13568	-9214364837600034816	14257	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:05 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59675A Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14256	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:52:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59A3E8 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14255	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:52:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59A3E8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14254	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:52:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14253	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:52:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x599875 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14252	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:52:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x599875 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14251	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:52:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x599875 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14250	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:52:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14249	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:52:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x599766 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14248	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:52:02 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x599766 Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14247	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:52:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x599766 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14246	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:52:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14245	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:52:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59675A Privileges: SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14244	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-83-1-1605282566-1210444640-3500990601-853131241 Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon ID: 0x59675A Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14243	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: 5FAEAB06-EB60-4825-89E0-ACD0E9BFD932 Account Domain: NT VIRTUAL MACHINE Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14242	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:52:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5956E6	4905	0	0	13568	-9214364837600034816	14241	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:52:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5956E6	4904	0	0	13568	-9214364837600034816	14240	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:52:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x591E45	4905	0	0	13568	-9214364837600034816	14239	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:51:59 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x591E45	4904	0	0	13568	-9214364837600034816	14238	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:51:59 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x590CEA	4905	0	0	13568	-9214364837600034816	14237	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:51:56 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x590CEA	4904	0	0	13568	-9214364837600034816	14236	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:51:56 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5896C4	4905	0	0	13568	-9214364837600034816	14235	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:51:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x5896C4	4904	0	0	13568	-9214364837600034816	14234	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:51:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x586228	4905	0	0	13568	-9214364837600034816	14233	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:51:45 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x586228	4904	0	0	13568	-9214364837600034816	14232	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:51:45 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x577E42	4905	0	0	13568	-9214364837600034816	14231	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:51:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x577E42	4904	0	0	13568	-9214364837600034816	14230	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:51:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to unregister a security event source. Subject Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x57395F	4905	0	0	13568	-9214364837600034816	14229	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:51:26 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to register a security event source. Subject : Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Process: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe Event Source: Source Name: VSSAudit Event Source ID: 0x57395F	4904	0	0	13568	-9214364837600034816	14228	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:51:26 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14227	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:51:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14226	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	4604	hv-cinder-85220	8/18/2022 2:51:20 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x10A3C6 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xbd8 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0	0	13826	-9214364837600034816	14225	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:49:53 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x10A3C6 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0xf6c Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0	0	13826	-9214364837600034816	14224	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:48:57 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14223	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:29:31 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14222	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	1268	hv-cinder-85220	8/18/2022 2:29:31 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14221	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	860	hv-cinder-85220	8/18/2022 2:05:54 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14220	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	860	hv-cinder-85220	8/18/2022 2:05:54 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x10A3C6 User: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Process Information: Process ID: 0x844 Process Name: C:\Program Files\Git\usr\bin\bash.exe	4798	0	0	13824	-9214364837600034816	14219	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:05:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14218	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:04:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14217	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:04:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x10A3C6 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14216	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:03:10 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x10A3C6 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x534 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: HV-CINDER-85220 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14215	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:03:10 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: HV-CINDER-85220 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x534 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14214	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:03:10 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: HV-CINDER-85220 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14213	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:03:10 PM	dc68a2b0-b30a-0002-1ca6-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0xFE3D5 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14212	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:03:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0xFE3D5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x534 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: HV-CINDER-85220 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14211	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:03:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: HV-CINDER-85220 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x534 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14210	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:03:04 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: HV-CINDER-85220 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14209	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:03:04 PM	dc68a2b0-b30a-0003-9da5-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0xF976C Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14208	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:03:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0xF976C Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x534 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: HV-CINDER-85220 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14207	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:03:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: HV-CINDER-85220 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x534 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14206	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:03:02 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: HV-CINDER-85220 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14205	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:03:02 PM	dc68a2b0-b30a-0002-99a5-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0	0	12292	-9214364837600034816	14204	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:02:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0	0	12292	-9214364837600034816	14203	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:02:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0	0	12292	-9214364837600034816	14202	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:02:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14201	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:02:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_200c44c9-11c8-4477-9a09-c867fd23f830 Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14200	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:02:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Create Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14199	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:02:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_200c44c9-11c8-4477-9a09-c867fd23f830 Operation: Write persisted key to file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14198	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:02:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x80090016	5061	0	0	12290	-9218868437227405312	14197	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:02:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Delete key file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14196	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:02:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14195	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:02:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14194	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:02:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0	0	12292	-9214364837600034816	14193	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:02:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: ECDSA_P256 Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14192	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:02:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: Microsoft Connected Devices Platform device certificate Key Type: User key. Key File Operation Information: File Path: C:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Crypto\Keys\de7cf8a7901d2ad13e5c67c29e5d1662_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14191	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:02:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x8B7B8 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-500 Account Name: Administrator Account Domain: HV-CINDER-85220	4724	0	0	13824	-9214364837600034816	14190	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	860	hv-cinder-85220	8/18/2022 2:02:22 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x8B7B8 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-500 Account Name: Administrator Account Domain: HV-CINDER-85220 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/18/2022 2:02:22 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14189	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	860	hv-cinder-85220	8/18/2022 2:02:22 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x8B7B8 User: Security ID: S-1-5-21-821956041-2582283885-703308673-500 Account Name: Administrator Account Domain: HV-CINDER-85220 Process Information: Process ID: 0xfc0 Process Name: C:\Windows\System32\net1.exe	4798	0	0	13824	-9214364837600034816	14188	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	860	hv-cinder-85220	8/18/2022 2:02:22 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x8B7B8 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x638 Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	4799	0	0	13826	-9214364837600034816	14187	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	860	hv-cinder-85220	8/18/2022 2:02:08 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x2C743 Logon Type: 5 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14186	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	860	hv-cinder-85220	8/18/2022 2:01:49 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x590 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?18T14:01:47.104754200Z New Time: ?2022?-?08?-?18T14:01:47.103000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1	0	12288	-9214364837600034816	14185	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	512	hv-cinder-85220	8/18/2022 2:01:47 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x8B7B8 Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14184	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-20 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x8B7B8 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x534 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: HV-CINDER-85220 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14183	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-20 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E4 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: HV-CINDER-85220 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x534 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14182	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: HV-CINDER-85220 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14181	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:46 PM	dc68a2b0-b30a-0005-96a3-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x865FE Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14180	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:42 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x865FE Privileges: SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14179	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:42 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x865FE Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x534 Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: HV-CINDER-85220 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14178	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:42 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: HV-CINDER-85220 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x534 Process Name: C:\Windows\System32\svchost.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14177	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:42 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: HV-CINDER-85220 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14176	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:42 PM	dc68a2b0-b30a-0000-47a3-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: e425f0ab-4f40-4fd4-999e-1687270296a7 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14175	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:42 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: e425f0ab-4f40-4fd4-999e-1687270296a7 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\025eb623881bfdfe9716c20953b08b83_200c44c9-11c8-4477-9a09-c867fd23f830 Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14174	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:42 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220	4724	0	0	13824	-9214364837600034816	14173	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:40 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/18/2022 2:01:40 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14172	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:40 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 User: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Process Information: Process ID: 0xcd4 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	14171	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:40 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 User: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Process Information: Process ID: 0xcd4 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	14170	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:40 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 User: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Process Information: Process ID: 0xcd4 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	14169	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:40 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14168	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:35 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14167	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:35 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 User: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Process Information: Process ID: 0xcd4 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	14166	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:34 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled local group. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 Member: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: - Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Additional Information: Privileges: -	4732	0	0	13826	-9214364837600034816	14165	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was logged off. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x679DF Logon Type: 2 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.	4634	0	0	12545	-9214364837600034816	14164	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:33 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x228 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14163	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:01:33 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Logon ID: 0x679DF Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xcd4 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: HV-CINDER-85220 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14162	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:32 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: Admin Account Domain: HV-CINDER-85220 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0xcd4 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14161	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:32 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: Admin Source Workstation: HV-CINDER-85220 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14160	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:32 PM	dc68a2b0-b30a-0003-02a3-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220	4724	0	0	13824	-9214364837600034816	14159	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:29 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Changed Attributes: SAM Account Name: Admin Display Name: Admin User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/18/2022 2:01:29 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x15 New UAC Value: 0x210 User Account Control: Account Enabled 'Password Not Required' - Disabled 'Don't Expire Password' - Enabled User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14158	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:29 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was enabled. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220	4722	0	0	13824	-9214364837600034816	14157	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:29 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was created. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 New Account: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: Admin Account Domain: HV-CINDER-85220 Attributes: SAM Account Name: Admin Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 Allowed To Delegate To: - Old UAC Value: 0x0 New UAC Value: 0x15 User Account Control: Account Disabled 'Password Not Required' - Enabled 'Normal Account' - Enabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges -	4720	0	0	13824	-9214364837600034816	14156	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:29 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A member was added to a security-enabled global group. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 Member: Security ID: S-1-5-21-821956041-2582283885-703308673-1001 Account Name: - Group: Security ID: S-1-5-21-821956041-2582283885-703308673-513 Group Name: None Group Domain: HV-CINDER-85220 Additional Information: Privileges: -	4728	0	0	13826	-9214364837600034816	14155	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:29 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14154	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:03 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x2C743 Logon Information: Logon Type: 4 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x558D7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0xf58 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe Network Information: Workstation Name: HV-CINDER-85220 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14153	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:03 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: HV-CINDER-85220 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14152	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:03 PM	dc68a2b0-b30a-0002-2ca3-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x2C743 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220	4724	0	0	13824	-9214364837600034816	14151	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:03 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x2C743 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/18/2022 2:01:03 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14150	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:03 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x2C743 User: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Process Information: Process ID: 0xf58 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	14149	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:03 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x2C743 User: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Process Information: Process ID: 0xf58 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	14148	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:01:03 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account failed to log on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Type: 2 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: Administrator Account Domain: HV-CINDER-85220 Failure Information: Failure Reason: The specified account's password has expired. Status: 0xC0000224 Sub Status: 0x0 Process Information: Caller Process ID: 0x228 Caller Process Name: C:\Windows\System32\svchost.exe Network Information: Workstation Name: HV-CINDER-85220 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4625	0	0	12544	-9218868437227405312	14147	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:58 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-821956041-2582283885-703308673-500 Account Name: Administrator Account Domain: HV-CINDER-85220 Process Information: Process ID: 0x514 Process Name: C:\Windows\System32\LogonUI.exe	4798	0	0	13824	-9214364837600034816	14146	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:57 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14145	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:57 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14144	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:57 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe	4799	0	0	13826	-9214364837600034816	14143	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:54 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x9c4 Process Name: C:\Windows\System32\vmms.exe	4799	0	0	13826	-9214364837600034816	14142	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:54 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14141	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:54 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14140	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:54 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x228 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14139	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:52 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14138	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_200c44c9-11c8-4477-9a09-c867fd23f830 Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14137	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: TSSecKeySet1 Key Type: Machine key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14136	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: TSSecKeySet1 Key Type: Machine key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686aace6942fb7f7ceb231212eef4a4_200c44c9-11c8-4477-9a09-c867fd23f830 Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14135	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:51 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x2C743 Privileges: SeAssignPrimaryTokenPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14134	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon ID: 0x2C743 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: HV-CINDER-85220 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14133	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: cloudbase-init Account Domain: HV-CINDER-85220 Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	14132	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:50 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The computer attempted to validate the credentials for an account. Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon Account: cloudbase-init Source Workstation: HV-CINDER-85220 Error Code: 0x0	4776	0	0	14336	-9214364837600034816	14131	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:50 PM	dc68a2b0-b30a-0001-e7a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Credential Validation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key migration operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Additional Information: Operation: Export of persistent cryptographic key. Return Code: 0x0	5059	0	0	12292	-9214364837600034816	14130	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14129	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14128	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Cryptographic operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: RSA Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Cryptographic Operation: Operation: Open Key. Return Code: 0x0	5061	0	0	12290	-9214364837600034816	14127	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	System Integrity	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Key file operation. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Cryptographic Parameters: Provider Name: Microsoft Software Key Storage Provider Algorithm Name: UNKNOWN Key Name: d333d640-a50f-7cdf-7d80-d8d5ae7a9b11 Key Type: User key. Key File Operation Information: File Path: C:\ProgramData\Microsoft\Crypto\SystemKeys\63819b95e4646e20a43fc837afb825c9_6f209d63-1e80-4632-84d6-2afc9405ddcc Operation: Read persisted key from file. Return Code: 0x0	5058	0	0	12292	-9214364837600034816	14126	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14125	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14124	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14123	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14122	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14121	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14120	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.	5024	0	0	12292	-9214364837600034816	14119	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:48 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x20DBB Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14118	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14117	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14116	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14115	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14114	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14113	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14112	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14111	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14110	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14109	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14108	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x228 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14107	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:47 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.	5033	0	0	12292	-9214364837600034816	14106	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	212	hv-cinder-85220	8/18/2022 2:00:46 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x228 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14105	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x228 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14104	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x534 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14103	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-20 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E4 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x534 Process Name: C:\Windows\System32\svchost.exe	4799	0	0	13826	-9214364837600034816	14102	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14101	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14100	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14099	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14098	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14097	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14096	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14095	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14094	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Process Information: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14093	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Process Information: Process ID: 0x43c Process Name: C:\Windows\System32\VSSVC.exe	4799	0	0	13826	-9214364837600034816	14092	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14091	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14090	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:46 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x598 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?18T14:00:45.962348600Z New Time: ?2022?-?08?-?18T14:00:45.692000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1	0	12288	-9214364837600034816	14089	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	516	hv-cinder-85220	8/18/2022 2:00:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14088	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:45 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14087	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:45 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14086	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:45 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14085	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	900	hv-cinder-85220	8/18/2022 2:00:45 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14084	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:45 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	14083	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:45 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x608 Process Information: Process ID: 0x50c Process Name: C:\Windows\System32\oobe\msoobe.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)	4907	0	0	13568	-9214364837600034816	14082	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	212	hv-cinder-85220	8/18/2022 2:00:45 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-821956041-2582283885-703308673-513 Group Name: None Group Domain: HV-CINDER-85220 Changed Attributes: SAM Account Name: None SID History: - Additional Information: Privileges: -	4737	0	0	13826	-9214364837600034816	14081	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-513 Account Domain: HV-CINDER-85220 Old Account Name: None New Account Name: None Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14080	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled global group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-21-821956041-2582283885-703308673-513 Group Name: None Group Domain: HV-CINDER-85220 Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4737	0	0	13826	-9214364837600034816	14079	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-503 Account Name: DefaultAccount Account Domain: HV-CINDER-85220 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14078	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-503 Account Name: DefaultAccount Account Domain: HV-CINDER-85220 Changed Attributes: SAM Account Name: DefaultAccount Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14077	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-501 Account Name: Guest Account Domain: HV-CINDER-85220 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14076	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-501 Account Name: Guest Account Domain: HV-CINDER-85220 Changed Attributes: SAM Account Name: Guest Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x215 New UAC Value: 0x215 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14075	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-500 Account Name: Administrator Account Domain: HV-CINDER-85220 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14074	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-500 Account Name: Administrator Account Domain: HV-CINDER-85220 Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x10 New UAC Value: 0x10 User Account Control: - User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	14073	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: System Managed Accounts Group SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14072	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-581 Account Domain: Builtin Old Account Name: System Managed Accounts Group New Account Name: System Managed Accounts Group Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14071	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-581 Group Name: System Managed Accounts Group Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14070	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Storage Replica Administrators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14069	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-582 Account Domain: Builtin Old Account Name: Storage Replica Administrators New Account Name: Storage Replica Administrators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14068	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-582 Group Name: Storage Replica Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14067	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Management Users SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14066	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-580 Account Domain: Builtin Old Account Name: Remote Management Users New Account Name: Remote Management Users Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14065	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-580 Group Name: Remote Management Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14064	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Access Control Assistance Operators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14063	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-579 Account Domain: Builtin Old Account Name: Access Control Assistance Operators New Account Name: Access Control Assistance Operators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14062	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-579 Group Name: Access Control Assistance Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14061	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Hyper-V Administrators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14060	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-578 Account Domain: Builtin Old Account Name: Hyper-V Administrators New Account Name: Hyper-V Administrators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14059	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-578 Group Name: Hyper-V Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14058	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Management Servers SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14057	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-577 Account Domain: Builtin Old Account Name: RDS Management Servers New Account Name: RDS Management Servers Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14056	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-577 Group Name: RDS Management Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14055	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Endpoint Servers SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14054	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-576 Account Domain: Builtin Old Account Name: RDS Endpoint Servers New Account Name: RDS Endpoint Servers Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14053	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-576 Group Name: RDS Endpoint Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14052	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: RDS Remote Access Servers SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14051	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-575 Account Domain: Builtin Old Account Name: RDS Remote Access Servers New Account Name: RDS Remote Access Servers Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14050	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-575 Group Name: RDS Remote Access Servers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14049	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: Certificate Service DCOM Access SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14048	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-574 Account Domain: Builtin Old Account Name: Certificate Service DCOM Access New Account Name: Certificate Service DCOM Access Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14047	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-574 Group Name: Certificate Service DCOM Access Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14046	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: Event Log Readers SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14045	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-573 Account Domain: Builtin Old Account Name: Event Log Readers New Account Name: Event Log Readers Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14044	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-573 Group Name: Event Log Readers Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14043	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Cryptographic Operators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14042	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-569 Account Domain: Builtin Old Account Name: Cryptographic Operators New Account Name: Cryptographic Operators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14041	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-569 Group Name: Cryptographic Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14040	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: IIS_IUSRS SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14039	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-568 Account Domain: Builtin Old Account Name: IIS_IUSRS New Account Name: IIS_IUSRS Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14038	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-568 Group Name: IIS_IUSRS Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14037	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: Distributed COM Users SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14036	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-562 Account Domain: Builtin Old Account Name: Distributed COM Users New Account Name: Distributed COM Users Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14035	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-562 Group Name: Distributed COM Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14034	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Log Users SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14033	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-559 Account Domain: Builtin Old Account Name: Performance Log Users New Account Name: Performance Log Users Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14032	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-559 Group Name: Performance Log Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14031	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: Performance Monitor Users SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14030	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-558 Account Domain: Builtin Old Account Name: Performance Monitor Users New Account Name: Performance Monitor Users Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14029	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-558 Group Name: Performance Monitor Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14028	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: Power Users SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14027	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-547 Account Domain: Builtin Old Account Name: Power Users New Account Name: Power Users Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14026	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-547 Group Name: Power Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14025	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Network Configuration Operators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14024	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-556 Account Domain: Builtin Old Account Name: Network Configuration Operators New Account Name: Network Configuration Operators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14023	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-556 Group Name: Network Configuration Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14022	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: Remote Desktop Users SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14021	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-555 Account Domain: Builtin Old Account Name: Remote Desktop Users New Account Name: Remote Desktop Users Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14020	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-555 Group Name: Remote Desktop Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14019	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: Replicator SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14018	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-552 Account Domain: Builtin Old Account Name: Replicator New Account Name: Replicator Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14017	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-552 Group Name: Replicator Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14016	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Backup Operators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14015	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-551 Account Domain: Builtin Old Account Name: Backup Operators New Account Name: Backup Operators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14014	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-551 Group Name: Backup Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14013	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: Guests SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14012	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-546 Account Domain: Builtin Old Account Name: Guests New Account Name: Guests Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14011	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-546 Group Name: Guests Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14010	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: Users SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14009	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-545 Account Domain: Builtin Old Account Name: Users New Account Name: Users Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14008	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-545 Group Name: Users Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14007	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: Administrators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14006	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-544 Account Domain: Builtin Old Account Name: Administrators New Account Name: Administrators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14005	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-544 Group Name: Administrators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14004	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: Print Operators SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14003	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The name of an account was changed: Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-32-550 Account Domain: Builtin Old Account Name: Print Operators New Account Name: Print Operators Additional Information: Privileges: -	4781	0	0	13824	-9214364837600034816	14002	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:44 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A security-enabled local group was changed. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Group: Security ID: S-1-5-32-550 Group Name: Print Operators Group Domain: Builtin Changed Attributes: SAM Account Name: - SID History: - Additional Information: Privileges: -	4735	0	0	13826	-9214364837600034816	14001	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	852	hv-cinder-85220	8/18/2022 2:00:43 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security Group Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	14000	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:32 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13999	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:32 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13998	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:32 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13997	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:32 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13996	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:32 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13995	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:32 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13994	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:31 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13993	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:31 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB56C Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege	4672	0	0	12548	-9214364837600034816	13992	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:31 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB55A Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13991	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:31 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB56C Linked Logon ID: 0xB55A Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13990	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:31 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0xB55A Linked Logon ID: 0xB56C Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13989	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:31 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2dc Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	13988	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:31 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13987	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:31 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13986	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	896	hv-cinder-85220	8/18/2022 2:00:31 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13985	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	860	hv-cinder-85220	8/18/2022 2:00:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: HV-CINDER-85220$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x324 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13984	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	860	hv-cinder-85220	8/18/2022 2:00:30 PM	dc68a2b0-b30a-0005-b3a2-68dc0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x6195	4902	0	0	13568	-9214364837600034816	13983	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	864	hv-cinder-85220	8/18/2022 2:00:30 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13982	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	824	hv-cinder-85220	8/18/2022 2:00:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.	4608	0	0	12288	-9214364837600034816	13981	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	820	824	hv-cinder-85220	8/18/2022 2:00:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x334 New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13980	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	hv-cinder-85220	8/18/2022 2:00:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x324 New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2b4 Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13979	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	hv-cinder-85220	8/18/2022 2:00:29 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2dc New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13978	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	212	hv-cinder-85220	8/18/2022 2:00:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2b4 New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13977	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	212	hv-cinder-85220	8/18/2022 2:00:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x294 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13976	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	212	hv-cinder-85220	8/18/2022 2:00:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x294 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13975	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	212	hv-cinder-85220	8/18/2022 2:00:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x254 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x248 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13974	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	512	hv-cinder-85220	8/18/2022 2:00:28 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x248 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13973	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	512	hv-cinder-85220	8/18/2022 2:00:27 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x218 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x190 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13972	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	hv-cinder-85220	8/18/2022 2:00:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x190 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13971	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	hv-cinder-85220	8/18/2022 2:00:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x18c New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13970	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	hv-cinder-85220	8/18/2022 2:00:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No	4826	0	0	13573	-9214364837600034816	13969	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	hv-cinder-85220	8/18/2022 2:00:25 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other Policy Change Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x5d4 Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?18T14:00:13.301755900Z New Time: ?2022?-?08?-?18T14:00:13.298000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1	0	12288	-9214364837600034816	13968	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	376	WIN-5T344G8GM1H	8/18/2022 2:00:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.	1100	0	4	103	4620693217682128896	13967	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	1308	1524	WIN-5T344G8GM1H	8/18/2022 2:00:13 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Service shutdown	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13966	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 2:00:08 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13965	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 2:00:08 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H	4724	0	0	13824	-9214364837600034816	13964	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 1:59:51 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Target Account: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: cloudbase-init Display Name: cloudbase-init User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 8/18/2022 1:59:51 PM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	13963	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 1:59:51 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xa58 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	13962	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 1:59:51 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 User: Security ID: S-1-5-21-821956041-2582283885-703308673-1000 Account Name: cloudbase-init Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xa58 Process Name: C:\Program Files\Cloudbase Solutions\Cloudbase-Init\Python\python.exe	4798	0	0	13824	-9214364837600034816	13961	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 1:59:51 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Auditing settings on object were changed. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Object: Object Server: Security Object Type: File Object Name: C:\Windows\Temp\winre\ExtractedFromWim Handle ID: 0x3bc Process Information: Process ID: 0x4a0 Process Name: C:\Windows\System32\oobe\Setup.exe Auditing Settings: Original Security Descriptor: New Security Descriptor: S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)	4907	0	0	13568	-9214364837600034816	13960	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	584	WIN-5T344G8GM1H	8/18/2022 1:59:26 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13959	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:13 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13958	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:13 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall service started successfully.	5024	0	0	12292	-9214364837600034816	13957	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	908	WIN-5T344G8GM1H	8/18/2022 1:59:13 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-7 Account Name: ANONYMOUS LOGON Account Domain: NT AUTHORITY Logon ID: 0x62EF0 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): NTLM V1 Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13956	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 1:59:12 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13955	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 1:59:12 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13954	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 1:59:12 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13953	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 1:59:12 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13952	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 1:59:12 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13951	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:12 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13950	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:12 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13949	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:12 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13948	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:12 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13947	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:12 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13946	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:12 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Windows Firewall Driver started successfully.	5033	0	0	12292	-9214364837600034816	13945	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H	8/18/2022 1:59:11 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other System Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13944	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:11 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13943	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:11 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13942	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 1:59:10 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13941	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 1:59:10 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x51c Name: C:\Windows\System32\svchost.exe Previous Time: ?2022?-?08?-?18T13:59:10.269440800Z New Time: ?2022?-?08?-?18T13:59:10.683000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1	0	12288	-9214364837600034816	13940	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	236	WIN-5T344G8GM1H	8/18/2022 1:59:10 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13939	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 1:59:10 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13938	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	868	WIN-5T344G8GM1H	8/18/2022 1:59:10 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13937	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:10 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13936	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:10 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13935	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:01 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13934	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:01 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13933	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:01 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13932	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:01 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13931	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:01 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13930	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:01 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x57541 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege	4672	0	0	12548	-9214364837600034816	13929	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:01 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x5751A Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13928	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:01 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: No Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x57541 Linked Logon ID: 0x5751A Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13927	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:01 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 2 Restricted Admin Mode: - Virtual Account: Yes Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-90-0-1 Account Name: DWM-1 Account Domain: Window Manager Logon ID: 0x5751A Linked Logon ID: 0x57541 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13926	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:01 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A logon was attempted using explicit credentials. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: DWM-1 Account Domain: Window Manager Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: localhost Additional Information: localhost Process Information: Process ID: 0x2e4 Process Name: C:\Windows\System32\winlogon.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account�s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.	4648	0	0	12544	-9214364837600034816	13925	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:01 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13924	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:01 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13923	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:01 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Privileges: SeAssignPrimaryTokenPrivilege SeAuditPrivilege SeImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13922	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:00 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-20 Account Name: NETWORK SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E4 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13921	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	912	WIN-5T344G8GM1H	8/18/2022 1:59:00 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13920	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	860	WIN-5T344G8GM1H	8/18/2022 1:59:00 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x32c Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13919	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	860	WIN-5T344G8GM1H	8/18/2022 1:59:00 PM	9c324e7c-b30a-0005-834e-329c0ab3d801	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The Per-user audit policy table was created. Number of Elements: 0 Policy ID: 0x5001E	4902	0	0	13568	-9214364837600034816	13918	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	872	WIN-5T344G8GM1H	8/18/2022 1:59:00 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Audit Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 0 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: - New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x4 Process Name: Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: - Authentication Package: - Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13917	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	832	WIN-5T344G8GM1H	8/18/2022 1:58:59 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Windows is starting up. This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.	4608	0	0	12288	-9214364837600034816	13916	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	828	832	WIN-5T344G8GM1H	8/18/2022 1:58:59 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x33c New Process Name: C:\Windows\System32\lsass.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2bc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13915	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	584	WIN-5T344G8GM1H	8/18/2022 1:58:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x32c New Process Name: C:\Windows\System32\services.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x2bc Creator Process Name: C:\Windows\System32\wininit.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13914	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	584	WIN-5T344G8GM1H	8/18/2022 1:58:58 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2e4 New Process Name: C:\Windows\System32\winlogon.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x29c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13913	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	236	WIN-5T344G8GM1H	8/18/2022 1:58:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2bc New Process Name: C:\Windows\System32\wininit.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13912	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	236	WIN-5T344G8GM1H	8/18/2022 1:58:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x2a4 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x29c Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13911	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	236	WIN-5T344G8GM1H	8/18/2022 1:58:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x29c New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13910	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	236	WIN-5T344G8GM1H	8/18/2022 1:58:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x264 New Process Name: C:\Windows\System32\csrss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x258 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13909	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H	8/18/2022 1:58:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x258 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13908	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H	8/18/2022 1:58:57 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x238 New Process Name: C:\Windows\System32\setupcl.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13907	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	376	WIN-5T344G8GM1H	8/18/2022 1:58:40 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x208 New Process Name: C:\Windows\System32\autochk.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x1e4 Creator Process Name: C:\Windows\System32\smss.exe Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13906	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	188	WIN-5T344G8GM1H	8/18/2022 1:58:38 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e4 New Process Name: C:\Windows\System32\smss.exe Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13905	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H	8/18/2022 1:58:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A new process has been created. Creator Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 Target Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Process Information: New Process ID: 0x1e0 New Process Name: Token Elevation Type: %%1936 Mandatory Label: S-1-16-16384 Creator Process ID: 0x4 Creator Process Name: Process Command Line: Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy. Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account. Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.	4688	2	0	13312	-9214364837600034816	13904	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H	8/18/2022 1:58:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Process Creation	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Boot Configuration Data loaded. Subject: Security ID: S-1-5-18 Account Name: - Account Domain: - Logon ID: 0x3E7 General Settings: Load Options: - Advanced Options: No Configuration Access Policy: Default System Event Logging: No Kernel Debugging: No VSM Launch Type: Auto Signature Settings: Test Signing: No Flight Signing: No Disable Integrity Checks: No HyperVisor Settings: HyperVisor Load Options: - HyperVisor Launch Type: Auto HyperVisor Debugging: No	4826	0	0	13573	-9214364837600034816	13903	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	136	WIN-5T344G8GM1H	8/18/2022 1:58:37 PM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Other Policy Change Events	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The system time was changed. Subject: Security ID: S-1-5-19 Account Name: LOCAL SERVICE Account Domain: NT AUTHORITY Logon ID: 0x3E5 Process Information: Process ID: 0x4dc Name: C:\Windows\System32\svchost.exe Previous Time: ?2018?-?01?-?19T09:48:13.164762500Z New Time: ?2018?-?01?-?19T09:48:13.152000000Z This event is generated when the system time is changed. It is normal for the Windows Time Service, which runs with System privilege, to change the system time on a regular basis. Other system time changes may be indicative of attempts to tamper with the computer.	4616	1	0	12288	-9214364837600034816	13902	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	4	1980	WIN-5T344G8GM1H	1/19/2018 9:48:13 AM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Security State Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The event logging service has shut down.	1100	0	4	103	4620693217682128896	13901	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	436	1144	WIN-5T344G8GM1H	1/19/2018 9:48:13 AM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Service shutdown	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
User initiated logoff: Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.	4647	0	0	12545	-9214364837600034816	13900	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:48:12 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logoff	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13899	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	3024	WIN-5T344G8GM1H	1/19/2018 9:48:11 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13898	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	3024	WIN-5T344G8GM1H	1/19/2018 9:48:11 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13897	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	756	WIN-5T344G8GM1H	1/19/2018 9:48:10 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13896	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	756	WIN-5T344G8GM1H	1/19/2018 9:48:10 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: Max. Password Age: Force Logoff: Lockout Threshold: Lockout Observation Window: Lockout Duration: Password Properties: Min. Password Length: Password History Length: - Machine Account Quota: - Mixed Domain Mode: - Domain Behavior Version: - OEM Information: 1 Additional Information: Privileges: -	4739	0	0	13569	-9214364837600034816	13895	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: <never> Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x10 User Account Control: 'Don't Expire Password' - Disabled User Parameters: <value not set> SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	13894	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An attempt was made to reset an account's password. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H	4724	0	0	13824	-9214364837600034816	13893	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user account was changed. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Target Account: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Changed Attributes: SAM Account Name: Administrator Display Name: <value not set> User Principal Name: - Home Directory: <value not set> Home Drive: <value not set> Script Path: <value not set> Profile Path: <value not set> User Workstations: <value not set> Password Last Set: 1/19/2018 9:47:34 AM Account Expires: <never> Primary Group ID: 513 AllowedToDelegateTo: - Old UAC Value: 0x210 New UAC Value: 0x210 User Account Control: - User Parameters: - SID History: - Logon Hours: All Additional Information: Privileges: -	4738	0	0	13824	-9214364837600034816	13892	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Domain Policy was changed. Change Type: Password Policy modified Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 Domain: Domain Name: WIN-5T344G8GM1H Domain ID: S-1-5-21-416071247-492812682-1642729393 Changed Attributes: Min. Password Age: ?? Max. Password Age: Force Logoff: ?? Lockout Threshold: Lockout Observation Window: - Lockout Duration: - Password Properties: - Min. Password Length: - Password History Length: 0 Machine Account Quota: 0 Mixed Domain Mode: 0 Domain Behavior Version: - OEM Information: - Additional Information: Privileges: -	4739	0	0	13569	-9214364837600034816	13891	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Authentication Policy Change	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
A user's local group membership was enumerated. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Logon ID: 0x1F0E3 User: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Account Domain: WIN-5T344G8GM1H Process Information: Process ID: 0xfac Process Name: C:\Windows\System32\Sysprep\sysprep.exe	4798	0	0	13824	-9214364837600034816	13890	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:34 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	User Account Management	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
Special privileges assigned to new logon. Subject: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Privileges: SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeAuditPrivilege SeSystemEnvironmentPrivilege SeImpersonatePrivilege SeDelegateSessionUserImpersonatePrivilege	4672	0	0	12548	-9214364837600034816	13889	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:33 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Special Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: WIN-5T344G8GM1H$ Account Domain: WORKGROUP Logon ID: 0x3E7 Logon Information: Logon Type: 5 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-18 Account Name: SYSTEM Account Domain: NT AUTHORITY Logon ID: 0x3E7 Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x290 Process Name: C:\Windows\System32\services.exe Network Information: Workstation Name: - Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: Advapi Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.	4624	2	0	12544	-9214364837600034816	13888	Microsoft-Windows-Security-Auditing	54849625-5478-4994-a5ba-3e3b0328c30d	Security	664	716	WIN-5T344G8GM1H	1/19/2018 9:47:33 AM	ad8d0f9c-9109-0000-b10f-8dad0991d301	security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Logon	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]
The audit log was cleared. Subject: Security ID: S-1-5-21-416071247-492812682-1642729393-500 Account Name: Administrator Domain Name: WIN-5T344G8GM1H Logon ID: 0x1F0E3	1102	0	4	104	4620693217682128896	13887	Microsoft-Windows-Eventlog	fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148	Security	436	1136	WIN-5T344G8GM1H	1/19/2018 9:47:33 AM		security	System.UInt32[]	System.Diagnostics.Eventing.Reader.EventBookmark	Information	Info	Log clear	System.Collections.ObjectModel.ReadOnlyCollection`1[System.String]	System.Collections.Generic.List`1[System.Diagnostics.Eventing.Reader.EventProperty]